homepage
Open menu
Contact Sales

Mike Pilkington

Mike has been an instructor for the SANS Institute since 2008. He is a co-author for the Enterprise-Class Incident Response & Threat Hunting (FOR608) and currently teaches Windows Forensics In-Depth(FOR500) and Advanced Digital Forensics and Incident Response (FOR508). In addition to teaching and co-authoring, Mike is a dedicated researcher and has published numerous articles for the SANS Forensics Blog. After spending much of his career working in large corporate environments in the oil & gas industry (he previously led and US incident response team at Shell), Mike joined SANS in 2017 as a full-time researcher in the SANS Research Operations Center (SROC). His current role focuses on R&D projects in support of the Digital Forensics and Incident Response program.

More About Mike
Specialties
Photo

Profile

Curiosity wins the day! That is Mike Pilkington's teaching philosophy, because from his perspective, you have to be inspired and excited about solving difficult cases if you want to be great at forensics. As Mike says, "you have to be willing to search for the answers that others can't or won't find." Mike's infectious enthusiasm for digital forensics comes through in his work, in his classes, and in his day-to-day life. It's clear that his hobby and his job are one in the same.

Before joining SANS full-time, Mike led the US incident response team and the global internal investigations forensics team at Shell. Prior to Shell, Mike had several roles in IT at Halliburton, including senior incident responder for the last several years of his tenure there. Mike's core responsibilities were responding to malware and intrusion cases, leading various enterprise DFIR tooling projects, and consulting with internal groups on security reviews and initiatives.

Over the years, Mike has accumulated a broad range of technical expertise, having spent significant time performing software quality assurance, Windows systems administration, LAN and WAN network administration, firewall and IDS/IPS security administration, computer forensic analysis, and incident response. As a forensic analyst, he worked HR investigations, including cases involving intellectual property theft, inappropriate use of the Internet, employee hacking, IT administrator privilege abuse, and illegal downloading of copyrighted materials. Mike is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.

Mike holds a bachelor's degree in mechanical engineering from the University of Texas, as well as numerous IT security certifications.

Qualifications Summary:

  • Deep background in corporate cybersecurity
  • SANS instructor since 2008
  • Professional qualifications: GCFA, GCFE, GNFA, GREM, GCTI, EnCE, CISSP

Get to Know Mike Pilkington:

  • Mike's DFIR articles are available at https://digital-forensics.sans.org/blog/author/mpilkington
  • Mike co-authored the SANS Forensics "Find Evil" and "Hunt Evil" posters
  • Mike created an example forensics report for SANS FOR500 students (available upon request)
  • In addition to regularly presenting six-day SANS forensics classes, Mike's additional speaking engagements include the SANS DFIR Summit, SANS conferences, MIRcon, ISSA, and HTCIA

Listen to Mike discuss Privileged Domain Account Protection: How to Limit Credentials Exposure in this SANS webcast.

Mike's Contributions

Blog
Monitoring for Delegation Token Theft
Delegation is a powerful feature of Windows authentication which allows one remote system to effectively forward a user's credentials to another remote system. This is sometimes referred to as the "double-hop". This great power does not come without great risk however, as the delegation access...
Mike Pilkington
Senior Instructor
read more
Blog
Kerberos in the Crosshairs: Golden Tickets, Silver Tickets, MITM, and More
It's been a rough year for Microsoft's Kerberos implementation. The culmination was last week when Microsoft announced critical vulnerability MS14-068. In short, this vulnerability allows any authenticated user to elevate their privileges to domain admin rights. The issues discussed in this article...
Mike Pilkington
Senior Instructor
read more
Blog
Protecting Privileged Domain Accounts: Restricted Admin and Protected Users
It's been a while since I've written about this topic, and in that time, there have been some useful security updates provided by Microsoft, as well as some troubling developments with Microsoft's Kerberos implementation. In order to fully cover these topics, I'm going to split the discussion into...
Mike Pilkington
Senior Instructor
read more
Blog
The Power of PowerShell Remoting
PowerShell "Remoting" is a feature that holds a lot of promise for incident response. "Remoting" is the ability to run PowerShell commands directly on remote systems and have just the results sent back to the querying machine. From an IR standpoint, this is like a built-in agent ready and waiting...
Mike Pilkington
Senior Instructor
read more
Blog
Overview of Microsoft`s "Best Practices for Securing Active Directory"
As incident responders, we are often called upon to not only supply answers regarding "Who, What, When, Where, and How" an incident occurred, but also how does the organization protect itself against future attacks of a similar nature? In other words, what are the lessons learned and...
Mike Pilkington
Senior Instructor
read more
Blog
Protecting Privileged Domain Accounts: PsExec Deep-Dive
[Author's Note: This is the 6th in a multi-part series on the topic of "Protecting Privileged Domain Accounts". My primary goal is to help incident responders protect their privileged accounts when interacting with comprised hosts, though I also believe this information will be useful to anyone...
Mike Pilkington
Senior Instructor
read more