Dark Mode

Settings

Capec-644 Detail

Use of Captured Hashes (Pass The Hash)

Detailed Software Likelihood: Medium Typical Severity: High

Parents: 653

Threats: T71 T75 T279 T283 T385 T388 T398 T402

Description

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
External ID Source Link Description
CAPEC-644 capec https://capec.mitre.org/data/definitions/644.html
CWE-522 cwe http://cwe.mitre.org/data/definitions/522.html
CWE-836 cwe http://cwe.mitre.org/data/definitions/836.html
CWE-308 cwe http://cwe.mitre.org/data/definitions/308.html
CWE-294 cwe http://cwe.mitre.org/data/definitions/294.html
CWE-308 cwe http://cwe.mitre.org/data/definitions/308.html
T1550.002 ATTACK https://attack.mitre.org/wiki/Technique/T1550/002 Use Alternate Authentication Material:Pass The Hash
REF-575 reference_from_CAPEC https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/ Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica
REF-580 reference_from_CAPEC https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason
REF-581 reference_from_CAPEC https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation
REF-582 reference_from_CAPEC https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN How Pass-the-Hash works, Microsoft Corporation
REF-583 reference_from_CAPEC https://www.sans.org/reading-room/whitepapers/testing/paper/33283 Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute
Explore

  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

    2. Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
Experiment

  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

    2. Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.
Exploit

  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

  1. The system/application is connected to the Windows domain.
  2. The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
  3. The adversary possesses known Windows credential hash value pairs that exist on the target domain.
  1. A list of known Window credential hash value pairs for the targeted domain.
Low
Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.
Integrity Authorization Access Control Authentication Confidentiality
Modify Data Read Data Gain Privileges Gain Privileges Gain Privileges
Read Data
  1. Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net- NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]
  2. Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]

We use cookies to ensure you get the best experience on our website.