
CAPEC-566: Dump Password Hashes

Attack Pattern ID: 566
Abstraction: Detailed
Status: Draft
+ Description
An adversary obtains a collection of password hashes through the use of automated utilities designed specifically for gathering this type of information. Examples of credential dumpers include: pwdump7, Windows Credential Editor, Mimikatz, and gsecdump. Current credential dumpers access the LSASS process to obtain credentials by opening a handle to the process and may inject code into that process. A malicious process may first inject into a process that is known to frequently access LSASS in order to evade whitelisting. NTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) to access stored account password hashes. Some hash dumpers open the local file system as a raw device and parse their way to the SAM table to avoid file access defenses. Others make an in-memory copy of the SAM table before reading hashes. Excavated credential data is often moved from the target system to some other adversary-controlled system. Data found on a target system (e.g., hashes) might require extensive resources to be fully analyzed; using these resources on the target system might enable a defender to detect the adversary. Additionally, the analysis tools required might not be available on the target system.
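The three behaviours described above (opening LSASS with memory-read rights, opening the SAM hive, and opening the disk as a raw device) are each observable in host telemetry. The following detection logic is an added example, not part of the CAPEC entry; it runs over constructed, Sysmon-style process-access and file-open records (field names, the %SystemRoot% = C:\Windows assumption, and the allowlist contents are all assumptions of this example).

```python
"""Flag host events that match the credential-dumping behaviours described in
CAPEC-566. Added example; records are constructed, not real telemetry."""

# Win32 process access right a dumper needs in order to read LSASS memory.
PROCESS_VM_READ = 0x0010

# Images that legitimately open LSASS (assumed list, tune per environment).
# The pattern notes that adversaries inject into exactly such processes to
# evade allowlisting, so an allowlisted image lowers confidence, never clears.
KNOWN_LSASS_ACCESSORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

SAM_HIVE = r"c:\windows\system32\config\sam"   # %SystemRoot% assumed C:\Windows
RAW_DEVICE_PREFIXES = (r"\\.\physicaldrive", r"\\.\c:")


def classify_event(ev):
    """Return a severity-prefixed finding for a suspicious event, else None."""
    kind = ev.get("kind")
    src = ev.get("source_image", "").lower()
    if kind == "process_access":
        target = ev.get("target_image", "").lower()
        if target.endswith(r"\lsass.exe") and ev.get("granted_access", 0) & PROCESS_VM_READ:
            if src in KNOWN_LSASS_ACCESSORS:
                return f"low: allowlisted {src} read LSASS memory (check for injection)"
            return f"high: {src} opened LSASS with memory-read rights"
    elif kind == "file_open":
        path = ev.get("path", "").lower()
        if path == SAM_HIVE:
            return f"high: {src} opened the SAM hive directly"
        if path.startswith(RAW_DEVICE_PREFIXES):
            return f"medium: {src} opened a raw disk device (possible offline SAM parse)"
    return None


def scan(events):
    """Apply classify_event to every record and keep only the findings."""
    return [f for f in map(classify_event, events) if f]


# Constructed sample records: one benign read, one raw-device open, one SAM
# open, one allowlisted LSASS read, and one unlisted LSASS read.
SAMPLE_EVENTS = [
    {"kind": "file_open", "source_image": r"C:\Windows\notepad.exe", "path": r"C:\Temp\notes.txt"},
    {"kind": "file_open", "source_image": r"C:\Users\bob\t.exe", "path": r"\\.\PhysicalDrive0"},
    {"kind": "file_open", "source_image": r"C:\Users\bob\t.exe", "path": r"C:\Windows\System32\config\SAM"},
    {"kind": "process_access", "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"kind": "process_access", "source_image": r"C:\Users\bob\t.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```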
+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

+ Relevant to the view "Mechanisms of Attack" (CAPEC-1000)
Nature    Type        ID   Name
ChildOf   Deprecated  567  DEPRECATED: Obtain Data via Utilities
+ Prerequisites
An adversary has the ability to use or install the desired tools.
+ Content History
Submission Date  Submitter           Organization
2015-11-09       CAPEC Content Team  The MITRE Corporation

Page Last Updated or Reviewed: July 31, 2018