Home > CAPEC List > CAPEC-566: Dump Password Hashes (Version 2.11)  

CAPEC-566: Dump Password Hashes

Dump Password Hashes
Definition in a New Window Definition in a New Window
Attack Pattern ID: 566
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An adversary obtains a collection of password hashes through the use of automated utilities designed specifically for gathering this type of information. Examples of credential dumpers include: pwdump7, Windows Credential Editor, Mimikatz, and gsecdump.

Current credential dumpers access the LSASS process to obtain credentials through a process open and may inject code into that process. A malicious process may inject into a process that is known to frequently access LSASS beforehand to evade whitelisting. NTLM hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in memory copy of the SAM table before reading hashes.

Excavated credential data is often moved from the target system to some other adversary controlled system. Data found on a target system (e.g., hashes) might require extensive resources to be fully analyzed. Using these resources on the target system might enable a defender to detect the adversary. Additionally, proper analysis tools required might not be available on the target system.

+ Attack Prerequisites
  • An adversary has the ability use or install the desired tools.

+ Content History
CAPEC Content TeamThe MITRE Corporation2015-11-09Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017