CAPEC-644: Use of Captured Hashes (Pass The Hash)

Attack Pattern ID: 644
Abstraction: Detailed
Status: Stable
+ Description
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential (e.g. userID and password) hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
Nature      Type                     ID   Name
ChildOf     Standard Attack Pattern  653  Use of Known Windows Credentials
CanPrecede  Meta Attack Pattern      151  Identity Spoofing
CanPrecede  Meta Attack Pattern      165  File Manipulation
CanPrecede  Standard Attack Pattern  545  Pull Data from System Resources
CanPrecede  Meta Attack Pattern      549  Local Execution of Code
Standard Attack Pattern: A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.
Meta Attack Pattern: A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of a related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.
+ Execution Flow
Explore
  1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

    Techniques
    An adversary purchases breached Windows credential hash value pairs from the dark web.
    An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
    An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
    An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
Experiment
  1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.

    Techniques
    Manually or automatically enter each Windows credential hash value pair through the target's interface.
Exploit
  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain.

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

+ Prerequisites
The system/application is connected to the Windows domain.
The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
The adversary possesses known Windows credential hash value pairs that exist on the target domain.
+ Skills Required
[Level: Low]
Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.
+ Resources Required
A list of known Windows credential hash value pairs for the targeted domain.
+ Indicators
Authentication attempts use credentials that have been used previously by the account in question.
Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
Data is being transferred and/or removed from systems/applications within the network.
Suspicious or malicious software is downloaded/installed on systems within the domain.
Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
+ Consequences
This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Scope                                            Impact           Likelihood
Confidentiality, Access Control, Authentication  Gain Privileges
Confidentiality, Authorization                   Read Data
Integrity                                        Modify Data
+ Mitigations
Prevent the use of Lan Man and NT Lan Man authentication on servers and apply patch KB2871997 to Windows 7 and higher systems.
Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
Monitor system and domain logs for abnormal credential access.
Create a strong password policy and ensure that your system enforces this policy.
Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.
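The log-monitoring mitigation and the indicators listed above can be turned into a concrete check. The following is an added example, not CAPEC or Microsoft content: it runs over constructed Windows Security Event ID 4624 records (real field names, made-up users, hosts and addresses) and a constructed per-account baseline of usual source addresses, flagging NTLM network logons from an unknown source and one account reaching many hosts via NTLM.

```python
# Added example (not CAPEC content): flag NTLM network logons that match the
# indicators above, using constructed Windows Security Event ID 4624 records.
# Field names follow the 4624 schema; users, hosts and addresses are made up.
from collections import defaultdict

def event(user, ip, computer, package="NTLM", logon_type=3):
    """Build a minimal 4624 record with the fields the detection needs."""
    return {"EventID": 4624, "LogonType": logon_type,
            "AuthenticationPackageName": package, "TargetUserName": user,
            "IpAddress": ip, "Computer": computer}

# Constructed sample log: one account behaving normally, one account
# authenticating with NTLM from a new source to several hosts in a row.
EVENTS = [
    event("jdoe", "10.0.5.20", "FILE01"),
    event("jdoe", "10.0.5.20", "FILE01", package="Kerberos"),
    event("svc_backup", "10.0.9.77", "FILE01"),
    event("svc_backup", "10.0.9.77", "SQL02"),
    event("svc_backup", "10.0.9.77", "DC01"),
]

# Constructed baseline: the source addresses each account normally logs on from.
BASELINE = {"jdoe": {"10.0.5.20"}, "svc_backup": {"10.0.2.15"}}

def is_ntlm_network_logon(ev):
    """True for a successful network (type 3) logon that negotiated NTLM.
    A pass-the-hash session is always NTLM, so Kerberos logons are excluded."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM")

def find_suspicious(events, baseline, host_threshold=3):
    """Return (account, reason) pairs for two indicators: an NTLM logon from a
    source outside the account's baseline, and one account reaching at least
    host_threshold distinct hosts via NTLM (a lateral-movement signal)."""
    findings = []
    hosts_by_user = defaultdict(set)
    for ev in filter(is_ntlm_network_logon, events):
        user = ev["TargetUserName"]
        if ev["IpAddress"] not in baseline.get(user, set()):
            findings.append((user, f"NTLM logon to {ev['Computer']} "
                                   f"from unknown source {ev['IpAddress']}"))
        hosts_by_user[user].add(ev["Computer"])
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= host_threshold:
            findings.append((user, f"NTLM logons to {len(hosts)} distinct "
                                   f"hosts: {sorted(hosts)}"))
    return findings

if __name__ == "__main__":
    for account, reason in find_suspicious(EVENTS, BASELINE):
        print(f"[{account}] {reason}")
```

In a real deployment the baseline would come from weeks of historical 4624 data and the events from a SIEM query; only the two rules change nothing.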
+ Example Instances
Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]
Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry ID  Entry Name
1550.002  Use Alternate Authentication Material: Pass The Hash
+ References
[REF-575] Dan Goodin. "Attackers can use Zoom to steal users’ Windows credentials with no warning". Ars Technica. 2020-04-01. <https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/>. URL validated: 2020-05-07.
[REF-580] Mor Levi, Assaf Dahan and Amit Serper. "Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers". Cybereason. 2019-06-25. <https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>. URL validated: 2020-05-07.
[REF-581] "Mitigating Pass-the-Hash and Other Credential Theft v2". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.
[REF-582] "How Pass-the-Hash works". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.
[REF-583] Bashar Ewaida. "Pass-the-hash attacks: Tools and Mitigation". The SANS Institute. 2010-02-23. <https://www.sans.org/reading-room/whitepapers/testing/paper/33283>. URL validated: 2020-05-07.
+ Content History
Submissions
Submission Date  Submitter           Organization
2018-07-31       CAPEC Content Team
Modifications
Modification Date  Modifier            Organization
2020-07-30         CAPEC Content Team  The MITRE Corporation
Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings
Page Last Updated or Reviewed: October 21, 2021