CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
Last updated
Overview
When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
- An adversary purchases breached Windows credential hash value pairs from the dark web.
- An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
- An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
- An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
- Step 2Experiment
[Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.
- Manually or automatically enter each Windows credential hash value pair through the target's interface.
- Step 3Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
- Step 4Exploit
[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
- Step 5Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
What the attacker needs
Prerequisites
- The system/application is connected to the Windows domain.
- The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
- The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Skills required
- Low skill: Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.
Resources required
- A list of known Window credential hash value pairs for the targeted domain.
Consequences
What a successful CAPEC-644 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authentication
Read Data
Affects: Confidentiality, Authorization
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-644.
- Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.
- Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
- Monitor system and domain logs for abnormal credential access.
- Create a strong password policy and ensure that your system enforces this policy.
- Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.
How to detect it
Indicators that this attack may be underway.
- Authentication attempts use credentials that have been used previously by the account in question.
- Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
- Data is being transferred and/or removed from systems/applications within the network.
- Suspicious or Malicious software is downloaded/installed on systems within the domain.
- Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
Examples
Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]
Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]
Terminology & mappings
Mapped taxonomies
- ATTACK: Use Alternate Authentication Material:Pass The Hash (1550.002)
Frequently asked questions
Common questions about CAPEC-644.
- What is CAPEC-644?
- An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
- How does a Use of Captured Hashes (Pass The Hash) attack work?
- It typically unfolds over 5 phases. It begins with: [Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
- How do you prevent CAPEC-644?
- Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.
- What weaknesses does CAPEC-644 target?
- CAPEC-644 exploits 4 CWE weaknesses, including CWE-294 (Authentication Bypass by Capture-replay), CWE-308 (Use of Single-factor Authentication), CWE-522 (Insufficiently Protected Credentials), CWE-836 (Use of Password Hash Instead of Password for Authentication).
- How severe is CAPEC-644?
- MITRE rates CAPEC-644 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-644
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.