CAPEC - CAPEC-644: Use of Captured Hashes (Pass The Hash) (Version 3.9)


Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks

Home > CAPEC List > CAPEC-644: Use of Captured Hashes (Pass The Hash) (Version 3.9)

CAPEC-644: Use of Captured Hashes (Pass The Hash)

Attack Pattern ID: 644

Abstraction: Detailed

View customized information:

Description

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	653	Use of Known Operating System Credentials
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	151	Identity Spoofing
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	165	File Manipulation
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	545	Pull Data from System Resources
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	549	Local Execution of Code

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Subvert Access Control

Execution Flow

Explore

Acquire known Windows credential hash value pairs: The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.

Techniques
An adversary purchases breached Windows credential hash value pairs from the dark web.
An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.

Experiment

Attempt domain authentication: Try each Windows credential hash value pair until the target grants access.
Techniques
Manually or automatically enter each Windows credential hash value pair through the target's interface.

Exploit

Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

Prerequisites

The system/application is connected to the Windows domain.

The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

The adversary possesses known Windows credential hash value pairs that exist on the target domain.

Skills Required

[Level: Low]

Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.

Resources Required

A list of known Window credential hash value pairs for the targeted domain.

Indicators

Authentication attempts use credentials that have been used previously by the account in question.

Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.

Data is being transferred and/or removed from systems/applications within the network.

Suspicious or Malicious software is downloaded/installed on systems within the domain.

Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.

Consequences

This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Confidentiality Access Control Authentication	Gain Privileges
Confidentiality Authorization	Read Data
Integrity	Modify Data

Mitigations

Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Monitor system and domain logs for abnormal credential access.

Create a strong password policy and ensure that your system enforces this policy.

Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.

Example Instances

Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]

Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
522	Insufficiently Protected Credentials
836	Use of Password Hash Instead of Password for Authentication
308	Use of Single-factor Authentication
294	Authentication Bypass by Capture-replay
308	Use of Single-factor Authentication

Taxonomy Mappings

CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1550.002	Use Alternate Authentication Material:Pass The Hash

References

[REF-575] Dan Goodin. "Attackers can use Zoom to steal users’ Windows credentials with no warning". Ars Technica. 2020-04-01. <https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/>. URL validated: 2020-05-07.

[REF-580] Mor Levi, Assaf Dahan and Amit Serper. "Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers". CyberReason. 2019-06-25. <https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers>. URL validated: 2020-05-07.

[REF-581] "Mitigating Pass-the-Hash and Other Credential Theft v2". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.

[REF-582] "How Pass-the-Hash works". Microsoft Corporation. <https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN>. URL validated: 2020-05-07.

[REF-583] Bashar Ewaida. "Pass-the-hash attacks: Tools and Mitigation". The SANS Institute. 2010-02-23. <https://www.sans.org/reading-room/whitepapers/testing/paper/33283>. URL validated: 2020-05-07.

Content History

Submissions
Submission Date	Submitter	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team

Modifications
Modification Date	Modifier	Organization
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
Updated Description, Extended_Description
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
Updated Description

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2026, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.

Common Attack Pattern Enumeration and Classification

CAPEC-644: Use of Captured Hashes (Pass The Hash)