CAPEC Details
Name Use of Captured Hashes (Pass The Hash)
Likelyhood of attack Typical severity
Medium High
Summary An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential (e.g. userID and password) hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
Prerequisites The system/application is connected to the Windows domain. The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Execution Flow
Step Phase Description Techniques
1 Explore [Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
  • An adversary purchases breached Windows credential hash value pairs from the dark web.
  • An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
  • An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
  • An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
2 Experiment [Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.
  • Manually or automatically enter each Windows credential hash value pair through the target's interface.
3 Exploit [Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
4 Exploit [Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
5 Exploit [Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
Solutions Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems. Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network. Monitor system and domain logs for abnormal credential access. Create a strong password policy and ensure that your system enforces this policy. Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.
Related Weaknesses
CWE ID Description
CWE-294 Authentication Bypass by Capture-replay
CWE-308 Use of Single-factor Authentication
CWE-308 Use of Single-factor Authentication
CWE-522 Insufficiently Protected Credentials
CWE-836 Use of Password Hash Instead of Password for Authentication
Related CAPECS
CAPEC ID Description
CAPEC-151 Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.
CAPEC-165 An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.
CAPEC-545 An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.
CAPEC-549 An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
CAPEC-653 An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input.
Taxonomy: ATTACK
Entry ID Entry Name
1550.002 Use Alternate Authentication Material:Pass The Hash