CAPEC-644: Use of Captured Hashes (Pass The Hash)
CAPEC Version: 3.9
Updated: 2023-01-24
Attack Pattern Description
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
Execution Flow
Step 1 Explore
[Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
- An adversary purchases breached Windows credential hash value pairs from the dark web.
- An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
- An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
- An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
Step 2 Experiment
[Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.
- Manually or automatically enter each Windows credential hash value pair through the target's interface.
Step 3 Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain.
Step 4 Exploit
[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
Step 5 Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
Prerequisites
- The system/application is connected to the Windows domain.
- The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
- The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Skills Required
Resources Required
- A list of known Windows credential hash value pairs for the targeted domain.
Consequences
Scope: Confidentiality, Access Control, Authentication
Technical Impact: Gain Privileges
Scope: Confidentiality, Authorization
Technical Impact: Read Data
Scope: Integrity
Technical Impact: Modify Data
Mitigations
Prevent the use of Lan Man and NT Lan Man authentication on servers and apply patch KB2871997 to Windows 7 and higher systems.
Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
Monitor system and domain logs for abnormal credential access.
Create a strong password policy and ensure that your system enforces this policy.
Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.
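The mitigation to monitor system and domain logs for abnormal credential access, and the one to prevent LM/NTLM use, can both be checked from Windows Security event 4624 (successful logon) records, where AuthenticationPackageName and LmPackageName show which protocol was negotiated. The script below is an added example, not part of the CAPEC entry: it parses a constructed sample of such events flattened to key=value lines (the flat layout is an assumption; real exports are EVTX/XML), flags logons negotiated with LM or NTLMv1, and flags a source address and account that authenticates with NTLM over the network to many distinct hosts in a short window, the spread pattern a pass-the-hash lateral movement leaves behind. The thresholds (four hosts, five minutes) are illustrative and would be tuned per environment.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: Windows Security event 4624, logon type 3 (network),
# flattened to one key=value line per event for this example. Field names
# mirror the event's AuthenticationPackageName / LmPackageName values; the
# flat layout and the host/user/IP values are constructed, not a real export.
SAMPLE_LOG = """\
time=2023-01-24T10:00:01 event=4624 host=FS01 src_ip=10.0.0.5 user=alice logon_type=3 auth_pkg=Kerberos lm_pkg=-
time=2023-01-24T10:00:07 event=4624 host=FS01 src_ip=10.0.0.9 user=bob logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T10:01:10 event=4624 host=WS07 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V1"
time=2023-01-24T10:02:00 event=4624 host=WS01 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T10:02:15 event=4624 host=WS02 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T10:02:40 event=4624 host=WS03 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T10:03:05 event=4624 host=FS02 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T10:03:30 event=4624 host=DC01 src_ip=10.0.0.77 user=svc_backup logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
time=2023-01-24T11:30:00 event=4624 host=FS01 src_ip=10.0.0.9 user=bob logon_type=3 auth_pkg=NTLM lm_pkg="NTLM V2"
"""

# LmPackageName values that indicate the legacy protocols the mitigation says
# to disable on servers.
WEAK_LM_PACKAGES = {"LM", "NTLM V1"}


def parse_events(text):
    """Turn the flat key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex keeps quoted values such as "NTLM V2" together as one token
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        fields["time"] = datetime.fromisoformat(fields["time"])
        events.append(fields)
    return events


def find_weak_ntlm(events):
    """Successful logons negotiated with LM or NTLMv1: a configuration gap."""
    return [(e["time"].isoformat(), e["host"], e["user"], e["lm_pkg"])
            for e in events
            if e["auth_pkg"] == "NTLM" and e["lm_pkg"] in WEAK_LM_PACKAGES]


def find_ntlm_fanout(events, min_hosts=4, window=timedelta(minutes=5)):
    """A (src_ip, user) pair using NTLM network logons to at least min_hosts
    distinct hosts within a sliding window of the given length."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "4624" and e["logon_type"] == "3" and e["auth_pkg"] == "NTLM":
            by_actor[(e["src_ip"], e["user"])].append(e)
    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # every later event that falls inside the window opened by `start`
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                findings.append((actor, sorted(hosts)))
                break  # report each actor once
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in find_weak_ntlm(evs):
        print("weak LM package:", hit)
    for actor, hosts in find_ntlm_fanout(evs):
        print("NTLM fan-out from %s as %s to %d hosts: %s" % (actor[0], actor[1], len(hosts), hosts))
```

On the constructed sample, the first rule reports the single NTLMv1 logon, and the second reports the service account reaching six hosts from one address inside a few minutes while the ordinary users, who touch one host each, produce nothing. A real deployment would read 4624 events from the domain controllers' and member servers' event logs and feed the same two rules.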
Example Instances
Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]
Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name |
|---|---|---|
| ATTACK | 1550.002 | Use Alternate Authentication Material: Pass The Hash |