Execution Flow
1) Explore
[Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
Technique
- An adversary purchases breached Windows credential hash value pairs from the dark web.
- An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
- An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
- An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
2) Experiment
[Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.
Technique
- Manually or automatically enter each Windows credential hash value pair through the target's interface.
3) Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the domain.
4) Exploit
[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
5) Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
Prerequisites
The system/application is connected to the Windows domain.
The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
The adversary possesses known Windows credential hash value pairs that exist on the target domain.
Skills Required
Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.
Resources Required
A list of known Windows credential hash value pairs for the targeted domain.
Mitigations
Prevent the use of Lan Man and NT Lan Man authentication on servers and apply patch KB2871997 to Windows 7 and higher systems.
Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.
Monitor system and domain logs for abnormal credential access.
Create a strong password policy and ensure that your system enforces this policy.
Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.
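The monitoring mitigation above is easiest to act on with a concrete heuristic. The following is an added example, not part of the CAPEC entry: it reads a constructed batch of Windows Security event 4624 (successful logon) records and flags a source address whose NTLM network logons reach several distinct accounts on several distinct hosts within a short window, the spread that the Experiment and Impersonate steps produce and that a single user at one workstation does not. Field names mirror the 4624 event data (LogonType, AuthenticationPackageName, TargetUserName, IpAddress, Computer); the log format, hosts, users, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 records flattened to
# "timestamp key=value ..." lines. Field names follow the 4624 event data;
# every value here is invented for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:05 EventID=4624 Computer=FS01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=alice IpAddress=10.0.5.23
2024-03-01T09:00:09 EventID=4624 Computer=FS01 LogonType=3 AuthenticationPackageName=Kerberos TargetUserName=bob IpAddress=10.0.5.40
2024-03-01T09:01:10 EventID=4624 Computer=FS01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_backup IpAddress=10.0.5.23
2024-03-01T09:01:40 EventID=4624 Computer=SQL02 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=svc_backup IpAddress=10.0.5.23
2024-03-01T09:02:15 EventID=4624 Computer=WEB03 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=admin_ops IpAddress=10.0.5.23
2024-03-01T09:02:50 EventID=4624 Computer=DC01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=admin_ops IpAddress=10.0.5.23
2024-03-01T10:30:00 EventID=4624 Computer=FS01 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=carol IpAddress=10.0.5.77
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn each line into a dict of its key=value fields plus a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def find_ntlm_spread(events, window=timedelta(minutes=5), min_accounts=2, min_hosts=2):
    """Return {source_ip: {accounts, hosts}} for sources whose NTLM network
    logons (LogonType 3) touch >= min_accounts accounts and >= min_hosts hosts
    inside one sliding window. Kerberos and interactive logons are ignored."""
    by_src = defaultdict(list)
    for ev in events:
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "3"
                and ev.get("AuthenticationPackageName") == "NTLM"):
            by_src[ev["IpAddress"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            accounts = {e["TargetUserName"] for e in win}
            hosts = {e["Computer"] for e in win}
            if len(accounts) >= min_accounts and len(hosts) >= min_hosts:
                alerts[src] = {"accounts": sorted(accounts), "hosts": sorted(hosts)}
                break  # one alert per source is enough for triage
    return alerts
```

Thresholds and window are deliberately low so the sample trips; in production they are tuned against the baseline of legitimate NTLM use, and hits are cross-checked against the workstation the account normally logs on from.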
Related Weaknesses
| CWE-ID | Weakness Name |
| --- | --- |
| CWE-522 | Insufficiently Protected Credentials: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
| CWE-836 | Use of Password Hash Instead of Password for Authentication: The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. |
| CWE-308 | Use of Single-factor Authentication: The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. |
| CWE-294 | Authentication Bypass by Capture-replay: A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
Submission
| Name | Organization | Date | Date Release |
| --- | --- | --- | --- |
| CAPEC Content Team | | 2018-07-31 +00:00 | |
Modifications
| Name | Organization | Date | Comment |
| --- | --- | --- | --- |
| CAPEC Content Team | The MITRE Corporation | 2020-07-30 +00:00 | Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings |
| CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated Description, Extended_Description |
| CAPEC Content Team | The MITRE Corporation | 2022-09-29 +00:00 | Updated Description |