CAPEC-644

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Use of Captured Hashes (Pass The Hash)

Description

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

Prerequisites

The system/application is connected to the Windows domain.

The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

The adversary possesses known Windows credential hash value pairs that exist on the target domain.

Mitigations

Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Monitor system and domain logs for abnormal credential access.

Create a strong password policy and ensure that your system enforces this policy.

Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.

Skills Required

[Low] Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.