CAPEC-644: Use of Captured Hashes (Pass The Hash)

Abstraction: Detailed
Status: Stable
Likelihood: Medium
Severity: High

Description

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.

Metadata: detailed CAPEC pattern, status stable, likelihood medium, severity high. Underlying weaknesses: CWE-522, CWE-836, CWE-308, CWE-294, CWE-308. Mapped ATT&CK technique: T1550.002 (Use Alternate Authentication Material: Pass the Hash). Related CAPEC patterns: CAPEC-653, CAPEC-151, CAPEC-165, CAPEC-549, CAPEC-545.

Related weaknesses · 5

CWE-522, CWE-836, CWE-308, CWE-294, CWE-308

MITRE ATT&CK crosswalk · 1

T1550.002: Use Alternate Authentication Material: Pass the Hash

Related attack patterns · 5

CAPEC-653 (ChildOf), CAPEC-151 (CanPrecede), CAPEC-165 (CanPrecede), CAPEC-549 (CanPrecede), CAPEC-545 (CanPrecede)

Exploits · 4

Type      Target                                                                 Confidence  Tier
Weakness  CWE-522: Insufficiently Protected Credentials                          100%        live
Weakness  CWE-836: Use of Password Hash Instead of Password for Authentication   100%        live
Weakness  CWE-294: Authentication Bypass by Capture-replay                       100%        live
Weakness  CWE-308: Use of Single-factor Authentication                           100%        live

Related to · 1

Type          Target                     Confidence  Tier
SubTechnique  T1550.002: Pass the Hash   100%        live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Use of Captured Tickets (Pass The Ticket)
CAPEC: Windows Admin Shares with Stolen Credentials
CAPEC: Use of Known Domain Credentials
CAPEC: Use of Known Operating System Credentials
Sub-technique: Pass the Hash
CAPEC: DEPRECATED: Dump Password Hashes
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.