An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.
Description
Attack Execution Flow
5
1
Step 1
Explore[Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.
An adversary purchases breached Windows credential hash value pairs from the dark web.
An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.
AI Translation
[Acquisisci coppie di valori hash delle credenziali Windows note] L'avversario deve ottenere coppie di valori hash delle credenziali Windows di account esistenti nel dominio.
Un avversario acquista coppie di valori hash delle credenziali Windows violate dal dark web.
Un avversario conduce un attacco di sniffing per rubare coppie di valori hash delle credenziali Windows durante la trasmissione.
Un avversario ottiene accesso a sistemi/file del dominio Windows ed esfiltra coppie di valori hash delle credenziali Windows.
Un avversario esamina i file di configurazione e proprietà esposti all'esterno per scoprire coppie di valori hash delle credenziali Windows hardcoded.
Attack Techniques
-
An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.
-
An adversary purchases breached Windows credential hash value pairs from the dark web.IT: Un adversario conduce un attacco di sniffing per rubare le coppie di hash delle credenziali di Windows mentre vengono trasmesse.
-
An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.IT: Un adversario conduce un attacco di sniffing per rubare le coppie di hash delle credenziali di Windows mentre vengono trasmesse.
-
An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.IT: Un adversario conduce un attacco di sniffing per rubare le coppie di hash delle credenziali di Windows mentre vengono trasmesse.
2
Step 2
Experiment[Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.
Manually or automatically enter each Windows credential hash value pair through the target's interface.
AI Translation
[Tentativo di autenticazione del dominio] Prova ogni coppia di valori hash delle credenziali Windows fino a quando il target concede l'accesso.
Inserisci manualmente o automaticamente ogni coppia di valori hash delle credenziali Windows tramite l'interfaccia del target.
Attack Techniques
-
Manually or automatically enter each Windows credential hash value pair through the target's interface.
3
Step 3
Exploit[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
AI Translation
[Impersonate] Un avversario può utilizzare esperimenti o autenticazioni riuscite per impersonare un utente o sistema autorizzato, o per muoversi lateralmente all’interno del dominio
4
Step 4
Exploit[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
AI Translation
[Spoofing] Dati dannosi possono essere iniettati nel sistema target o in altri sistemi del dominio. L'attore malevolo può anche impersonare un utente legittimo del dominio per eseguire attacchi di social engineering.
5
Step 5
Exploit[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
AI Translation
[Data Exfiltration] L'avversario può ottenere dati sensibili contenuti nei sistemi o nelle applicazioni di dominio.
Mitigations
5
Create A Strong Password Policy And Ensure That Your System Enforces This Policy.
Leverage Multi-Factor Authentication For All Authentication Services And Prior To Granting An Entity Access To The Domain Network.
Leverage System Penetration Testing And Other Defense In Depth Methods To Determine Vulnerable Systems Within A Domain.
Monitor System And Domain Logs For Abnormal Credential Access.
Prevent The Use Of Lan Man And Nt Lan Man Authentication On Severs And Apply Patch Kb2871997 To Windows 7 And Higher Systems.
Consequences
Security Scopes Affected
Access Control
Authentication
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Indicators
5
Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.
Suspicious or Malicious software is downloaded/installed on systems within the domain.
Data is being transferred and/or removed from systems/applications within the network.
Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
Authentication attempts use credentials that have been used previously by the account in question.
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1550.002
Pass the Hash
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. …
Resources Required
1
A list of known Window credential hash value pairs for the targeted domain.