{ "id": "9592d0cc-c9f9-418d-b1c7-ffb9dfb77adf", "created_at": "2026-04-06T00:10:24.113207Z", "updated_at": "2026-04-10T03:33:18.706008Z", "deleted_at": null, "sha1_hash": "73172ecb42ead8e86c0e86ebe5e6c52076465ba9", "title": "CAPEC-644: Use of Captured Hashes (Pass The Hash) (Version 3.9)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 49284, "plain_text": "CAPEC-644: Use of Captured Hashes (Pass The Hash) (Version\r\n3.9)\r\nArchived: 2026-04-05 17:37:39 UTC\r\n Description\r\nAn adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access\r\nsystems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication\r\nprotocols.\r\n Extended Description\r\nWhen authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the\r\nprotocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication\r\nattempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a\r\nsystem or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values.\r\nSuccessful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can\r\nfurther allow the adversary to laterally move within the network, impersonate a legitimate user, and/or\r\ndownload/install malware to systems within the domain. This technique can be performed against any operating\r\nsystem that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these\r\nsystems/accounts may still authenticate to a Windows domain.\r\n Likelihood Of Attack\r\n Typical Severity\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and\r\nlower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to\r\nshow similar attack patterns that the user may want to explore.\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\n Execution Flow\r\nExplore\r\n1. Acquire known Windows credential hash value pairs: The adversary must obtain known Windows\r\ncredential hash value pairs of accounts that exist on the domain.\r\nTechniques\r\nhttps://capec.mitre.org/data/definitions/644.html\r\nPage 1 of 5\n\nAn adversary purchases breached Windows credential hash value pairs from the dark web.\r\nAn adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are\r\ntransmitted.\r\nAn adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash\r\nvalue pairs.\r\nAn adversary examines outward-facing configuration and properties files to discover hardcoded\r\nWindows credential hash value pairs.\r\nExperiment\r\n1. Attempt domain authentication: Try each Windows credential hash value pair until the target grants\r\naccess.\r\nTechniques\r\nManually or automatically enter each Windows credential hash value pair through the target's interface.\r\nExploit\r\n1. Impersonate: An adversary can use successful experiments or authentications to impersonate an\r\nauthorized user or system, or to laterally move within the domain\r\n2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The\r\nadversary can also pose as a legitimate domain user to perform social engineering attacks.\r\n3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or\r\napplications.\r\n Prerequisites\r\nThe system/application is connected to the Windows domain.\r\nThe system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.\r\nThe adversary possesses known Windows credential hash value pairs that exist on the target domain.\r\n Skills Required\r\n[Level: Low]\r\nOnce an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.\r\n Resources Required\r\nA list of known Window credential hash value pairs for the targeted domain.\r\nhttps://capec.mitre.org/data/definitions/644.html\r\nPage 2 of 5\n\nIndicators\r\nAuthentication attempts use credentials that have been used previously by the account in question.\r\nAuthentication attempts are originating from IP addresses or locations that are inconsistent with the user's\r\nnormal IP addresses or locations.\r\nData is being transferred and/or removed from systems/applications within the network.\r\nSuspicious or Malicious software is downloaded/installed on systems within the domain.\r\nMessages from a legitimate user appear to contain suspicious links or communications not consistent with the\r\nuser's normal behavior.\r\n Consequences\r\nThis table specifies different individual consequences associated with the attack pattern. The Scope identifies\r\nthe security property that is violated, while the Impact describes the negative technical impact that arises if an\r\nadversary succeeds in their attack. The Likelihood provides information about how likely the specific\r\nconsequence is expected to be seen relative to the other consequences in the list. For example, there may be high\r\nlikelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to\r\nachieve a different impact.\r\nScope Impact Likelihood\r\nConfidentiality\r\nAccess Control\r\nAuthentication\r\nGain Privileges\r\nConfidentiality\r\nAuthorization\r\nRead Data\r\nIntegrity Modify Data\r\n Mitigations\r\nPrevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to\r\nWindows 7 and higher systems.\r\nhttps://capec.mitre.org/data/definitions/644.html\r\nPage 3 of 5\n\nLeverage multi-factor authentication for all authentication services and prior to granting an entity access to the\r\ndomain network.\r\nMonitor system and domain logs for abnormal credential access.\r\nCreate a strong password policy and ensure that your system enforces this policy.\r\nLeverage system penetration testing and other defense in depth methods to determine vulnerable systems\r\nwithin a domain.\r\n Example Instances\r\nAdversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to\r\nexfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending\r\nUniversal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the\r\nvictim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent\r\nto the address contained in the link. The adversary was then able to infiltrate and laterally move within the\r\nWindows domain by passing the acquired credentials to shared network resources. This further provided\r\nadversaries with access to Outlook servers and network storage devices. [REF-575]\r\nOperation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that\r\ndumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the\r\nnetwork via Pass The Hash attacks. [REF-580]\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has\r\nrelevant ATT\u0026CK mappings. Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as\r\npart of the mapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping\r\nEntry ID Entry Name\r\n1550.002 Use Alternate Authentication Material:Pass The Hash\r\n References\r\n Content History\r\nSubmissions\r\nSubmission\r\nDate\r\nSubmitter Organization\r\nhttps://capec.mitre.org/data/definitions/644.html\r\nPage 4 of 5\n\n2018-07-31\r\n(Version 2.12)\r\nCAPEC Content Team\r\nModifications\r\nModification\r\nDate\r\nModifier Organization\r\n2020-07-30\r\n(Version 3.3)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Consequences, Description, Example_Instances, Execution_Flow, Indicators,\r\nLikelihood_Of_Attack, Mitigations, Prerequisites, References, Related_Attack_Patterns,\r\nRelated_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings\r\n2022-02-22\r\n(Version 3.7)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description, Extended_Description\r\n2022-09-29\r\n(Version 3.8)\r\nCAPEC Content Team The MITRE Corporation\r\nUpdated Description\r\nMore information is available — Please select a different filter.\r\nSource: https://capec.mitre.org/data/definitions/644.html\r\nhttps://capec.mitre.org/data/definitions/644.html\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://capec.mitre.org/data/definitions/644.html" ], "report_names": [ "644.html" ], "threat_actors": [ { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c", "created_at": "2023-01-06T13:46:39.062729Z", "updated_at": "2026-04-10T02:00:03.200784Z", "deleted_at": null, "main_name": "Operation Soft Cell", "aliases": [], "source_name": "MISPGALAXY:Operation Soft Cell", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434224, "ts_updated_at": 1775791998, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/73172ecb42ead8e86c0e86ebe5e6c52076465ba9.pdf", "text": "https://archive.orkl.eu/73172ecb42ead8e86c0e86ebe5e6c52076465ba9.txt", "img": "https://archive.orkl.eu/73172ecb42ead8e86c0e86ebe5e6c52076465ba9.jpg" } }