mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
T1075 - Pass the Hash
Description from ATT&CK
Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)
Atomic Tests
Atomic Test #1 - Mimikatz Pass the Hash
Note: hashes must be dumped first (Reference).
Supported Platforms: Windows
Inputs
Name | Description | Type | Default Value |
---|---|---|---|
user_name | username | string | Administrator |
domain | domain | string | atomic.local |
ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a |
Run it with command_prompt!
```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```
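Detection side of Atomic Test #1, as an added example that is not part of the original page or the Atomic Red Team project: a widely used heuristic is that `sekurlsa::pth` leaves a Security event 4624 with LogonType 9 (NewCredentials) and logon process `seclogo`. The helper names and the sample events below are constructed for illustration; the field names are those of the standard 4624 event.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Return (event_id, {EventData name: value}) for one event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def find_pth_candidates(events):
    """Keep 4624 logons with LogonType 9 (NewCredentials) from 'seclogo'.

    runas /netonly writes the same record, so a hit is a lead to correlate
    with other telemetry (for example LSASS access), not a verdict.
    """
    hits = []
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if (event_id == 4624 and d.get("LogonType") == "9"
                and d.get("LogonProcessName", "").lower() == "seclogo"):
            hits.append({
                "logged_on_user": d.get("TargetUserName"),
                # Credentials the new session uses for outbound connections
                "outbound_account": "{}\\{}".format(
                    d.get("TargetOutboundDomainName"), d.get("TargetOutboundUserName")),
            })
    return hits

def sample_event(logon_type, process, out_user="-", out_domain="-"):
    """Build a constructed 4624 record trimmed to the fields used above."""
    fields = {"TargetUserName": "alice", "TargetDomainName": "ATOMIC",
              "LogonType": logon_type, "LogonProcessName": process,
              "TargetOutboundUserName": out_user,
              "TargetOutboundDomainName": out_domain}
    body = "".join('<Data Name="{}">{}</Data>'.format(k, v) for k, v in fields.items())
    return ('<Event xmlns="{}"><System><EventID>4624</EventID></System>'
            '<EventData>{}</EventData></Event>').format(NS["e"], body)

SAMPLES = [  # constructed data, not real logs
    sample_event("2", "User32 "),                                   # interactive logon
    sample_event("3", "NtLmSsp "),                                  # network logon
    sample_event("9", "seclogo", "Administrator", "atomic.local"),  # PtH-shaped
]

if __name__ == "__main__":
    for hit in find_pth_candidates(SAMPLES):
        print(hit)
```

The `TargetOutbound*` fields are only populated on newer Windows versions; on older hosts the match still works but the outbound account is reported as `-`.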
Atomic Test #2 - Mimikatz Kerberos Ticket Attack
Similar to PTH, but attacking Kerberos
Supported Platforms: Windows
Inputs
Name | Description | Type | Default Value |
---|---|---|---|
user_name | username | string | Administrator |
domain | domain | string | atomic.local |
Run it with command_prompt!
```
mimikatz # kerberos::ptt #{user_name}@#{domain}
```