Skip to content

DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools

Item Value
ID DET0105
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1110.002 (Password Cracking)

Analytics

Windows

AN0292

Use of hash-cracking tools (e.g., John the Ripper, Hashcat) after credential dumping, combined with high CPU usage or GPU invocation via unsigned binaries accessing password hash files

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Mutable Elements
Field Description
HashToolName Match execution against known cracking toolnames like hashcat.exe, john.exe, etc.
FilePathIndicators Watch for access to common hash dump locations (e.g., SAM, SYSTEM, NTDS.dit)
ExecutionContext Run context: local interactive user vs. scheduled task or remote session

Linux

AN0293

Execution of hash cracking binaries or scripts (e.g., john, hashcat) following access to shadow file or dumped hashes

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Access (DC0055) linux:syslog auth.log or custom tool logs
Mutable Elements
Field Description
ShadowAccessPattern Access to /etc/shadow or known dumped hash files
CrackingBinaryPath Tool path or name associated with hash cracking
CPUUsageThreshold Sustained CPU load post-credential dump can be an indicator

macOS

AN0294

Unsigned or scripting-based processes invoking password cracking binaries or accessing hashed credential artifacts post-login

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process and file events via log stream
Mutable Elements
Field Description
UnsignedBinaryPath Path to untrusted binaries launched by user
UserPrivilegeLevel Helps distinguish between system and user-launched activity

Identity Provider

AN0295

Sudden valid logins from accounts that previously had credentials dumped but had not authenticated successfully in the past; correlated with timeline of suspected hash cracking

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) azure:signinlogs Success logs from high-risk accounts
Mutable Elements
Field Description
PostDumpTimeWindow Detection window after credential dumping to watch for successful logins
LoginLocationRisk Use IP/geolocation risk scoring to flag unusual access

Network Devices

AN0296

Offline cracking inferred by subsequent successful CLI or web-based authentications into routers or switches from previously dumped accounts

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) networkdevice:syslog config access, authentication logs
Mutable Elements
Field Description
LogonTimeCorrelation Window to link credential theft and reuse
SourceDeviceTag Filters based on where cracking may have occurred externally