Skip to content

T1110.002 Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.1

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.2 The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.

Item Value
ID T1110.002
Sub-techniques T1110.001, T1110.002, T1110.003, T1110.004
Tactics TA0006
Platforms Azure AD, Linux, Network, Office 365, Windows, macOS
Version 1.2
Created 11 February 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
G0022 APT3 APT3 has been known to brute force password hashes to be able to leverage plain text credentials.6
G0096 APT41 APT41 performed password brute-force attacks on the local admin account.9
G0035 Dragonfly Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.78
G0037 FIN6 FIN6 has extracted password hashes from ntds.dit to crack offline.5
S0056 Net Crawler Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.4
C0002 Night Dragon During Night Dragon, threat actors used Cain & Abel to crack password hashes.10


ID Mitigation Description
M1032 Multi-factor Authentication Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
M1027 Password Policies Refer to NIST guidelines when creating password policies. 3


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0002 User Account User Account Authentication