T1110.002 Password Cracking
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.1
Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.2 The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.
| Item | Value |
|---|---|
| ID | T1110.002 |
| Sub-techniques | T1110.001, T1110.002, T1110.003, T1110.004 |
| Tactics | TA0006 |
| CAPEC ID | CAPEC-55 |
| Platforms | Azure AD, Linux, Network, Office 365, Windows, macOS |
| Version | 1.2 |
| Created | 11 February 2020 |
| Last Modified | 19 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 | APT3 has been known to brute force password hashes to be able to leverage plain text credentials.7 |
| G0096 | APT41 | APT41 performed password brute-force attacks on the local admin account.8 |
| G0035 | Dragonfly | Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.56 |
| G0037 | FIN6 | FIN6 has extracted password hashes from ntds.dit to crack offline.9 |
| S0056 | Net Crawler | Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies. 3 |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0002 | User Account | User Account Authentication |
References
-
US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. ↩
-
Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015. ↩
-
Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019. ↩
-
Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. ↩
-
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. ↩
-
Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017. ↩
-
Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018. ↩
-
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. ↩
-
FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. ↩