Technique on mitre.org

T1110.002: Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.

Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.

Positive Technologies products that cover the technique

Detection

PT NAD can automatically retrieve credentials transmitted via multiple protocols (like HTTP, FTP, Kerberos, NTLM, database protocols, or RDP) and in most cases identify the authentication result. This allows to discover brute-force attacks including password spraying (using modules of the activity stream) and usage of weak or dictionary passwords. Moreover, there are special rules to detect brute-force attacks including password spraying for particular services.

Examples of PT NAD detection rules

TOOLS [PTsecurity] RDP bruteforce by xfreerdp-like tool (7 in a minute) (sid 10006256)
LOGIN [PTsecurity] Wordpress Login BruteForce (30 attempts in 10 mins) (sid 10003141)

Examples of PT NAD detection modules

Dictionary passwords
Bruteforcing and password spraying

Detection

ID	DS0002	Data source and component	User Account: User Account Authentication	Description	Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

ID	Data source and component	Description
DS0002	User Account: User Account Authentication	Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. (ex: Windows EID 4625 or 5379)
DS0015	Application Log: Application Log Content	Monitor authentication logs for system and application login failures of Valid Accounts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

Mitigation

ID	M1027	Name	Password Policies	Description	Refer to NIST guidelines when creating password policies.

ID	M1032	Name	Multi-factor Authentication	Description	Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

ID	Name	Description
M1027	Password Policies	Refer to NIST guidelines when creating password policies.
M1032	Multi-factor Authentication	Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.