| ID | Name |
|---|---|
| T1110.001 | Password Guessing |
| T1110.002 | Password Cracking |
| T1110.003 | Password Spraying |
| T1110.004 | Credential Stuffing |
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.[1]
Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[2] The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.
| ID | Name | Description |
|---|---|---|
| G0022 | APT3 |
APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[3] |
| G0035 | Dragonfly |
Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[4][5] |
| G0037 | FIN6 |
FIN6 has extracted password hashes from ntds.dit to crack offline.[6] |
| S0056 | Net Crawler |
Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[7] |
| C0002 | Night Dragon |
During Night Dragon, threat actors used Cain & Abel to crack password hashes.[8] |
| G1045 | Salt Typhoon |
Salt Typhoon has cracked passwords for accounts with weak encryption obtained from the configuration files of compromised network devices.[9] |
| ID | Mitigation | Description |
|---|---|---|
| M1032 | Multi-factor Authentication |
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1027 | Password Policies |
Refer to NIST guidelines when creating password policies. [10] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0105 | Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools | AN0292 |
Use of hash-cracking tools (e.g., John the Ripper, Hashcat) after credential dumping, combined with high CPU usage or GPU invocation via unsigned binaries accessing password hash files |
| AN0293 |
Execution of hash cracking binaries or scripts (e.g., john, hashcat) following access to shadow file or dumped hashes |
||
| AN0294 |
Unsigned or scripting-based processes invoking password cracking binaries or accessing hashed credential artifacts post-login |
||
| AN0295 |
Sudden valid logins from accounts that previously had credentials dumped but had not authenticated successfully in the past; correlated with timeline of suspected hash cracking |
||
| AN0296 |
Offline cracking inferred by subsequent successful CLI or web-based authentications into routers or switches from previously dumped accounts |