Description
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A)
Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.
Hashcat Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (2)
Password PoliciesM1027
Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)
Multi-factor AuthenticationM1032
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Threat Groups (4)
| ID | Group | Context |
|---|---|---|
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: A... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has dropped and executed tools used for password cracking, including Hydra and [CrackMapExec](https... |
| G1045 | Salt Typhoon | [Salt Typhoon](https://attack.mitre.org/groups/G1045) has cracked passwords for accounts with weak encryption obtained from the configuration files of... |
| G0037 | FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016) |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0056 | Net Crawler | Malware | [Net Crawler](https://attack.mitre.org/software/S0056) uses a list of known credentials gathered through credential dumping to guess passwords to acco... |
References
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.
Frequently Asked Questions
What is T1110.002 (Password Cracking)?
T1110.002 is a MITRE ATT&CK technique named 'Password Cracking'. It belongs to the Credential Access tactic(s). Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](http...
How can T1110.002 be detected?
Detection of T1110.002 (Password Cracking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1110.002?
There are 2 documented mitigations for T1110.002. Key mitigations include: Password Policies, Multi-factor Authentication.
Which threat groups use T1110.002?
Known threat groups using T1110.002 include: APT3, Dragonfly, Salt Typhoon, FIN6.