Description
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, then not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l, cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all). (Citation: US-CERT-TA18-106A)
Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).
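Detection logic for the command-line indicators listed above, as an added example that is not part of the ATT&CK page: it runs a small set of patterns over constructed process-creation records (hostnames, user names and command lines are made up for the example) and counts hits per user, so several distinct policy lookups from one account stand out. The `net1` alternative in the first pattern reflects net.exe handing its arguments to net1.exe; the `show aaa` pattern covers the network-device case.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation records, shaped loosely like Windows 4688 /
# Sysmon Event 1 and a flattened Linux auditd EXECVE; none are real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net accounts /domain"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use \\\\fs01\\share"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ADDefaultDomainPasswordPolicy"},
    {"host": "WS02", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\net1.exe",
     "cmdline": "net1  accounts"},
    {"host": "lnx01", "user": "ops", "image": "/usr/bin/chage", "cmdline": "chage -l ops"},
    {"host": "lnx01", "user": "ops", "image": "/usr/bin/cat",
     "cmdline": "cat /etc/pam.d/common-password"},
    {"host": "lnx01", "user": "ops", "image": "/usr/bin/cat", "cmdline": "cat /etc/hosts"},
    {"host": "mac01", "user": "analyst", "image": "/usr/bin/pwpolicy",
     "cmdline": "pwpolicy getaccountpolicies"},
]

# Command-line indicators taken from the technique description. net.exe hands
# its arguments to net1.exe, so one pattern covers both image names.
INDICATORS = [
    (re.compile(r"\bnet(?:1|\.exe)?\s+accounts\b", re.IGNORECASE), "net accounts"),
    (re.compile(r"Get-ADDefaultDomainPasswordPolicy", re.IGNORECASE),
     "Get-ADDefaultDomainPasswordPolicy"),
    (re.compile(r"\bchage\s+(?:-\S+\s+)*-l\b"), "chage -l"),
    (re.compile(r"/etc/pam\.d/common-password"), "read of /etc/pam.d/common-password"),
    (re.compile(r"\bpwpolicy\b.*\bgetaccountpolicies\b"), "pwpolicy getaccountpolicies"),
    (re.compile(r"\bshow\s+aaa\b"), "show aaa"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    indicator: str
    cmdline: str


def find_policy_discovery(events):
    """Return one Finding per event whose command line matches an indicator."""
    findings = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for pattern, label in INDICATORS:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], label, cmd))
                break  # one label per event is enough for triage
    return findings


def summarize_by_user(findings):
    """Count hits per user; several different lookups from one account in a
    short window is the shape an analyst would escalate first."""
    return Counter(f.user for f in findings)


if __name__ == "__main__":
    hits = find_policy_discovery(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.user:16} {f.indicator:36} {f.cmdline}")
    print(dict(summarize_by_user(hits)))
```

Matching on the command line rather than the image name is deliberate: the same lookups can be issued through a renamed binary or a PowerShell one-liner, and the benign `net use` and `cat /etc/hosts` records show that the patterns key on the policy-specific arguments, not on the tool.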
Platforms
Mitigations (1)
Password Policies (M1027)
Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\Windows\System32\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. (Citation: Microsoft Install Password Filter n.d)
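An audit for that mitigation, as an added example that is not part of the ATT&CK page: it reads the `Notification Packages` value (from the live registry on Windows, otherwise from a constructed `reg export` text embedded below), compares each registered package against an allowlist, and checks that a matching DLL exists in System32. `scecli` is the package Windows registers by default; `pwdhook` is a made-up name standing in for an unexpected filter, and the allowlist and directory listing used in the offline run are assumptions for the example.

```python
import sys

# Constructed `reg export` text for the Lsa key. REG_MULTI_SZ is exported as
# hex(7): UTF-16LE bytes, NUL-separated, double-NUL terminated, with long
# values continued onto the next line after a trailing backslash.
# "pwdhook" is an invented second entry, not a real filter DLL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,70,00,\
  77,00,64,00,68,00,6f,00,6f,00,6b,00,00,00,00,00
"""

# scecli is the default Windows entry; an organization adds the names of the
# password filters it deliberately deployed (assumed allowlist for the example).
KNOWN_GOOD = {"scecli"}


def parse_notification_packages(reg_text):
    """Decode the hex(7) Notification Packages value from reg-export text."""
    hex_parts = []
    collecting = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not collecting:
            if not line.startswith('"Notification Packages"=hex(7):'):
                continue
            payload = line.split("hex(7):", 1)[1]
            collecting = True
        else:
            payload = line
        continued = payload.endswith("\\")
        hex_parts.extend(p for p in payload.rstrip("\\").split(",") if p)
        if not continued:
            break
    if not hex_parts:
        return []
    text = bytes(int(h, 16) for h in hex_parts).decode("utf-16-le")
    return [name for name in text.split("\x00") if name]


def audit_filters(packages, allowlist, system32_listing):
    """Return (package, issue) pairs for entries outside the allowlist and for
    entries whose DLL is absent from the System32 listing (lower-cased names)."""
    allowed = {a.lower() for a in allowlist}
    issues = []
    for name in packages:
        if name.lower() not in allowed:
            issues.append((name, "not in allowlist"))
        if f"{name.lower()}.dll" not in system32_listing:
            issues.append((name, "DLL not found in System32"))
    return issues


def read_live_packages():
    """On Windows, read the live value; winreg returns REG_MULTI_SZ as a list."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        value, _kind = winreg.QueryValueEx(key, "Notification Packages")
    return list(value)


if __name__ == "__main__":
    packages = read_live_packages() or parse_notification_packages(SAMPLE_REG_EXPORT)
    listing = {"scecli.dll"}  # constructed directory listing for the offline run
    if sys.platform == "win32":
        import os
        system32 = os.path.join(os.environ["SystemRoot"], "System32")
        listing = {f.lower() for f in os.listdir(system32)}
    for name, issue in audit_filters(packages, KNOWN_GOOD, listing):
        print(f"{name}: {issue}")
```

Run against an exported hive the check is read-only and can be scheduled across domain controllers; a package name that is neither allowlisted nor backed by a DLL in System32 is the case worth investigating, since a filter DLL loaded by LSASS sees every password change in clear text.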
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used net.exe in a script with <code>net accounts /domain</code> to find the password policy of a d... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used the NtdsAudit utility to collect information related to accounts and passwords.(Citation: NC... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) has used <code>net accounts</code> and <code>net accounts /domain</code> to acquire password policy inf... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0039 | Net | Tool | The <code>net accounts</code> and <code>net accounts /domain</code> commands with [Net](https://attack.mitre.org/software/S0039) can be used to obtain... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can discover the password policies applied to the target system.(Citation: CME Github Septembe... |
| S0236 | Kwampirs | Malware | [Kwampirs](https://attack.mitre.org/software/S0236) collects password policy information with the command <code>net accounts</code>.(Citation: Symante... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can use <code>Get-PassPol</code> to enumerate the domain password policy.(Citation: GitHub PoshC2) |
References
- Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021.
- Holland, J. (2016, January 25). User password policies on non AD machines. Retrieved April 5, 2018.
- Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)?. Retrieved April 5, 2018.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1201 (Password Policy Discovery)?
T1201 is a MITRE ATT&CK technique named 'Password Policy Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that a...
How can T1201 be detected?
Detection of T1201 (Password Policy Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1201?
There is 1 documented mitigation for T1201: Password Policies.
Which threat groups use T1201?
Known threat groups using T1201 include: OilRig, Chimera, Turla.