Password Policy Discovery
Password Policy Discovery [T1201]
Last updated
Password Policy Discovery [T1201]
Last updated
Name: Password Policy Discovery
ID: T1201
Tactics:
Password Policy Discovery is categorized under the MITRE ATT&CK Framework as Technique T1201. It involves adversaries attempting to discover password policies enforced within a targeted environment. These policies typically include password complexity requirements, password expiration intervals, account lockout thresholds, and history retention. By understanding these policies, attackers can tailor brute-force or password spraying attempts to evade detection and increase their chances of successful credential compromise.
Password Policy Discovery is a reconnaissance technique used by adversaries to understand the password requirements of a targeted organization. Attackers typically employ several methods to identify password policies:
Windows Domain Enumeration:
Tools such as net accounts, net accounts /domain, and PowerShell cmdlets (e.g., Get-ADDefaultDomainPasswordPolicy) can enumerate password policies on Windows Active Directory domains.
Attackers may utilize built-in Windows utilities or custom scripts to extract this information from domain controllers.
LDAP Queries:
Attackers may execute Lightweight Directory Access Protocol (LDAP) queries against domain controllers to retrieve password policy details.
Common tools include ldapsearch, PowerShell scripts, or custom-developed tools.
Group Policy Object (GPO) Analysis:
Attackers may attempt to access and analyze Group Policy Objects stored within SYSVOL shares (\\<DOMAIN>\SYSVOL) to identify password policies and security settings.
Tools such as BloodHound, PowerSploit, or manual enumeration can facilitate this analysis.
Web Applications and Portals:
Web-based applications or authentication portals may inadvertently disclose password policy requirements during user registration, password reset pages, or error messages.
Attackers may also use automated web crawling tools to scan for publicly accessible password policy information.
Third-party Software and Configuration Files:
Attackers may review configuration files or documentation available publicly or internally (via compromised credentials or initial access) that outlines password policy settings.
By obtaining this information, adversaries can optimize their password guessing strategies, minimizing failed login attempts and reducing the risk of triggering account lockouts or detection mechanisms.
Password Policy Discovery is frequently utilized during the initial reconnaissance phases of an attack, particularly when adversaries seek to perform credential-based attacks. Common scenarios and stages include:
Initial Reconnaissance:
Attackers gather information to understand the target organization's security posture and authentication mechanisms prior to launching credential attacks.
Credential Access Phase:
Adversaries use discovered password policies to optimize password spraying, brute-force attacks, or credential stuffing attempts, increasing their likelihood of success.
Persistence and Privilege Escalation:
Once initial access is achieved, attackers may again review password policies to craft effective password reset or privilege escalation strategies.
Lateral Movement:
Understanding password complexity and expiration policies helps attackers maintain access by predicting password changes or targeting accounts with weaker password requirements.
Detecting Password Policy Discovery can be challenging, as enumerating password policies often involves legitimate tools and commands. However, organizations can identify suspicious reconnaissance activity through the following detection methods:
Monitoring Command Execution:
Monitor and alert on the execution of commands such as net accounts, net accounts /domain, Get-ADDefaultDomainPasswordPolicy, and LDAP queries from unusual sources or at unusual times.
Log Analysis and SIEM Integration:
Aggregate and analyze Windows Event Logs, especially Security logs (Event ID 4661, 4662) and Directory Service Access logs, for unusual enumeration activities or unauthorized access attempts.
Integrate logs into Security Information and Event Management (SIEM) solutions for correlation and alerting.
Behavioral Analytics and Anomaly Detection:
Implement User and Entity Behavior Analytics (UEBA) solutions to detect anomalous enumeration behaviors indicative of reconnaissance activities.
Network Traffic Analysis:
Inspect LDAP traffic and SMB access to SYSVOL shares for unusual queries or access patterns.
Deploy network intrusion detection systems (IDS) or network traffic analysis tools to detect anomalous LDAP queries or enumeration attempts.
Endpoint Detection and Response (EDR):
Deploy EDR solutions to monitor and detect suspicious execution of enumeration scripts or tools on endpoints.
Execution of enumeration commands (net accounts, net accounts /domain, LDAP queries) from unknown or unauthorized systems.
Unusual SMB access to SYSVOL shares from non-administrative or unexpected accounts.
High volume of LDAP queries from single sources or unusual network segments.
Presence of reconnaissance scripts such as PowerSploit modules or BloodHound enumeration tools.
Early detection of Password Policy Discovery is crucial due to its role as a precursor to credential-based attacks. The importance and potential impacts include:
Credential Compromise Prevention:
Detecting enumeration attempts early can prevent subsequent credential attacks (password spraying, brute-force, credential stuffing), reducing the risk of unauthorized access.
Reducing Attack Surface:
Early identification of reconnaissance activity allows organizations to proactively strengthen password policies and implement additional security controls.
Preventing Privilege Escalation and Lateral Movement:
Timely detection prevents attackers from leveraging discovered password policies to escalate privileges, move laterally, or maintain persistence within the network.
Protecting Sensitive Information:
Credential compromise often leads to unauthorized access to sensitive data, intellectual property theft, or operational disruption.
Compliance and Regulatory Requirements:
Timely detection and response to reconnaissance activities help organizations maintain compliance with industry standards and regulatory frameworks, avoiding potential fines or penalties.
Real-world examples of Password Policy Discovery include:
APT29 (Cozy Bear):
Known to conduct extensive reconnaissance, including enumeration of password policies and Active Directory configurations, prior to launching credential-based attacks.
Utilized tools such as PowerShell scripts and publicly available enumeration utilities to gather password policy information.
FIN6 Cybercriminal Group:
Conducted reconnaissance activities, including password policy enumeration, to optimize credential attacks against retail and hospitality organizations.
Leveraged publicly available enumeration tools and custom scripts to tailor password spraying and brute-force attacks.
BloodHound Enumeration Tool:
Attackers frequently use BloodHound to enumerate Active Directory environments, including password policy details, to identify potential attack paths and vulnerabilities.
BloodHound graphically maps relationships and password policy settings, aiding attackers in planning credential-based attacks.
PowerSploit Framework:
PowerSploit contains modules specifically designed to enumerate Active Directory password policies and security settings, frequently leveraged by attackers for reconnaissance purposes.
Web Application Enumeration:
Attackers have leveraged exposed or misconfigured web applications that disclose password policy information via registration or password reset pages, allowing attackers to craft targeted password attacks.
In each scenario, adversaries leveraged Password Policy Discovery to enhance their attack effectiveness, reduce detection likelihood, and increase their chances of successful credential compromise and subsequent exploitation.