Find sigma rule
Attack: Password Policy Discovery
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, then not trying passwords such as ‘pass123’; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as `net accounts (/domain)`, `Get-ADDefaultDomainPasswordPolicy`, `chage -l`, `cat /etc/pam.d/common-password`, and `pwpolicy getaccountpolicies` (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. `show aaa`, `show aaa common-criteria policy all`). (Citation: US-CERT-TA18-106A)

Password policies can be discovered in cloud environments using available APIs such as `GetAccountPasswordPolicy` in AWS (Citation: AWS GetPasswordPolicy).
MITRE
Tactic
- discovery
Technique
- T1201
Test: Get-DomainPolicy with PowerView
OS
- windows
Description:
Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
Executor
powershell
Sigma Rule
- proc_creation_win_susp_progname.yml (id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6)
- proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
- posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)
- posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
- posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
- posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
- posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
- posh_ps_directoryservices_accountmanagement.yml (id: b29a93fb-087c-4b5b-a84d-ee3309e69d08)
- posh_ps_request_kerberos_ticket.yml (id: a861d835-af37-4930-bcd6-5b178bfb54df)
- posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
- posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)