Find sigma rule
Attack: Password Policy Discovery
Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, then not trying passwords such as 'pass123'; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts).
Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as `net accounts (/domain)`, `Get-ADDefaultDomainPasswordPolicy`, `chage -l`, `cat /etc/pam.d/common-password`, and `pwpolicy getaccountpolicies` (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to discover password policy information (e.g. `show aaa`, `show aaa common-criteria policy all`). (Citation: US-CERT-TA18-106A)
Password policies can be discovered in cloud environments using available APIs such as `GetAccountPasswordPolicy` in AWS (Citation: AWS GetPasswordPolicy).
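As an added example (not part of this page's Sigma rules or the Atomic test), the matcher below flags the T1201 discovery utilities listed above when they appear in command-line or script-block telemetry; the log lines and their field names are constructed assumptions, and a production rule would add context (user, parent process, frequency) to cut down on false positives from legitimate administration.

```python
import re
from dataclasses import dataclass

# Discovery utilities named in ATT&CK T1201, one case-insensitive pattern each.
# Tuple layout: (platform label, compiled regex).
T1201_PATTERNS = [
    ("windows", re.compile(r"\bnet(?:\.exe)?\s+accounts\b(?:\s+/domain)?", re.I)),
    ("windows", re.compile(r"\bGet-ADDefaultDomainPasswordPolicy\b", re.I)),
    ("linux",   re.compile(r"\bchage\s+-l\b", re.I)),
    ("linux",   re.compile(r"/etc/pam\.d/common-password\b", re.I)),
    ("macos",   re.compile(r"\bpwpolicy\s+getaccountpolicies\b", re.I)),
    ("network", re.compile(r"\bshow\s+aaa(?:\s+common-criteria\s+policy\s+all)?\b", re.I)),
    ("aws",     re.compile(r"\bGetAccountPasswordPolicy\b", re.I)),
]


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned log
    platform: str  # which platform's utility matched
    matched: str   # the exact command fragment that triggered the hit


def scan_command_log(lines):
    """Return one Hit per log line whose command text matches a T1201 pattern.

    Only the first matching pattern per line is reported; for triage one hit
    per event is enough, and it keeps the result list the same length as the
    set of suspicious lines.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for platform, pat in T1201_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append(Hit(n, platform, m.group(0)))
                break
    return hits


# Constructed sample telemetry (not real logs); field names are assumptions.
SAMPLE_LOG = [
    "4104 ScriptBlockText=Get-ADDefaultDomainPasswordPolicy | Format-List",
    "4688 CommandLine=C:\\Windows\\system32\\net.exe accounts /domain",
    "auditd execve: chage -l svc_backup",
    "bash_history: cat /etc/pam.d/common-password",
    "unified_log: pwpolicy getaccountpolicies",
    "ios_cmd: show aaa common-criteria policy all",
    "cloudtrail eventName=GetAccountPasswordPolicy eventSource=iam.amazonaws.com",
    "4104 ScriptBlockText=Get-Date",  # benign line, must not match
]

if __name__ == "__main__":
    for hit in scan_command_log(SAMPLE_LOG):
        print(f"line {hit.line_no:>2} [{hit.platform}] {hit.matched}")
```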
MITRE
Tactic
- discovery
Technique
- T1201
Test: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
OS
- windows
Description:
The following Atomic test uses `get-addefaultdomainpasswordpolicy` to enumerate the domain password policy. Upon successful execution, the configured policy is displayed. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
Executor
powershell
Sigma Rule
- posh_ps_susp_get_addefaultdomainpasswordpolicy.yml (id: bbb9495b-58fc-4016-b9df-9a3a1b67ca82)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)