Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_ad_password_policy | Azure AD Password Policy | technique_scores | T1110.002 | Password Cracking |
Comments
The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.
In regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted. Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).
References
|
| conditional_access | Conditional Access | technique_scores | T1110.002 | Password Cracking |
Comments
Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.
References
|
| azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1110.002 | Password Cracking |
Comments
This control's "Require MFA for administrative roles" and "Ensure all users can complete multi-factor authentication for secure access" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.
This control's "Do not expire passwords" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords.
This control's "Enable policy to block legacy authentication" and "Stop legacy protocols communication" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.
This control's "Resolve unsecure account attributes" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.
Because these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.
References
|
| azure_active_directory_password_protection | Azure Active Directory Password Protection | technique_scores | T1110.002 | Password Cracking | |
| passwordless_authentication | Passwordless Authentication | technique_scores | T1110.002 | Password Cracking |
Comments
This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials.
References
|