T1201 Password Policy Discovery Mappings

Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code>.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CA-7 Continuous Monitoring Protects T1201 Password Policy Discovery
CM-2 Baseline Configuration Protects T1201 Password Policy Discovery
CM-6 Configuration Settings Protects T1201 Password Policy Discovery
SI-3 Malicious Code Protection Protects T1201 Password Policy Discovery
SI-4 System Monitoring Protects T1201 Password Policy Discovery
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1201 Password Policy Discovery