ATTACK-T1201Active

Password Policy Discovery

Statement

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code> (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. <code>show aaa</code>, <code>show aaa common-criteria policy all</code>).(Citation: US-CERT-TA18-106A)

Password policies can be discovered in cloud environments using available APIs such as <code>GetAccountPasswordPolicy</code> in AWS (Citation: AWS GetPasswordPolicy).

Location

Tactic: Discovery

Technique Details

Identifier: ATTACK-T1201
ATT&CK Page: View on MITRE

Tactics

Discovery

Platforms

WindowsLinuxmacOSIaaSNetwork DevicesIdentity ProviderSaaSOffice Suite

Detection

Password Policy Discovery – cross-platform behavior-chain analytics

Mitigations

Password Policies: Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:

Windows Systems:

Use Group Policy Management Console (GPMC) to configure:
- Minimum password length (e.g., 12+ characters).
- Password complexity requirements.
- Password history (e.g., disallow last 24 passwords).
- Account lockout duration and thresholds.

Linux Systems:

Configure Pluggable Authentication Modules (PAM):
Use pam_pwquality to enforce complexity and length requirements.
Implement pam_tally2 or pam_faillock for account lockouts.
Use pwunconv to disable password reuse.

Password Managers:

Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

Tools for Implementation

Windows:

Group Policy Management Console (GPMC): Enforce password policies.
Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
Lynis: Audit password policies and system configurations.

Cross-Platform:

Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
Have I Been Pwned API: Prevent the use of breached passwords.
NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.

EquivalentPartialRelated

SP 800-53

SP800-53-CA-7relatedvia ctid-attack-to-sp800-53

SP800-53-CM-2relatedvia ctid-attack-to-sp800-53

SP800-53-CM-6relatedvia ctid-attack-to-sp800-53

SP800-53-SI-3relatedvia ctid-attack-to-sp800-53

SP800-53-SI-4relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Discovery

Windows Systems:

Use Group Policy Management Console (GPMC) to configure:
- Minimum password length (e.g., 12+ characters).
- Password complexity requirements.
- Password history (e.g., disallow last 24 passwords).
- Account lockout duration and thresholds.

Linux Systems:

Configure Pluggable Authentication Modules (PAM):
Use pam_pwquality to enforce complexity and length requirements.
Implement pam_tally2 or pam_faillock for account lockouts.
Use pwunconv to disable password reuse.

Password Managers:

Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

Tools for Implementation

Windows:

Group Policy Management Console (GPMC): Enforce password policies.
Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
Lynis: Audit password policies and system configurations.

Cross-Platform:

Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
Have I Been Pwned API: Prevent the use of breached passwords.
NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.

Password Policy Discovery

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings5

Password Policy Discovery

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings5