detection.wiki

Brute Force: Password Cracking T1110.002

Tactic: Credential Access

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.

Events covered

2 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
Security-AuditingEvent ID 4688A new process has been created.

Authoring guide

Patterns shared across the 3 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Category1eq 1SQLSecurityAuditEvents
CommandLine1contains 1-a , -m 1000 , -r
EventType1in 1ProcessRollup2, exec, exec_event
Image1ends_with 1\hashcat.exe
IsErrorAnomalyOnStatement1eq 1true
WindowType1eq 1, in 1detection, training
action_id_s1contains 1bcm, rcm
event.type1eq 1start
host.os.type1eq 1
process_name1in 1binwalk, cewl, commix

Top indicator values (61 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
Categoryeq
SQLSecurityAuditEvents
112
CommandLinecontains
-a
13
CommandLinecontains
-m 1000
1
CommandLinecontains
-r
1
EventTypein
ProcessRollup2
1117
EventTypein
exec
1171
EventTypein
exec_event
1139
EventTypein
executed
188
EventTypein
process_started
174
EventTypein
start
1134
Imageends_with
\hashcat.exe
12
IsErrorAnomalyOnStatementeq
true
13
WindowTypeeq
detection
110
WindowTypeeq
training
110
WindowTypein
detection
110
WindowTypein
training
110
action_id_scontains
bcm
110
action_id_scontains
rcm
110
event.typeeq
start
1606
process_namein
binwalk
1
process_namein
cewl
1
process_namein
commix
1
process_namein
crackmapexec
12
process_namein
dirb
1
process_namein
dirbuster
1
process_namein
droopescan
1
process_namein
evil-winrm
1
process_namein
eyewitness
1
process_namein
fcrackzip
1
process_namein
ffuf
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 1 rule

Elastic 1 rule

Kusto 1 rule