T1201 - Password Policy Discovery

Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length is 8, not trying passwords such as 'pass123'; not trying more than 3-4 passwords per account if the lockout is set to 6, so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems. (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)

===Windows===

  • net accounts
  • net accounts /domain

===Linux===

  • chage -l
  • cat /etc/pam.d/common-password

===macOS===

  • pwpolicy getaccountpolicies

Detection: Monitor processes for tools and command-line arguments that may indicate they are being used for password policy discovery. Correlate that activity with other suspicious activity from the originating system to reduce potential false positives from valid user or administrator activity. Adversaries will likely attempt to find the password policy early in an operation, so the activity is likely to occur alongside other Discovery activity.

Platforms: Linux, Windows, macOS

Data Sources: Process command-line parameters, Process Monitoring

Permissions Required: User

Contributors: Sudhanshu Chauhan, @Sudhanshu_C
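
The detection guidance above, sketched as an added example (not part of the original page or of the project's own code): it matches the command lines listed on this page and raises the severity when another Discovery command ran on the same host close in time. The event fields, the 10-minute window and the `OTHER_DISCOVERY` list are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines this page lists for password policy discovery.
POLICY_PATTERNS = [
    r"\bnet1?(\.exe)?\s+accounts\b",
    r"\bchage\s+(-l|--list)\b",
    r"\bpwpolicy\b.*\bgetaccountpolicies\b",
    r"/etc/pam\.d/(common-password|system-auth)\b",
    r"/etc/(login\.defs|security/pwquality\.conf)\b",
]
# Assumption: a small sample of other Discovery commands, for correlation only.
OTHER_DISCOVERY = [r"^\s*whoami\b", r"^\s*id\b", r"^\s*uname\s+-a\b",
                   r"^\s*ipconfig\b", r"^\s*net1?(\.exe)?\s+(user|group)\b"]

def matches(patterns, cmdline):
    return any(re.search(p, cmdline, re.IGNORECASE) for p in patterns)

def detect(events, window=timedelta(minutes=10)):
    """Flag policy-discovery commands; severity is 'high' when another
    Discovery command ran on the same host within `window`, else 'low'."""
    discovery_times = defaultdict(list)
    for e in events:
        if matches(OTHER_DISCOVERY, e["cmdline"]):
            discovery_times[e["host"]].append(e["time"])
    alerts = []
    for e in events:
        if matches(POLICY_PATTERNS, e["cmdline"]):
            near = any(abs(e["time"] - t) <= window
                       for t in discovery_times[e["host"]])
            alerts.append((e["host"], e["cmdline"], "high" if near else "low"))
    return alerts

def make_event(host, hhmm, cmdline):
    when = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"host": host, "time": when, "cmdline": cmdline}

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    make_event("ws01", "09:00", "whoami"),
    make_event("ws01", "09:01", "net accounts /domain"),
    make_event("srv02", "14:30", "cat /etc/login.defs"),
    make_event("srv02", "14:31", "ls -la /tmp"),
    make_event("mac03", "11:00", "pwpolicy getaccountpolicies"),
    make_event("mac03", "11:04", "id"),
]

for host, cmd, sev in detect(SAMPLE_EVENTS):
    print(f"{sev:4} {host} {cmd}")
```

A lone read of `/etc/login.defs` by an administrator stays at low severity; the same read next to `whoami` or `id` on that host is what gets escalated.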

Atomic Tests


Atomic Test #1 - Examine password complexity policy - Ubuntu

Lists the password complexity policy to console on Ubuntu Linux.

Supported Platforms: Ubuntu

Run it with bash!

cat /etc/pam.d/common-password


Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x

Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.

Supported Platforms: CentOS

Run it with bash!

cat /etc/security/pwquality.conf


Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x

Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.

Supported Platforms: CentOS

Run it with bash!

cat /etc/pam.d/system-auth

cat /etc/security/pwquality.conf


Atomic Test #4 - Examine password expiration policy - All Linux

Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.

Supported Platforms: Linux

Run it with bash!

cat /etc/login.defs