Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Взлом пароля
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Взлом пароля
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Brute Force:  Взлом пароля

ID Название
.001 Угадывание пароля
.002 Взлом пароля
.003 Распыление пароля
.004 Подстановка украденных учетных данных

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.

ID: T1110.002
Относится к технике:  T1110
Тактика(-и): Credential Access
Платформы: Azure AD, Linux, macOS, Network, Office 365, Windows
Источники данных: Application Log: Application Log Content, User Account: User Account Authentication
Версия: 1.2
Дата создания: 11 Feb 2020
Последнее изменение: 19 Apr 2022

Примеры процедур
Название Описание
APT3

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: APT3 Adversary Emulation Plan)
Net Crawler

Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.(Citation: Cylance Cleaver)
Dragonfly

Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.(Citation: US-CERT TA18-074A)(Citation: Kali Hydra)
APT41

APT41 performed password brute-force attacks on the local admin account.(Citation: FireEye APT41 Aug 2019)
Dragonfly 2.0

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Kali Hydra)
FIN6

FIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)

During Night Dragon, threat actors used Cain & Abel to crack password hashes.(Citation: McAfee Night Dragon)

Контрмеры
Контрмера Описание
Password Policies

Set and enforce secure password policies for accounts.
Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Обнаружение

It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.

Ссылки

  1. Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
  2. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  3. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  4. Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.
  5. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  6. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  7. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
  8. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  9. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  10. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  11. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.