Password Policy Discovery T1201

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Events covered

7 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 17 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (16 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine8contains 7, regex_match 1accounts, --local-auth, -d , -h , accounts
process_name6eq 5, starts_with 2, ends_with 1cmd.exe, powershell, \lsass.exe, dsget.exe, dsquery.exe
EventID5eq 54104, 4799
OriginalFileName4eq 4net1.exe, net.exe, cmd.exe, powershell.exe, powershell_ise.exe
ScriptBlockText4contains 4get-addefaultdomainpasswordpolicy, get-aduserresultantpasswordpolicy, get-domainpolicy
Image3ends_with 3\net.exe, \net1.exe, \crackmapexec.exe
ObjectServer2eq 2Security Account Manager
AccessList1contains 1%%5392
ObjectName1starts_with 1DC=
ObjectType1eq 1SAM_DOMAIN
Properties1contains 1bf967977-0de6-11d0-a285-00aa003049e2, bf9679a4-0de6-11d0-a285-00aa003049e2, bf9679a5-0de6-11d0-a285-00aa003049e2
SubjectUserName1ends_with 1$
c_process_name1lt 110
dc_user_group1eq 14
event.type1eq 1start

Top indicator values (94 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
EventIDeq
4104
4268
process_nameeq
cmd.exe
475
process_nameeq
net1.exe
234
OriginalFileNameeq
net1.exe
343
OriginalFileNameeq
net.exe
227
CommandLinecontains
accounts
22
CommandLinecontains
--local-auth
1
CommandLinecontains
-d
18
CommandLinecontains
-h
1
CommandLinecontains
-h 'nthash'
1
CommandLinecontains
-m
1
CommandLinecontains
-m pe_inject
1
CommandLinecontains
-o
12
CommandLinecontains
-p
19
CommandLinecontains
-u
17
CommandLinecontains
-x
1
CommandLinecontains
10.
1
CommandLinecontains
192.168.
1
CommandLinecontains
accounts
1
CommandLinecontains
group
12
CommandLinecontains
localgroup
1
CommandLinecontains
mssql
12
CommandLinecontains
share
1
CommandLinecontains
smb
12
Imageends_with
\net.exe
250
Imageends_with
\net1.exe
248
ObjectServereq
Security Account Manager
26
ScriptBlockTextcontains
get-addefaultdomainpasswordpolicy
22
process_namestarts_with
powershell
24
AccessListcontains
%%5392
12

Exclusions (9 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinein
*/FORCELOGOFF*
1
CommandLinein
*/MAXPWAGE*
1
CommandLinein
*/MINPWAGE*
1
CommandLinein
*/MINPWLEN*
1
CommandLinein
*/UNIQUEPW*
1
SubjectUserNameends_with
$
1
parent_process_nameeq
LTSVC.exe
1
process.parent.argswildcard
C:\Program Files (x86)\Microsoft Intune Management...
1
user.ideq
S-1-5-18
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 6 rules

Elastic 1 rule

Splunk 9 rules

Kusto 1 rule