T1110.002 Password Cracking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PasswordCrackingTools = dynamic([
  "hashcat", "john", "john.exe", "johntheripper",
  "hydra", "hydra.exe", "thc-hydra",
  "crackmapexec", "cme", "cme.exe",
  "ophcrack", "ophcrack.exe",
  "l0phtcrack", "lc5", "lc6",
  "pwdump", "fgdump",
  "mimikatz", "mimitatz", "mimikaz",
  "ntdsutil", "secretsdump",
  "hashcracker", "winhex"
]);
let CrackingArgPatterns = dynamic([
  "--attack-mode", "-a 0", "-a 3", "-a 6", "-a 7",
  "--hash-type", "-m 1000", "-m 5600", "-m 13100",
  "--wordlist", "-w rockyou", "--rules",
  "--show", "--format=NT", "--format=LM",
  "rockyou.txt", "passwords.txt", "wordlist",
  "-hash-file", "ntlm", "--pot-file"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName has_any (PasswordCrackingTools))
   or (ProcessCommandLine has_any (CrackingArgPatterns))
   or (ProcessCommandLine has_any ("hashcat", "john ", "-m 1000", "-m 5600", "rockyou", "ntlm", "--attack-mode", "--hash-type"))
| extend IsKnownCrackingTool = FileName has_any (PasswordCrackingTools)
| extend HasCrackingArgs = ProcessCommandLine has_any (CrackingArgPatterns)
| extend NTLMCracking = ProcessCommandLine has_any ("-m 1000", "-m 5600", "-m 13100", "--format=NT", "--format=LM")
| extend WordlistUsed = ProcessCommandLine has_any ("rockyou", "wordlist", "--wordlist", "-w ")
| extend HasHashFile = ProcessCommandLine has_any ("hashes.txt", "hash.txt", "ntds.dit", ".hash", "dumped")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath,
          IsKnownCrackingTool, HasCrackingArgs, NTLMCracking, WordlistUsed, HasHashFile
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Security researchers and penetration testers legitimately running Hashcat or John the Ripper on authorized systems
IT administrators using CrackMapExec for authorized network auditing or password policy testing
Red team exercises where password cracking tools are deployed on authorized test systems
Cybersecurity training labs where students practice with password cracking tools in controlled environments
Password policy compliance tools that check password strength by attempting dictionary attacks

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval IsKnownCrackingTool=if(match(ImageLower, "(hashcat|john\.exe|hydra|crackmapexec|ophcrack|l0phtcrack|pwdump|fgdump|mimikatz)"), 1, 0)
| eval NTLMHashType=if(match(CommandLineLower, "(-m\s*1000|-m\s*5600|-m\s*13100|--format=nt|--format=lm|--hash-type\s*nt)"), 1, 0)
| eval WordlistAttack=if(match(CommandLineLower, "(rockyou|wordlist\.txt|--wordlist|-w\s+\S+\.txt|passwords\.txt)"), 1, 0)
| eval AttackMode=if(match(CommandLineLower, "(--attack-mode|-a\s+[0-9]|brute.force|dictionary)"), 1, 0)
| eval CrackingArgs=if(match(CommandLineLower, "(--show|--pot-file|--rules|-hash-file|\.hash|hashes\.txt|hash\.txt|ntds\.dit)"), 1, 0)
| eval HydraArgs=if(match(CommandLineLower, "(hydra.*-l|-P\s+\S+\.txt|-C\s+\S+\.txt|hydra.*-t\s+[0-9]+)"), 1, 0)
| eval SuspicionScore=IsKnownCrackingTool + NTLMHashType + WordlistAttack + AttackMode + CrackingArgs + HydraArgs
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsKnownCrackingTool, NTLMHashType, WordlistAttack, AttackMode, CrackingArgs, HydraArgs, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Security researchers and penetration testers legitimately running Hashcat or John the Ripper on authorized systems
IT administrators using CrackMapExec for authorized network auditing or password policy testing
Red team exercises where password cracking tools are deployed on authorized test systems
Cybersecurity training labs where students practice with password cracking tools in controlled environments
Password policy compliance tools that check password strength by attempting dictionary attacks

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("hashcat", "hashcat.bin", "hashcat.exe", "john", "john.exe", "hydra", "hydra.exe", "thc-hydra", "crackmapexec", "ophcrack", "ophcrack.exe", "l0phtcrack", "pwdump", "fgdump", "mimikatz.exe", "ntdsutil.exe", "secretsdump.py")
  or process.args : ("--attack-mode", "-a 0", "-a 3", "-a 6", "-a 7", "--hash-type", "-m 1000", "-m 5600", "-m 13100", "--wordlist", "rockyou.txt", "--rules", "--show", "--format=NT", "--format=LM", "ntlm", "--pot-file", "-hash-file", "hashes.txt", "ntds.dit")
)

high severity high confidence

Data Sources

Endpoint (Elastic Agent) Sysmon via Filebeat Auditd (Linux)

Required Tables

logs-endpoint.events.process-* logs-system.security-* logs-windows.sysmon_operational-*

False Positives

Security researchers or penetration testers running authorized red team engagements on dedicated assessment workstations
IT administrators using CrackMapExec or Mimikatz as part of scheduled credential audit tooling in lab or staging environments
CTF (Capture the Flag) participants running Hashcat or John the Ripper on personal competition systems that feed into a SIEM

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 52, 94, 143)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(hashcat|john\.exe|hydra\.exe|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)'
    OR LOWER("Command") MATCHES '(--attack-mode|-a\s+[0-9]|--hash-type|-m\s+1000|-m\s+5600|-m\s+13100|--wordlist|rockyou|--format=nt|--format=lm|--pot-file|-hash-file|ntds\.dit|hashes\.txt|ntlm)'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log (4688) Sysmon (Event ID 1) CrowdStrike Falcon DSM Carbon Black DSM Endpoint DSM

Required Tables

events

False Positives

Authorized vulnerability assessment tools such as CrackMapExec deployed by internal red team or IT security in sanctioned test environments
Forensic workstations running password recovery tools on legally obtained evidence under chain-of-custody procedures
Development or QA systems running integration tests that invoke credential utilities as part of automated test suites

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmd nodrop
| parse field=Image "*" as image_path nodrop
| toLower(image_path) as image_lower
| toLower(cmd) as cmd_lower
| where
    image_lower matches "*(hashcat|john.exe|hydra|hydra.exe|crackmapexec|ophcrack|l0phtcrack|pwdump|fgdump|mimikatz|ntdsutil|secretsdump)*"
    or cmd_lower matches "*(--attack-mode|-a 0|-a 3|-a 6|-a 7|--hash-type|-m 1000|-m 5600|-m 13100|--wordlist|rockyou|--rules|--show|--format=nt|--format=lm|ntlm|--pot-file|-hash-file|hashes.txt|ntds.dit)*"
| eval IsKnownCrackingTool = if(image_lower matches "*(hashcat|john.exe|hydra|crackmapexec|ophcrack|mimikatz|ntdsutil|pwdump|fgdump)*", 1, 0)
| eval NTLMCracking = if(cmd_lower matches "*(-m 1000|-m 5600|-m 13100|--format=nt|--format=lm)*", 1, 0)
| eval WordlistAttack = if(cmd_lower matches "*(rockyou|wordlist|--wordlist|-w )*", 1, 0)
| eval AttackModeSet = if(cmd_lower matches "*(--attack-mode|-a 0|-a 3|-a 6|-a 7)*", 1, 0)
| eval SuspicionScore = IsKnownCrackingTool + NTLMCracking + WordlistAttack + AttackModeSet
| where SuspicionScore > 0
| fields _messagetime, host, User, image_path, cmd, IsKnownCrackingTool, NTLMCracking, WordlistAttack, AttackModeSet, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc

high severity high confidence

Data Sources

Sysmon via Sumo Logic Windows Agent Windows Security Event Log CrowdStrike Falcon via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Network administrators using Hydra for legitimate credential validation testing against internal services in pre-authorized scope
Security tooling pipelines that invoke Mimikatz or NTDSUtil as part of scheduled Active Directory health and credential hygiene audits
Research or sandbox environments where analysts deliberately execute cracking tools against known-safe hash sets for training or tooling evaluation

Google Chronicle / SecOps

yaral

rule t1110_002_password_cracking_tools {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known password cracking tools or characteristic cracking arguments including NTLM hash modes, wordlist attacks, and offline cracking utilities mapped to MITRE ATT&CK T1110.002"
    severity = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110.002"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(hashcat|john\.exe|hydra\.exe|thc-hydra|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)`) or
      re.regex($e.principal.process.command_line, `(?i)(--attack-mode|-a\s+[037]|--hash-type|-m\s+(1000|5600|13100)|--wordlist|rockyou\.txt|--rules|--show|--format=(NT|LM|nt|lm)|--pot-file|-hash-file|hashes\.txt|ntds\.dit|ntlm)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Endpoint telemetry via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Authorized red team operators executing password cracking tools as part of a scoped penetration test with documented change request
Digital forensics professionals running John the Ripper or Hashcat on evidence files in an isolated forensic lab environment
Security awareness or training programs where employees run cracking demonstrations on intentionally weak test credentials in a sandbox

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(hashcat|john\.exe|hydra\.exe|thc-hydra|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)/ OR
  CommandLine = /(?i)(--attack-mode|-a\s+[037]|--hash-type|-m\s+(1000|5600|13100)|--wordlist|rockyou\.txt|--format=(nt|lm)|--pot-file|-hash-file|hashes\.txt|ntds\.dit|ntlm)/
| IsKnownCrackingTool := if(ImageFileName = /(?i)(hashcat|john\.exe|hydra|crackmapexec|ophcrack|mimikatz|ntdsutil|pwdump|fgdump)/, "true", "false")
| NTLMCracking := if(CommandLine = /(?i)(-m\s*(1000|5600|13100)|--format=(nt|lm))/, "true", "false")
| WordlistUsed := if(CommandLine = /(?i)(rockyou|wordlist|--wordlist|-w\s+\S+\.txt)/, "true", "false")
| AttackModeSet := if(CommandLine = /(?i)(--attack-mode|-a\s+[037])/, "true", "false")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsKnownCrackingTool, NTLMCracking, WordlistUsed, AttackModeSet])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2) Falcon sensor endpoint telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike-excluded penetration testing VMs where red team tooling is explicitly allowlisted and process telemetry is still forwarded to LogScale
IT security teams running CrackMapExec or Impacket secretsdump against their own domain controllers under a formal security assessment scope
Threat intelligence analysts executing cracking tools in an isolated malware analysis environment whose sensor data feeds into production LogScale

Password Cracking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections