Detect Password Cracking in Google Chronicle
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1110 Brute Force
- Sub-technique
- T1110.002 Password Cracking
- Canonical reference
- https://attack.mitre.org/techniques/T1110/002/
YARA-L Detection Query
rule t1110_002_password_cracking_tools {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects execution of known password cracking tools or characteristic cracking arguments including NTLM hash modes, wordlist attacks, and offline cracking utilities mapped to MITRE ATT&CK T1110.002"
    severity = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110.002"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path, `(?i)(hashcat|john\.exe|hydra\.exe|thc-hydra|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)`) or
      re.regex($e.principal.process.command_line, `(?i)(--attack-mode|-a\s+[037]|--hash-type|-m\s+(1000|5600|13100)|--wordlist|rockyou\.txt|--rules|--show|--format=(NT|LM|nt|lm)|--pot-file|-hash-file|hashes\.txt|ntds\.dit|ntlm)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting password cracking tool execution by matching against known binary names in process file paths and characteristic command-line arguments for Hashcat NTLM hash modes (-m 1000/5600/13100), wordlist references (rockyou.txt), attack mode flags, and other cracking utility indicators. Maps to MITRE ATT&CK T1110.002.
False Positives & Tuning
- Authorized red team operators executing password cracking tools as part of a scoped penetration test with documented change request
- Digital forensics professionals running John the Ripper or Hashcat on evidence files in an isolated forensic lab environment
- Security awareness or training programs where employees run cracking demonstrations on intentionally weak test credentials in a sandbox
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Hashcat NTLM Hash Cracking Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command line auditing enabled) with same details.
- Test 2: John the Ripper Password Hash Cracking
Expected signal: Linux auditd execve syscall events showing john binary execution with --wordlist, --format=sha512crypt arguments and /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot created on successful crack.
- Test 3: CrackMapExec with Credential Spraying Post-Crack
Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.
- Test 4: NTDS.dit Extraction via NTDSUtil IFM
Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.
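To see which clauses of the YARA-L rule above fire on the telemetry these tests are expected to produce, here is an added Python prototype (not Chronicle's evaluator and not part of the original detection package) that applies the rule's two regexes to constructed UDM-shaped events modelled on the Test 1, 3 and 4 expected signals; the event dict layout, file paths and the two extra tuning cases are assumptions.

```python
import re

# Regexes copied verbatim from the YARA-L rule; RE2 and Python's re agree on this subset.
PATH_RE = re.compile(
    r"(?i)(hashcat|john\.exe|hydra\.exe|thc-hydra|crackmapexec|ophcrack\.exe|l0phtcrack"
    r"|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)"
)
CMD_RE = re.compile(
    r"(?i)(--attack-mode|-a\s+[037]|--hash-type|-m\s+(1000|5600|13100)|--wordlist|rockyou\.txt"
    r"|--rules|--show|--format=(NT|LM|nt|lm)|--pot-file|-hash-file|hashes\.txt|ntds\.dit|ntlm)"
)


def make_event(full_path, command_line, event_type="PROCESS_LAUNCH"):
    """Build a minimal UDM-shaped event (assumed layout) with only the fields the rule reads."""
    return {
        "metadata": {"event_type": event_type},
        "principal": {"process": {"file": {"full_path": full_path},
                                  "command_line": command_line}},
    }


def matches_rule(event):
    """Return the rule clauses this event satisfies; an empty list means no alert."""
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return []
    proc = event.get("principal", {}).get("process", {})
    hits = []
    m = PATH_RE.search(proc.get("file", {}).get("full_path", ""))
    if m:
        hits.append("path:" + m.group(1))
    m = CMD_RE.search(proc.get("command_line", ""))
    if m:
        hits.append("cmdline:" + m.group(1))
    return hits


# Constructed sample events: three modelled on the Testing Methodology expected signals,
# plus a benign command line that merely mentions NTLM and a non-launch event type.
SAMPLE_EVENTS = {
    "test1_hashcat": make_event(r"C:\tools\hashcat.exe",
        "hashcat.exe -m 1000 -a 0 test_hashes.txt test_wordlist.txt --potfile-path test.potfile"),
    "test3_cme_alias": make_event(r"C:\tools\cme.exe", "cme.exe smb 127.0.0.1 -u testuser -p <redacted>"),
    "test4_ntdsutil": make_event(r"C:\Windows\System32\ntdsutil.exe",
        'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\ifm_out" q q'),
    "benign_ntlm_doc": make_event(r"C:\Windows\System32\notepad.exe", "notepad.exe NTLM_migration_notes.txt"),
    "not_a_launch": make_event(r"C:\tools\hashcat.exe", "hashcat.exe -m 1000 -a 0 test_hashes.txt", "FILE_CREATION"),
}


def triage(events=SAMPLE_EVENTS):
    """Map each sample name to the clauses it fires, mirroring how the rule's condition evaluates."""
    return {name: matches_rule(ev) for name, ev in events.items()}
```

Running `triage()` exposes two tuning points that follow directly from the regexes: the `cme.exe` alias listed in the Test 3 expected signal is not in the path pattern, so that test only alerts through the command line, and the bare `ntlm` term fires on any command line containing the string NTLM.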
References
- https://attack.mitre.org/techniques/T1110/002/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://en.wikipedia.org/wiki/Password_cracking
- https://hashcat.net/wiki/doku.php?id=hashcat
- https://www.openwall.com/john/
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md
- https://www.fireeye.com/blog/threat-research/2016/04/fin6-cybercrime-gang.html
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa18-074a
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation