T1110.002 Elastic Security · Elastic

Detect Password Cracking in Elastic Security

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.002 Password Cracking
Canonical reference
https://attack.mitre.org/techniques/T1110/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
process where event.type == "start" and (
  process.name in~ ("hashcat", "hashcat.bin", "hashcat.exe", "john", "john.exe", "hydra", "hydra.exe", "thc-hydra", "crackmapexec", "ophcrack", "ophcrack.exe", "l0phtcrack", "pwdump", "fgdump", "mimikatz.exe", "ntdsutil.exe", "secretsdump.py")
  or process.args : ("--attack-mode", "-a 0", "-a 3", "-a 6", "-a 7", "--hash-type", "-m 1000", "-m 5600", "-m 13100", "--wordlist", "rockyou.txt", "--rules", "--show", "--format=NT", "--format=LM", "ntlm", "--pot-file", "-hash-file", "hashes.txt", "ntds.dit")
)
high severity high confidence

Detects execution of known password cracking tools (Hashcat, John the Ripper, Hydra, Mimikatz, etc.) or command-line arguments associated with offline and online password cracking activity, including NTLM hash cracking modes, wordlist attacks, and credential dumping utilities.

Data Sources

Endpoint (Elastic Agent)Sysmon via FilebeatAuditd (Linux)

Required Tables

logs-endpoint.events.process-*logs-system.security-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Security researchers or penetration testers running authorized red team engagements on dedicated assessment workstations
  • IT administrators using CrackMapExec or Mimikatz as part of scheduled credential audit tooling in lab or staging environments
  • CTF (Capture the Flag) participants running Hashcat or John the Ripper on personal competition systems that feed into a SIEM
Download portable Sigma rule (.yml)

Other platforms for T1110.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hashcat NTLM Hash Cracking Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command line auditing enabled) with same details.

  2. Test 2John the Ripper Password Hash Cracking

    Expected signal: Linux auditd execve syscall events showing john binary execution with --wordlist, --format=sha512crypt arguments and /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot created on successful crack.

  3. Test 3CrackMapExec with Credential Spraying Post-Crack

    Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.

  4. Test 4NTDS.dit Extraction via NTDSUtil IFM

    Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.

Last updated: 2026-04-17 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1110.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110Brute Force

Related Sub-techniques

T1110.001Password GuessingT1110.003Password SprayingT1110.004Credential Stuffing

Related Techniques

T1110Brute ForceT1110.001Password GuessingT1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1558.003KerberoastingT1550.002Pass the HashT1602Data from Configuration RepositoryT1021.002SMB/Windows Admin SharesT1078Valid Accounts

Same Tactic: Credential Access

Popular Detections