T1110.002 CrowdStrike LogScale · LogScale

Detect Password Cracking in CrowdStrike LogScale

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.002 Password Cracking
Canonical reference
https://attack.mitre.org/techniques/T1110/002/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(hashcat|john\.exe|hydra\.exe|thc-hydra|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)/ OR
  CommandLine = /(?i)(--attack-mode|-a\s+[037]|--hash-type|-m\s+(1000|5600|13100)|--wordlist|rockyou\.txt|--format=(nt|lm)|--pot-file|-hash-file|hashes\.txt|ntds\.dit|ntlm)/
| IsKnownCrackingTool := if(ImageFileName = /(?i)(hashcat|john\.exe|hydra|crackmapexec|ophcrack|mimikatz|ntdsutil|pwdump|fgdump)/, "true", "false")
| NTLMCracking := if(CommandLine = /(?i)(-m\s*(1000|5600|13100)|--format=(nt|lm))/, "true", "false")
| WordlistUsed := if(CommandLine = /(?i)(rockyou|wordlist|--wordlist|-w\s+\S+\.txt)/, "true", "false")
| AttackModeSet := if(CommandLine = /(?i)(--attack-mode|-a\s+[037])/, "true", "false")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsKnownCrackingTool, NTLMCracking, WordlistUsed, AttackModeSet])
| sort(timestamp, order=desc)
high severity high confidence

CrowdStrike LogScale (Falcon) detection using ProcessRollup2 events to identify password cracking tool execution and characteristic arguments. Enriches matches with boolean indicators for known tool binary names, NTLM hash cracking modes, wordlist attack patterns, and Hashcat attack mode flags. Covers Hashcat, John the Ripper, Hydra, Mimikatz, and related utilities.

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2)Falcon sensor endpoint telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike-excluded penetration testing VMs where red team tooling is explicitly allowlisted and process telemetry is still forwarded to LogScale
  • IT security teams running CrackMapExec or Impacket secretsdump against their own domain controllers under a formal security assessment scope
  • Threat intelligence analysts executing cracking tools in an isolated malware analysis environment whose sensor data feeds into production LogScale
Download portable Sigma rule (.yml)

Other platforms for T1110.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hashcat NTLM Hash Cracking Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command line auditing enabled) with same details.

  2. Test 2John the Ripper Password Hash Cracking

    Expected signal: Linux auditd execve syscall events showing john binary execution with --wordlist, --format=sha512crypt arguments and /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot created on successful crack.

  3. Test 3CrackMapExec with Credential Spraying Post-Crack

    Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.

  4. Test 4NTDS.dit Extraction via NTDSUtil IFM

    Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.

Last updated: 2026-04-17 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1110.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110Brute Force

Related Sub-techniques

T1110.001Password GuessingT1110.003Password SprayingT1110.004Credential Stuffing

Related Techniques

T1110Brute ForceT1110.001Password GuessingT1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1558.003KerberoastingT1550.002Pass the HashT1602Data from Configuration RepositoryT1021.002SMB/Windows Admin SharesT1078Valid Accounts

Same Tactic: Credential Access

Popular Detections