T1110.002 IBM QRadar · QRadar

Detect Password Cracking in IBM QRadar

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.002 Password Cracking
Canonical reference
https://attack.mitre.org/techniques/T1110/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command"
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 52, 94, 143)
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(hashcat|john\.exe|hydra\.exe|crackmapexec|ophcrack\.exe|l0phtcrack|pwdump|fgdump|mimikatz\.exe|ntdsutil\.exe|secretsdump)'
    OR LOWER("Command") MATCHES '(--attack-mode|-a\s+[0-9]|--hash-type|-m\s+1000|-m\s+5600|-m\s+13100|--wordlist|rockyou|--format=nt|--format=lm|--pot-file|-hash-file|ntds\.dit|hashes\.txt|ntlm)'
  )
ORDER BY devicetime DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL query detecting password cracking tool execution and characteristic arguments via Windows Security (EventID 4688), Sysmon process create events, and endpoint log sources. Matches known cracking binaries and Hashcat/John/Hydra argument patterns including NTLM hash modes and wordlist references.

Data Sources

Windows Security Event Log (4688)Sysmon (Event ID 1)CrowdStrike Falcon DSMCarbon Black DSMEndpoint DSM

Required Tables

events

False Positives & Tuning

  • Authorized vulnerability assessment tools such as CrackMapExec deployed by internal red team or IT security in sanctioned test environments
  • Forensic workstations running password recovery tools on legally obtained evidence under chain-of-custody procedures
  • Development or QA systems running integration tests that invoke credential utilities as part of automated test suites
Download portable Sigma rule (.yml)

Other platforms for T1110.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Hashcat NTLM Hash Cracking Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command line auditing enabled) with same details.

  2. Test 2John the Ripper Password Hash Cracking

    Expected signal: Linux auditd execve syscall events showing john binary execution with --wordlist, --format=sha512crypt arguments and /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot created on successful crack.

  3. Test 3CrackMapExec with Credential Spraying Post-Crack

    Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.

  4. Test 4NTDS.dit Extraction via NTDSUtil IFM

    Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.

Last updated: 2026-04-17 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1110.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110Brute Force

Related Sub-techniques

T1110.001Password GuessingT1110.003Password SprayingT1110.004Credential Stuffing

Related Techniques

T1110Brute ForceT1110.001Password GuessingT1003OS Credential DumpingT1003.001LSASS MemoryT1003.002Security Account ManagerT1003.003NTDST1558.003KerberoastingT1550.002Pass the HashT1602Data from Configuration RepositoryT1021.002SMB/Windows Admin SharesT1078Valid Accounts

Same Tactic: Credential Access

Popular Detections