Detect Password Cracking in Splunk
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1110 Brute Force
- Sub-technique
- T1110.002 Password Cracking
- Canonical reference
- https://attack.mitre.org/techniques/T1110/002/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval IsKnownCrackingTool=if(match(ImageLower, "(hashcat|john\.exe|hydra|crackmapexec|ophcrack|l0phtcrack|pwdump|fgdump|mimikatz)"), 1, 0)
| eval NTLMHashType=if(match(CommandLineLower, "(-m\s*1000|-m\s*5600|-m\s*13100|--format=nt|--format=lm|--hash-type\s*nt)"), 1, 0)
| eval WordlistAttack=if(match(CommandLineLower, "(rockyou|wordlist\.txt|--wordlist|-w\s+\S+\.txt|passwords\.txt)"), 1, 0)
| eval AttackMode=if(match(CommandLineLower, "(--attack-mode|-a\s+[0-9]|brute.force|dictionary)"), 1, 0)
| eval CrackingArgs=if(match(CommandLineLower, "(--show|--pot-file|--rules|-hash-file|\.hash|hashes\.txt|hash\.txt|ntds\.dit)"), 1, 0)
| eval HydraArgs=if(match(CommandLineLower, "(hydra.*-l|-P\s+\S+\.txt|-C\s+\S+\.txt|hydra.*-t\s+[0-9]+)"), 1, 0)
| eval SuspicionScore=IsKnownCrackingTool + NTLMHashType + WordlistAttack + AttackMode + CrackingArgs + HydraArgs
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
IsKnownCrackingTool, NTLMHashType, WordlistAttack, AttackMode, CrackingArgs, HydraArgs, SuspicionScore
| sort - SuspicionScore, - _timeDetects password cracking tool execution using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688 logs. Evaluates process image names and command lines against known password cracking tools (Hashcat, John the Ripper, Hydra, CrackMapExec, Ophcrack) and associated argument patterns (NTLM hash types, wordlist attacks, attack modes, hash files). Assigns a cumulative suspicion score across six indicator categories to help prioritize high-confidence detections.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Security researchers and penetration testers legitimately running Hashcat or John the Ripper on authorized systems
- IT administrators using CrackMapExec for authorized network auditing or password policy testing
- Red team exercises where password cracking tools are deployed on authorized test systems
- Cybersecurity training labs where students practice with password cracking tools in controlled environments
- Password policy compliance tools that check password strength by attempting dictionary attacks
Other platforms for T1110.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Hashcat NTLM Hash Cracking Simulation
Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command line auditing enabled) with same details.
- Test 2John the Ripper Password Hash Cracking
Expected signal: Linux auditd execve syscall events showing john binary execution with --wordlist, --format=sha512crypt arguments and /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot created on successful crack.
- Test 3CrackMapExec with Credential Spraying Post-Crack
Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.
- Test 4NTDS.dit Extraction via NTDSUtil IFM
Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.
References (10)
- https://attack.mitre.org/techniques/T1110/002/
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://en.wikipedia.org/wiki/Password_cracking
- https://hashcat.net/wiki/doku.php?id=hashcat
- https://www.openwall.com/john/
- https://github.com/byt3bl33d3r/CrackMapExec
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md
- https://www.fireeye.com/blog/threat-research/2016/04/fin6-cybercrime-gang.html
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa18-074a
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1110.002 including response playbook, investigation guide, and atomic red team tests.