T1110.002 Sumo Logic CSE · Sumo

Detect Password Cracking in Sumo Logic CSE

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, once credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, which may then be cracked offline on adversary-controlled systems. Techniques include dictionary attacks, brute force, and rainbow table lookups. Tools like Hashcat, John the Ripper, and Hydra are commonly used. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.002 Password Cracking
Canonical reference
https://attack.mitre.org/techniques/T1110/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Process-creation events from Sysmon (Event ID 1) and Windows Security (Event ID 4688)
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventID in ("1", "4688")
| CommandLine as cmd
| Image as image_path
| toLowerCase(image_path) as image_lower
| toLowerCase(cmd) as cmd_lower
// Broad pre-filter: known cracking binaries or cracking-style command-line arguments
| where
    image_lower matches /(hashcat|john\.exe|hydra|hydra\.exe|crackmapexec|ophcrack|l0phtcrack|pwdump|fgdump|mimikatz|ntdsutil|secretsdump)/
    or cmd_lower matches /(--attack-mode|-a 0|-a 3|-a 6|-a 7|--hash-type|-m 1000|-m 5600|-m 13100|--wordlist|rockyou|--rules|--show|--format=nt|--format=lm|ntlm|--pot-file|-hash-file|hashes\.txt|ntds\.dit)/
// Score each event on four independent signals
| if(image_lower matches /(hashcat|john\.exe|hydra|crackmapexec|ophcrack|mimikatz|ntdsutil|pwdump|fgdump)/, 1, 0) as IsKnownCrackingTool
| if(cmd_lower matches /(-m 1000|-m 5600|-m 13100|--format=nt|--format=lm)/, 1, 0) as NTLMCracking
| if(cmd_lower matches /(rockyou|wordlist|--wordlist|-w )/, 1, 0) as WordlistAttack
| if(cmd_lower matches /(--attack-mode|-a 0|-a 3|-a 6|-a 7)/, 1, 0) as AttackModeSet
| IsKnownCrackingTool + NTLMCracking + WordlistAttack + AttackModeSet as SuspicionScore
| where SuspicionScore > 0
| fields _messagetime, host, User, image_path, cmd, IsKnownCrackingTool, NTLMCracking, WordlistAttack, AttackModeSet, SuspicionScore
| sort by SuspicionScore desc, _messagetime desc

Severity: high · Confidence: high

This Sumo Logic query detects password-cracking tool execution from Sysmon Event ID 1 and Windows Security Event ID 4688 process-creation events. Each event is scored across four dimensions: known cracking binary, NTLM hash-mode flags, wordlist usage, and attack-mode arguments. Events with any positive signal are returned, sorted by suspicion score.

Data Sources

  • Sysmon via Sumo Logic Windows Agent
  • Windows Security Event Log
  • CrowdStrike Falcon via Sumo Logic

Required Tables

  • windows/sysmon
  • windows/security

False Positives & Tuning

  • Network administrators using Hydra for legitimate credential validation testing against internal services in pre-authorized scope
  • Security tooling pipelines that invoke Mimikatz or NTDSUtil as part of scheduled Active Directory health and credential hygiene audits
  • Research or sandbox environments where analysts deliberately execute cracking tools against known-safe hash sets for training or tooling evaluation

Testing Methodology

Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Hashcat NTLM Hash Cracking Simulation

    Expected signal: Sysmon Event ID 1: Process Create with Image=hashcat.exe, CommandLine containing '-m 1000', '-a 0', 'test_hashes.txt', and '--potfile-path'. Sysmon Event ID 11: File creation events for test_hashes.txt, test_wordlist.txt, and test.potfile. Security Event ID 4688 (if command-line auditing is enabled) with the same details.

  2. Test 2: John the Ripper Password Hash Cracking

    Expected signal: Linux auditd execve syscall events showing execution of the john binary with the --wordlist and --format=sha512crypt arguments and the /tmp/test_shadow.txt file path. Syslog entries from auditd showing process creation. ~/.john/john.pot is created on a successful crack.

  3. Test 3: CrackMapExec with Credential Spraying Post-Crack

    Expected signal: Sysmon Event ID 1: Process Create with Image=crackmapexec.exe or cme.exe, CommandLine containing 'smb', '-u testuser', '-p'. Sysmon Event ID 3: Network Connection to 127.0.0.1:445. Security Event ID 4625 (failed logon) or 4624 (successful logon) for the test authentication attempt against localhost.

  4. Test 4: NTDS.dit Extraction via NTDSUtil IFM

    Expected signal: Sysmon Event ID 1: Process Create with Image=ntdsutil.exe, CommandLine containing 'ac i ntds', 'ifm', 'create full'. Sysmon Event ID 11: Multiple file creation events under the output directory including ntds.dit and SYSTEM hive. Security Event ID 4688 for ntdsutil.exe with command line. Security Event ID 4663 for ntds.dit file access on the domain controller.
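To check the scoring logic of the detection query and the expected signals of the tests above offline, here is the same four-dimension scoring reimplemented in Python. This is an added example, not part of this page or Sumo Logic's own code; the event field names and sample values are constructed assumptions modelled on Tests 1 and 4, and the query's broad pre-filter is omitted because requiring SuspicionScore > 0 already subsumes it.

```python
import re

# Regexes mirror the four scoring dimensions of the Sumo query above
# (the broad pre-filter is redundant once SuspicionScore > 0 is required).
KNOWN_TOOL = re.compile(r"(hashcat|john\.exe|hydra|crackmapexec|ophcrack|mimikatz|ntdsutil|pwdump|fgdump)")
NTLM_MODE = re.compile(r"(-m 1000|-m 5600|-m 13100|--format=nt|--format=lm)")
WORDLIST = re.compile(r"(rockyou|wordlist|--wordlist|-w )")
ATTACK_MODE = re.compile(r"(--attack-mode|-a 0|-a 3|-a 6|-a 7)")

def score_event(event):
    """Return the four flags plus SuspicionScore for one process-creation event,
    or None when the event is not a Sysmon 1 / Security 4688 record."""
    if str(event.get("EventID")) not in ("1", "4688"):
        return None
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    flags = {
        "IsKnownCrackingTool": int(bool(KNOWN_TOOL.search(image))),
        "NTLMCracking": int(bool(NTLM_MODE.search(cmd))),
        "WordlistAttack": int(bool(WORDLIST.search(cmd))),
        "AttackModeSet": int(bool(ATTACK_MODE.search(cmd))),
    }
    flags["SuspicionScore"] = sum(flags.values())
    return flags

def detect(events):
    """Keep events with any positive signal, sorted by score then time, newest first."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s and s["SuspicionScore"] > 0:
            hits.append({**ev, **s})
    hits.sort(key=lambda e: (e["SuspicionScore"], e["_messagetime"]), reverse=True)
    return hits

# Constructed sample events (not real telemetry), modelled on Tests 1 and 4 above,
# plus a benign process that must not alert. Field names are assumptions.
SAMPLE_EVENTS = [
    {"_messagetime": 1700000000, "EventID": "1", "host": "WS01", "User": "lab\\analyst",
     "Image": "C:\\Tools\\hashcat\\hashcat.exe",
     "CommandLine": "hashcat.exe -m 1000 -a 0 test_hashes.txt test_wordlist.txt --potfile-path test.potfile"},
    {"_messagetime": 1700000100, "EventID": "4688", "host": "DC01", "User": "lab\\admin",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\ifm\" q q"},
    {"_messagetime": 1700000200, "EventID": "1", "host": "WS02", "User": "lab\\user",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The Test 1 event scores on all four dimensions, the Test 4 event only on the known-binary dimension, and the benign event is dropped; a real deployment would feed parsed Sysmon/4688 records in place of SAMPLE_EVENTS.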
