title: Password Cracking (T1110.002)
id: df00tech-t1110-002
status: experimental
description: "Adversaries may use password cracking to recover usable credentials, such as plaintext passwords, once credential material such as password hashes has been obtained. OS Credential Dumping can be used to obtain password hashes, which are then typically cracked offline on adversary-controlled systems outside the target network. Techniques include dictionary attacks, brute force, and rainbow table lookups. Hashcat and John the Ripper are the offline crackers most commonly seen; Hydra, by contrast, guesses passwords against live services and belongs to online brute forcing rather than this sub-technique. Groups such as APT3, FIN6, Dragonfly, and Salt Typhoon have all leveraged password cracking in their operations."
references:
  - https://attack.mitre.org/techniques/T1110/002/
  - https://df00tech.com/detections/T1110.002
author: df00tech
date: 2026/04/17
tags:
  - attack.t1110.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the upstream detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, `EventID: '*'` matches every process_creation event, so this rule will fire on every
  # process start. Do not deploy it at level high until the selection is replaced, for example with
  # the cracking tool names already listed under falsepositives (hashcat, john, crackmapexec) as
  # Image|endswith / CommandLine|contains conditions.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security researchers and penetration testers legitimately running Hashcat or John the Ripper on authorized systems
  - IT administrators using CrackMapExec for authorized network auditing or password policy testing
  - Red team exercises where password cracking tools are deployed on authorized test systems
  - Cybersecurity training labs where students practice with password cracking tools in controlled environments
  - Password policy compliance tools that check password strength by attempting dictionary attacks
level: high
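The following is an added example, not part of the df00tech rule or of the Sigma project: a minimal matcher for the three Sigma field forms it needs (plain wildcard value, `|endswith`, `|contains`) run over a constructed batch of Windows process_creation events. It shows why the placeholder `EventID: '*'` selection fires on every event, and what a tool-name selection built from the tools the rule itself names (hashcat, john, crackmapexec) matches instead. Field names follow the Sigma process_creation taxonomy (EventID, Image, CommandLine); the sample events, paths and command lines are invented for the example, and the matcher is a teaching subset, not pySigma.

```python
"""Evaluate Sigma-style process_creation selections over constructed events.

Added example (not the rule's own code): a small matcher covering plain
wildcard values, |endswith and |contains, applied to invented Windows
process_creation events. Sigma semantics reproduced here: values in a list
are OR-ed, fields within a selection are AND-ed, string matching is
case-insensitive.
"""
import fnmatch
from typing import Any

# Constructed sample events (not real telemetry). EventID 1 is Sysmon process
# creation, 4688 is the Windows Security log equivalent.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Tools\hashcat\hashcat.exe",
     "CommandLine": "hashcat.exe -m 1000 ntds.txt rockyou.txt"},
    {"EventID": 4688, "Image": r"C:\Users\a\john\run\john.exe",
     "CommandLine": "john.exe --format=NT hashes.txt"},
    {"EventID": 4688, "Image": r"C:\Python311\python.exe",
     "CommandLine": "python.exe crackmapexec smb 10.0.0.0/24"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
]

# The rule's placeholder selection, exactly as it appears in the YAML.
PLACEHOLDER_SELECTION: dict[str, Any] = {"EventID": "*"}

# Tool-name selections built from the tools the rule names. These are a
# starting point for tuning, not a vetted detection.
TOOL_NAME_SELECTION: dict[str, Any] = {
    "Image|endswith": ["\\hashcat.exe", "\\john.exe"],
}
CMDLINE_SELECTION: dict[str, Any] = {
    "CommandLine|contains": ["hashcat", "john.exe", "crackmapexec"],
}


def _field_matches(value: Any, modifier: str, patterns: list[Any]) -> bool:
    """OR across listed patterns; plain values use Sigma's * and ? wildcards."""
    text = str(value).lower()
    for pat in patterns:
        p = str(pat).lower()
        if modifier == "" and fnmatch.fnmatchcase(text, p):
            return True
        if modifier == "endswith" and text.endswith(p):
            return True
        if modifier == "contains" and p in text:
            return True
    return False


def matches(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """AND across fields; a field missing from the event never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _field_matches(event[field], modifier, patterns):
            return False
    return True


def run_rule(selection: dict[str, Any], events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """`condition: selection` -- every event the single selection matches."""
    return [e for e in events if matches(e, selection)]


def run_detection(selections: dict[str, dict[str, Any]], any_of: list[str],
                  events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """`condition: a or b` -- an event fires if any named selection matches."""
    return [e for e in events if any(matches(e, selections[n]) for n in any_of)]


def hit_rate(selection: dict[str, Any], events: list[dict[str, Any]]) -> float:
    """Fraction of events the selection fires on; 1.0 means it is a no-op filter."""
    return len(run_rule(selection, events)) / len(events)


if __name__ == "__main__":
    print(f"placeholder selection fires on {hit_rate(PLACEHOLDER_SELECTION, SAMPLE_EVENTS):.0%} of events")
    hits = run_detection({"image": TOOL_NAME_SELECTION, "cmdline": CMDLINE_SELECTION},
                         ["image", "cmdline"], SAMPLE_EVENTS)
    for e in hits:
        print("tool-name hit:", e["CommandLine"])
```

The placeholder fires on all five constructed events, which is the practical meaning of `EventID: '*'` at level high. The tool-name selections fire on the hashcat and john invocations and, through the CommandLine clause, on the crackmapexec run the rule's falsepositives list already anticipates; binaries renamed by the operator are missed, which is the usual caveat for any name-based process_creation rule.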
