title: Password Policy Discovery (T1201)
id: df00tech-t1201
status: experimental
description: "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies enforce complexity requirements that make passwords harder to guess or crack through brute force. By discovering lockout thresholds, minimum length, and complexity rules, adversaries can tailor dictionary and brute force attacks to comply with the policy — maximizing credential testing while avoiding account lockout. Discovery occurs via command-line utilities (net accounts, Get-ADDefaultDomainPasswordPolicy, chage, pwpolicy), cloud APIs (AWS GetAccountPasswordPolicy), and network device CLIs. This technique is commonly observed in the early reconnaissance phase of intrusions by groups including OilRig, Turla, and Chimera."
references:
  - https://attack.mitre.org/techniques/T1201/
  - https://df00tech.com/detections/T1201
author: df00tech
date: 2026/04/19
tags:
  - attack.t1201
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators running 'net accounts /domain' for routine password policy audits or compliance checks"
  - "Security tools and vulnerability scanners (Nessus, Qualys, CIS-CAT) that enumerate password policy as part of baseline hardening assessments"
  - "Active Directory management scripts and monitoring agents (e.g., Azure AD Connect health, SIEM onboarding scripts) that periodically query domain password policy"
  - Help desk staff using net accounts to verify lockout policy before resetting a locked account
  - "Automated identity governance platforms (SailPoint, Saviynt) querying fine-grained password policies during access reviews"
level: low