Detection of Password Weaknesses

high

Language:

Description

Multiple problems can arise with Active Directory account passwords (insufficient complexity, obsolete cryptography, blank, reused, leaked...), leading to a decrease in Active Directory security by allowing "brute-force", "password spraying" and "lateral movement" attacks.

Solution

Good administrative practices for domain user passwords involve using strong and unique passwords, avoiding unchanged default values that relate to domain-authenticated accounts, and securely storing passwords with robust algorithms.

See Also

The 773 Million Record "Collection #1" Data Breach

The Default Password Threat

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

Indicator Details

Name: Detection of Password Weaknesses

Codename: C-PASSWORD-HASHES-ANALYSIS

Severity: High

Type: Active Directory Indicator of Exposure

MITRE ATT&CK Information:

Tactic: TA0001 - Initial Access
- Techniques: T1078 - Valid Accounts
Tactic: TA0004 - Privilege Escalation
- Techniques: T1078 - Valid Accounts
Tactic: TA0006 - Credential Access
- Techniques: T1110 - Brute Force

Attacker Known Tools

ropnop: Kerbrute - A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication

OpenWall: John the Ripper - A fast password cracker

Jens Steube, Gabriele Gristina: hashcat - advanced password recovery tool