Brute Force: Password Cracking

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[1] The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.

ID: T1110.002
Sub-technique of:  T1110
Tactic: Credential Access
Platforms: Azure AD, Linux, Office 365, Windows, macOS
Permissions Required: User
Data Sources: Authentication logs, Office 365 account logs
Version: 1.1
Created: 11 February 2020
Last Modified: 16 September 2020

Procedure Examples

Name Description

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[2]


APT41 performed password brute-force attacks on the local admin account.[3]

Dragonfly 2.0

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.[4][5][6]


FIN6 has extracted password hashes from ntds.dit to crack offline.[7]

Net Crawler

Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[8]


Mitigation Description
Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Password Policies

Refer to NIST guidelines when creating password policies. [9]


It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as OS Credential Dumping or Kerberoasting.