Skip to content

Hide Navigation Hide TOC

Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485)

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:

Windows Systems:

  • Use Group Policy Management Console (GPMC) to configure:
    • Minimum password length (e.g., 12+ characters).
    • Password complexity requirements.
    • Password history (e.g., disallow last 24 passwords).
    • Account lockout duration and thresholds.

Linux Systems:

  • Configure Pluggable Authentication Modules (PAM):
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.

Password Managers:

  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

Tools for Implementation

Windows:

  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.

Cross-Platform:

  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
Cluster A Galaxy A Cluster B Galaxy B Level
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 1
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 1
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 2
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 2