AN0292: Analytic 0292
Use of hash-cracking tools (e.g., John the Ripper, Hashcat) after credential dumping, combined with high CPU usage or GPU invocation via unsigned binaries accessing password hash files
Analyst context for executives and security teams
AN0292 is a Windows-focused detection analytic concept for spotting possible password hash cracking activity after credential dumping. Its business value is that it points to a critical escalation point in an intrusion: dumped credentials may become usable passwords, increasing risk to identity systems, privileged access, incident containment, and operational continuity.
Executive priority
Treat this as an identity-risk and incident-response readiness validation item. Leaders should ask whether the organization can see suspicious use of hash-cracking tools, abnormal CPU/GPU activity, unsigned binaries, and access to password hash files on Windows systems. The priority is not just detecting a tool name, but proving that credential-theft follow-on activity would generate evidence fast enough to support containment, password resets, privileged account review, and audit-ready incident decisions.
Technical view
For SOC, detection engineering, and IR teams, validate Windows telemetry that can correlate three elements described by MITRE: use of hash-cracking tools such as John the Ripper or Hashcat, high CPU usage or GPU invocation, and unsigned binaries accessing password hash files. Because ATT&CK provides no official detection logic and no relationship context for this analytic, teams should avoid relying only on static tool names. Build or test analytics around process execution, binary signing status, file access to credential/hash material, and resource-utilization anomalies, then tune against legitimate administrative, security testing, or research activity.
Likely telemetry
- Windows process creation and command-line telemetry
- Binary signing or file reputation metadata for executed programs
- File access events involving password hash files or credential-related artifacts
- CPU utilization and process resource-usage telemetry
- GPU invocation or GPU compute activity telemetry where available
Detection direction
- Confirm whether telemetry exists to connect unsigned binary execution with access to password hash files and unusual CPU or GPU activity on Windows endpoints.
- Tune for combinations of behaviors rather than only known tool names, because tool renaming or alternate binaries can reduce name-based detection value.
- Establish allowlists or context for approved password-audit, red-team, forensic, or research activity to reduce false positives.
- Prioritize investigation when this behavior appears after suspected credential dumping, even though no ATT&CK relationships were supplied for this object.
- Document gaps where GPU telemetry, binary signing metadata, or sensitive file-access auditing is unavailable.
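As an added illustration of the correlation described above (example code written for this page, not MITRE's or Glexia's content), the Python sketch below joins process-creation, file-read and CPU/GPU telemetry per process and raises an alert only when all three elements line up; the event schema, the hash-material path fragments, the CPU threshold and the allowlist mechanism are assumptions.

```python
from collections import defaultdict

# Constructed sample Windows endpoint telemetry (not from the page): process
# creation with signing status, file reads, and per-process CPU/GPU samples.
EVENTS = [
    {"type": "process", "pid": 101, "image": r"C:\Users\bob\Downloads\hc.exe", "signed": False},
    {"type": "file_read", "pid": 101, "path": r"C:\Temp\ntds.dit"},
    {"type": "cpu", "pid": 101, "pct": 97},
    {"type": "gpu", "pid": 101},
    {"type": "process", "pid": 202, "image": r"C:\Program Files\Vendor\backup.exe", "signed": True},
    {"type": "file_read", "pid": 202, "path": r"C:\Windows\NTDS\ntds.dit"},
    {"type": "cpu", "pid": 202, "pct": 91},
    {"type": "process", "pid": 303, "image": r"C:\Tools\render.exe", "signed": False},
    {"type": "cpu", "pid": 303, "pct": 99},
]

# Path fragments that indicate password hash material (assumed list; extend locally).
HASH_MATERIAL = ("ntds.dit", r"\config\sam", r"\config\system", "hashes.txt", "pwdump")
CPU_THRESHOLD = 85  # percent; tune against local baselines

def is_hash_material(path):
    return any(m in path.lower() for m in HASH_MATERIAL)

def correlate(events, allowlist=frozenset(), cpu_threshold=CPU_THRESHOLD):
    """Return one alert per process that is unsigned, reads hash material, and
    shows high CPU or any GPU use. Allowlisted image paths (approved password
    audits, red-team or forensic tooling) are suppressed, matching the page's
    guidance to tune on behaviour combinations rather than tool names."""
    procs = defaultdict(lambda: {"image": None, "signed": None,
                                 "hash_files": [], "max_cpu": 0, "gpu": False})
    for ev in events:
        p = procs[ev["pid"]]
        if ev["type"] == "process":
            p["image"], p["signed"] = ev["image"], ev["signed"]
        elif ev["type"] == "file_read" and is_hash_material(ev["path"]):
            p["hash_files"].append(ev["path"])
        elif ev["type"] == "cpu":
            p["max_cpu"] = max(p["max_cpu"], ev["pct"])
        elif ev["type"] == "gpu":
            p["gpu"] = True
    alerts = []
    for pid, p in procs.items():
        if p["image"] is None or p["signed"] or p["image"].lower() in allowlist:
            continue  # signed, unknown or explicitly approved binary
        if not p["hash_files"] or (p["max_cpu"] < cpu_threshold and not p["gpu"]):
            continue  # missing the file-access or resource-usage element
        alerts.append({"pid": pid, "image": p["image"], "hash_files": p["hash_files"],
                       "max_cpu": p["max_cpu"], "gpu": p["gpu"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

In the sample data only pid 101 fires: pid 202 is signed and pid 303 never touches hash material, which is the kind of negative case the allowlist and baselining steps above are meant to cover.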
Mitigation priorities
- Limit access to password hash files and credential material to the smallest set of required administrative functions.
- Harden privileged access workflows and ensure rapid credential reset procedures are available for incident response.
- Use application control or execution policy where appropriate to restrict unsigned or unapproved binaries on Windows systems.
- Improve endpoint logging coverage for process execution, file access, and resource utilization before relying on this analytic operationally.
- Maintain approved-use records for password auditing or security testing tools so SOC teams can distinguish authorized activity from suspicious behavior.
Analyst notes and limits
This object is a detection analytic, not a technique, and it has no supplied tactics or relationships. The official description supports a focused interpretation: hash-cracking tools after credential dumping, high CPU/GPU usage, unsigned binaries, and access to password hash files on Windows. Practical value depends on local logging depth and the ability to correlate endpoint behavior with identity and incident-response context.
Official detection content is not provided, and no ATT&CK relationships are supplied. This analysis therefore cannot assert a specific detection rule, active exploitation, actor usage, impact, or coverage beyond Windows. Local environment baselines are required to distinguish malicious activity from authorized password auditing, red-team testing, or administrative work.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a40872a5a483… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0292 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.