MITRE ATT&CK® Detection Strategy

DET0161: Password Policy Discovery – cross-platform behavior-chain analytics

Domain: Enterprise | ID: DET0161 | Type: Detection Strategy | Object version: 1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is intended to help identify discovery of enterprise or cloud password policy information, a behavior associated with ATT&CK T1201 Password Policy Discovery. For leaders, the significance is that password policy discovery can precede credential attacks by helping an adversary understand what password length, complexity, or guessing constraints they need to work around. Even though the ATT&CK detection strategy object does not provide official detection logic or platform details, its relationship to T1201 makes it relevant to identity risk, SOC readiness, and incident response triage around credential attack preparation.

Executive priority

Treat this as a coverage-validation item for identity and access management, managed detection, and incident response programs. Leaders should ask whether the organization can see password policy queries across Windows, Linux, macOS, and IaaS environments where those platforms are in scope, and whether such discovery would be correlated with later brute-force or dictionary-attack indicators. The decision value is not only alerting on a single query, but proving that identity telemetry, cloud audit data, and endpoint or command activity can support an investigation before credential abuse becomes a business continuity issue.

Technical view

The supplied ATT&CK object is a detection strategy named “Password Policy Discovery – cross-platform behavior-chain analytics,” but it has no official description, detection text, tactics, or platforms of its own. Use the relationship to T1201 as the technical anchor: validate visibility into attempts to access detailed password policy information in enterprise network or cloud environments. SOC and detection teams should map local data sources to environments where T1201 is applicable: Windows, Linux, macOS, and IaaS. Prioritize correlation over isolated matching where possible, such as password policy discovery followed by authentication failures, brute-force-like patterns, or other discovery activity, while accounting for legitimate administrative and audit activity.

Likely telemetry

  • Identity provider and directory service audit logs showing password policy reads or configuration queries
  • Endpoint command and process telemetry where available for administrative policy discovery activity
  • Cloud control-plane or IaaS audit logs related to identity, account, or password policy inspection
  • Authentication logs that can show follow-on brute-force or dictionary-style attempts
  • Administrative activity logs to distinguish authorized policy review from unusual discovery behavior

Detection direction

  • First confirm whether ATT&CK T1201-relevant environments exist locally: Windows, Linux, macOS, and IaaS are listed on the related technique, while the detection strategy itself does not specify platforms.
  • Build or review analytics that identify access to password policy information and correlate it with suspicious sequencing, such as additional discovery or abnormal authentication attempts.
  • Tune for expected administrators, compliance tools, and identity governance processes that may legitimately inspect password policy settings.
  • Avoid relying on one telemetry source; this behavior may be visible in identity, endpoint, and cloud audit data depending on architecture.
  • Use relationship-driven context: this strategy detects T1201, which is discovery behavior that may support later brute-force or dictionary attacks, so triage should look for credential-attack preparation rather than treating the query in isolation.
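The behaviour chain described above (a password policy read, then follow-on authentication failures, with approved administrative readers tuned out) as a small correlation analytic over normalised events. This is an added example for this page, not detection logic from the DET0161 object or from MITRE; the event schema, field names, sample events, tuning list and threshold values are all constructed for illustration.

```python
"""Behaviour-chain analytic for ATT&CK T1201: a password policy read that is
followed, from the same source, by a burst of authentication failures.

Added example for this page; it is not detection logic from the DET0161
object or from MITRE. The event schema, field names, sample events and
threshold values below are all constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed telemetry, already normalised from the sources the page lists
# (identity/directory audit, endpoint command telemetry, cloud audit,
# authentication logs) into one flat schema. "category" is assigned by the
# log normaliser; "target" is the account an authentication attempt was for.
SAMPLE_EVENTS = [
    # Approved compliance scanner reading policy: expected, should be tuned out.
    {"ts": "2024-05-01T09:00:00", "actor": "svc-compliance", "source": "10.0.1.5",
     "category": "policy_read", "target": None},
    # Policy read followed within minutes by failures against many accounts.
    {"ts": "2024-05-01T13:10:00", "actor": "jdoe", "source": "10.0.7.42",
     "category": "policy_read", "target": None},
    {"ts": "2024-05-01T13:11:30", "actor": "jdoe", "source": "10.0.7.42",
     "category": "auth_failure", "target": "alice"},
    {"ts": "2024-05-01T13:11:35", "actor": "jdoe", "source": "10.0.7.42",
     "category": "auth_failure", "target": "bob"},
    {"ts": "2024-05-01T13:11:40", "actor": "jdoe", "source": "10.0.7.42",
     "category": "auth_failure", "target": "carol"},
    {"ts": "2024-05-01T13:11:45", "actor": "jdoe", "source": "10.0.7.42",
     "category": "auth_failure", "target": "dave"},
    {"ts": "2024-05-01T13:11:50", "actor": "jdoe", "source": "10.0.7.42",
     "category": "auth_failure", "target": "erin"},
    # Isolated policy read by an administrator with no follow-on activity.
    {"ts": "2024-05-01T15:00:00", "actor": "asmith", "source": "10.0.3.9",
     "category": "policy_read", "target": None},
    # Unrelated failure from a different source: not chained to any read.
    {"ts": "2024-05-01T15:05:00", "actor": "bob", "source": "10.0.9.1",
     "category": "auth_failure", "target": "bob"},
]

APPROVED_POLICY_READERS = {"svc-compliance"}  # constructed tuning list
WINDOW = timedelta(minutes=30)  # how long after a read failures still count
FAILURE_THRESHOLD = 5           # constructed; tune to the local baseline


def _ts(event):
    """Parse the ISO-8601 timestamp of a normalised event."""
    return datetime.fromisoformat(event["ts"])


def correlate(events, approved=APPROVED_POLICY_READERS,
              window=WINDOW, threshold=FAILURE_THRESHOLD):
    """Return one finding per policy read by a non-approved actor.

    A read followed within `window` by at least `threshold` authentication
    failures from the same source is rated "high"; a read with no such
    follow-on is "info" only, so discovery alone never implies compromise.
    Approved readers produce no finding at all.
    """
    ordered = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(ordered):
        if ev["category"] != "policy_read" or ev["actor"] in approved:
            continue
        start = _ts(ev)
        failures = [
            f for f in ordered[i + 1:]
            if f["category"] == "auth_failure"
            and f["source"] == ev["source"]
            and start < _ts(f) <= start + window
        ]
        findings.append({
            "actor": ev["actor"],
            "source": ev["source"],
            "policy_read_ts": ev["ts"],
            "failures": len(failures),
            "distinct_targets": len({f["target"] for f in failures}),
            "severity": "high" if len(failures) >= threshold else "info",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the analytic produces a "high" finding for the read from 10.0.7.42 (five failures against five distinct accounts inside the window), an "info" finding for the isolated administrator read, and nothing for the approved compliance account; the stray failure from 10.0.9.1 is never attached to a read because correlation is keyed on source as well as time. The `distinct_targets` count is what separates a spray-like pattern from one user mistyping their own password, and the `approved` set is where the documented administrative and audit workflows from the mitigation list go.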

Mitigation priorities

  • Maintain clear ownership and logging for identity and password policy administration across enterprise and cloud environments.
  • Restrict access to detailed policy information where appropriate through least privilege and administrative role governance.
  • Ensure authentication monitoring is in place so policy discovery can be assessed alongside brute-force or dictionary-attack indicators.
  • Document approved administrative and audit workflows that inspect password policies to support SOC tuning and compliance evidence.
  • Use incident response playbooks that connect password policy discovery with credential attack investigation steps, without assuming compromise from the discovery event alone.

Analyst notes and limits

This Glexia take is based on the detection strategy metadata and its ATT&CK relationship to T1201 Password Policy Discovery. The object itself lacks official description, official detection guidance, tactics, and platform fields, so the practical guidance is derived conservatively from the related technique’s description, tactics, and platforms.

No official detection logic, data sources, analytic examples, or platform list are provided on the detection strategy object. Local validation is required to determine which logs exist, which administrative behaviors are normal, and whether any correlation logic is effective in the environment.

Official MITRE ATT&CK definition

Password Policy Discovery – cross-platform behavior-chain analytics

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1201
Name: Password Policy Discovery
Relationship / procedure: This object detects Password Policy Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1af54022f6e6e6b1...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 1af54022f6e6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0161

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.