T1110.002: Password Cracking
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained. OS Credential Dumping can be used to obtain password hashes, but this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.[1]
Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.[2] The plaintext password recovered from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access.
Analyst context for executives and security teams
Password cracking matters because once an adversary obtains password hashes or other credential material, the attack may move off-network and become hard to observe directly. The business risk is not the cracking activity itself as much as the later use of recovered plaintext passwords to access identity providers, Windows/Linux/macOS systems, office services, network devices, or other resources where that account is trusted.
Executive priority
Treat this as an identity resilience and credential hygiene issue, not only a SOC alerting problem. Leaders should ask whether privileged, service, network device, and high-value business accounts are protected by strong password policy and MFA, and whether the organization can prove it detects the precursor behaviors: credential dumping, suspicious access to stored hashes, and unusual access to configuration repositories. The ATT&CK relationships show this technique associated with multiple groups, campaigns, and software, including activity touching energy, critical infrastructure, telecommunications, retail, and payment environments; use that context to prioritize credential controls where business continuity impact would be highest.
Technical view
This is a credential-access sub-technique under Brute Force. Because MITRE notes cracking is usually performed on adversary-controlled systems outside the target network, defenders should focus on evidence before and after cracking: acquisition of hashes, access to credential stores or configuration repositories, use of hash analysis/cracking-related tools, and subsequent successful logons using the recovered plaintext password. Validate coverage across the listed platforms: Identity Provider, Windows, Linux, macOS, Office Suite, and Network Devices. The related detection strategy DET0105 specifically points toward suspicious file access and hash analysis tools after credential dumping.
Likely telemetry
- Endpoint process, file, and command telemetry around credential stores, dumped hash files, and suspicious archive or staging behavior
- Security logs for OS credential dumping precursors on Windows, Linux, and macOS systems
- Identity provider authentication logs, especially successful logons following suspicious credential access activity
- Office suite sign-in and access logs for account use after potential credential recovery
- Network device administrative logs and configuration repository access records, especially where hashed credentials may be stored
Detection direction
- Do not rely on observing cracking directly; MITRE states cracking is usually performed outside the target network.
- Tune detections around the credential material lifecycle: dumping, copying, staging, compressing, exfiltrating, or analyzing hashes.
- Correlate suspicious hash access with later successful authentications, new device locations, unusual service access, or privileged activity.
- Validate DET0105-style logic for suspicious file access and hash analysis tools, but account for legitimate administrator, forensics, and password audit activity as false-positive sources.
- Include network devices and configuration repositories in detection design; ATT&CK specifically notes hashed credentials may be obtained from configuration repositories for network devices.
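One way to implement the correlation step above in a SOC pipeline, as an added example that is not part of this page or of ATT&CK: it pairs credential-store access events with later successful logons of the exposed accounts from sources not seen before the exposure, and suppresses access by an approved-actor allowlist to handle the administrator, forensics and password-audit false positives noted above. The event schema, hostnames, account names, addresses and allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page); timestamps are ISO 8601.
CREDENTIAL_ACCESS_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "dc01", "actor": "svc-backup",
     "accounts_exposed": ["alice", "svc-sql"]},
    {"ts": "2024-01-10T11:00:00", "host": "lab01", "actor": "forensics-svc",
     "accounts_exposed": ["bob"]},
]
AUTH_EVENTS = [
    {"ts": "2024-01-09T08:00:00", "account": "alice",   "success": True,  "src": "10.0.5.20"},
    {"ts": "2024-01-09T08:05:00", "account": "svc-sql", "success": True,  "src": "10.0.5.21"},
    {"ts": "2024-01-11T22:15:00", "account": "alice",   "success": True,  "src": "203.0.113.9"},
    {"ts": "2024-01-11T23:00:00", "account": "bob",     "success": True,  "src": "198.51.100.7"},
    {"ts": "2024-01-12T10:05:00", "account": "svc-sql", "success": True,  "src": "10.0.5.21"},
    {"ts": "2024-01-12T10:10:00", "account": "svc-sql", "success": False, "src": "203.0.113.9"},
    {"ts": "2024-01-20T09:00:00", "account": "alice",   "success": True,  "src": "192.0.2.44"},
]
# Hypothetical allowlist of actors whose credential-store access is expected
# (password audits, forensics); suppressing them removes a known false-positive source.
APPROVED_ACCESS_ACTORS = {"forensics-svc"}
WINDOW = timedelta(hours=72)  # how long after exposure a new-source logon is suspicious

def parse_ts(s):
    return datetime.fromisoformat(s)

def baseline_sources(auth_events, account, before):
    """Sources the account logged on from successfully before the exposure time."""
    return {e["src"] for e in auth_events
            if e["account"] == account and e["success"] and parse_ts(e["ts"]) < before}

def correlate(access_events, auth_events, approved=APPROVED_ACCESS_ACTORS, window=WINDOW):
    """Alert on successful logons of an exposed account, within `window` after the
    credential access, from a source absent from that account's pre-exposure baseline."""
    alerts = []
    for acc in access_events:
        if acc["actor"] in approved:
            continue  # expected audit/forensics activity, not a precursor
        t0 = parse_ts(acc["ts"])
        for account in acc["accounts_exposed"]:
            known = baseline_sources(auth_events, account, t0)
            for e in auth_events:
                t = parse_ts(e["ts"])
                if (e["account"] == account and e["success"]
                        and t0 <= t <= t0 + window and e["src"] not in known):
                    alerts.append({"account": account, "src": e["src"], "logon_ts": e["ts"],
                                   "exposed_on": acc["host"], "exposed_by": acc["actor"]})
    return alerts
```

With the sample data only alice's logon from 203.0.113.9 is flagged: svc-sql returns from a baseline source, the failed attempt is ignored, bob's exposure came from an allowlisted actor, and alice's later logon falls outside the window.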
Mitigation priorities
- Prioritize MFA for critical systems, identity providers, privileged users, remote access paths, and high-impact business services, consistent with M1032.
- Enforce password policies that reduce crackability and reuse risk, consistent with M1027: adequate length, complexity where appropriate, password history, and prevention of reuse.
- Apply stronger controls first to privileged, service, administrative, and network device accounts because recovered plaintext credentials can expand access quickly.
- Reduce exposure of stored credential material by reviewing who can access credential stores, configuration repositories, and network device backups.
- Maintain compliance evidence showing password policy enforcement, MFA coverage, and monitoring of credential-access precursors.
Analyst notes and limits
MITRE provides no official detection text for this object, so the defensive view is derived from the official description, listed platforms, tactic, and the DET0105 detection relationship. The sub-technique is linked to Brute Force and to several groups, campaigns, and software in ATT&CK, but those relationships should be used for threat-informed prioritization rather than assumptions of current targeting.
Local validation is required to determine whether password hashes are stored, backed up, or logged in ways that create exposure; whether MFA covers the accounts that matter; and whether SOC telemetry can connect credential dumping or configuration access to later authentication. This take does not assert active exploitation or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | This object is a sub-technique of Brute Force. |
Groups, software, and campaigns
G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
G1045: Salt Typhoon
Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).[1][2]
G0037: FIN6
S0056: Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler.[1]
C0063: 2025 Poland Wiper Attacks
2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 5621a2a0da2a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] US-CERT-TA18-106A: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
[2] Wikipedia Password cracking: Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.
[3] mitre-attack T1110.002: MITRE ATT&CK. T1110.002: Password Cracking.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.