MITRE ATT&CK® Technique

T1201: Password Policy Discovery

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks that adhere to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 so as not to lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l, cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies [1] [2]. Adversaries may also leverage a Network Device CLI on network devices to discover password policy information (e.g. show aaa, show aaa common-criteria policy all).[3]

Password policies can be discovered in cloud environments using available APIs such as GetAccountPasswordPolicy in AWS [4].
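As an added example (not MITRE's or Glexia's code), the following Python parses constructed `net accounts` and `chage -l` output into a policy record and then applies it the way the description above implies: candidates the policy would have rejected at set time are dropped, and the per-account attempt budget is held under the lockout threshold. The command output is constructed to mirror the real utilities' layout; the PasswordPolicy fields, the 3-of-4 character-class approximation of Windows complexity and the two-attempt safety margin are this example's own assumptions.

```python
"""Added example (not MITRE's or Glexia's code): parse the policy fields an
adversary reads from `net accounts` and `chage -l`, then use them as the
technique description implies: drop candidates the policy would never have
accepted and keep attempts per account under the lockout threshold.
Command output below is constructed to mirror the real utilities' layout;
field names, the complexity approximation and the margin are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `net accounts /domain` output on a domain-joined host.
NET_ACCOUNTS_SAMPLE = """\
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                24
Lockout threshold:                                    6
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.
"""

# Constructed sample of `chage -l alice` on a Linux host.
CHAGE_SAMPLE = """\
Last password change                                    : Jan 03, 2025
Password expires                                        : Apr 03, 2025
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
"""


@dataclass
class PasswordPolicy:
    min_length: int = 0
    lockout_threshold: int = 0        # 0 means lockout disabled ("Never")
    lockout_window_min: int = 0
    history: int = 0
    max_age_days: Optional[int] = None
    complexity: bool = True           # net accounts does not show this; assumed on


def _field(text: str, label: str) -> Optional[str]:
    """Value after the colon on the line that starts with `label`."""
    m = re.search(rf"^{re.escape(label)}[^:\n]*:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def _as_int(value: Optional[str]) -> int:
    return 0 if value in (None, "Never", "Unlimited", "None") else int(value)


def parse_net_accounts(text: str) -> PasswordPolicy:
    """Extract the `net accounts` fields that shape a guessing campaign."""
    return PasswordPolicy(
        min_length=_as_int(_field(text, "Minimum password length")),
        lockout_threshold=_as_int(_field(text, "Lockout threshold")),
        lockout_window_min=_as_int(_field(text, "Lockout observation window")),
        history=_as_int(_field(text, "Length of password history")),
        max_age_days=_as_int(_field(text, "Maximum password age")),
    )


def parse_chage(text: str) -> PasswordPolicy:
    """`chage -l` exposes only aging; length and complexity live in PAM config."""
    raw = _field(text, "Maximum number of days between password change")
    max_age = None if raw in (None, "never") else int(raw)
    return PasswordPolicy(max_age_days=max_age, complexity=False)


def policy_compliant(candidate: str, policy: PasswordPolicy) -> bool:
    """A candidate the policy would have rejected at set time is a wasted attempt."""
    if len(candidate) < policy.min_length:
        return False
    if policy.complexity:
        # Approximation of the Windows rule: characters from at least 3 of 4 classes.
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
        if classes < 3:
            return False
    return True


def attempts_per_account(policy: PasswordPolicy, margin: int = 2) -> Optional[int]:
    """Attempts per account per observation window that stay under lockout.
    None means no lockout is configured, so nothing constrains the attacker."""
    if policy.lockout_threshold == 0:
        return None
    return max(policy.lockout_threshold - margin, 1)


def plan_guessing(wordlist: List[str],
                  policy: PasswordPolicy) -> Tuple[List[str], Optional[int]]:
    """Candidates worth trying, plus the per-account budget per lockout window."""
    keep = [w for w in wordlist if policy_compliant(w, policy)]
    return keep, attempts_per_account(policy)


# Constructed candidate list in the style of a seasonal password spray.
WORDLIST = ["pass123", "Password1", "Winter2025!", "Summer2025!", "companyname", "Welcome1!"]

if __name__ == "__main__":
    policy = parse_net_accounts(NET_ACCOUNTS_SAMPLE)
    keep, budget = plan_guessing(WORDLIST, policy)
    print(policy)
    print("worth trying:", keep, "| attempts per account per window:", budget)
```

With the constructed policy (minimum length 8, lockout at 6), 'pass123' and 'companyname' are discarded and the budget drops to 4 attempts per account per 30-minute window, which is exactly the behaviour the description warns about. A lockout threshold of "Never" yields an unbounded budget, which is the defender-side reading of the same output: an absent lockout removes the only constraint the policy placed on guessing.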

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Password Policy Discovery matters because it lets an intruder tune password guessing or brute-force activity to avoid lockouts and wasted attempts. For leaders, the signal is that identity controls, cloud account governance, and SOC visibility should be assessed not only by whether strong password rules exist, but also by whether attempts to inspect those rules are logged, reviewed, and understood across Windows, Linux, macOS, IaaS, network devices, identity providers, SaaS, and office suites.

Executive priority

Treat this as an identity and resilience validation point. Executives should ask whether password policy visibility is limited to appropriate administrators, whether policy reads are logged in key environments such as Active Directory, cloud IAM, SaaS, and network infrastructure, and whether the SOC can distinguish routine administration from suspicious discovery. This technique is associated in ATT&CK with espionage campaigns, named groups, and post-exploitation tools, so it is useful for control prioritization and audit evidence even though the supplied object does not indicate current activity against any specific organization.

Technical view

ATT&CK lists this as a Discovery technique across Windows, Linux, macOS, IaaS, network device, identity provider, SaaS, and office suite platforms. The official description covers policy discovery through command-line utilities and APIs: Windows domain password policy queries, Unix-like password aging and PAM policy inspection, macOS password policy queries, network device AAA policy commands, and the AWS IAM GetAccountPasswordPolicy call. Because no official MITRE detection text is supplied with the object, defenders should validate detection around behavior chains rather than a single command: process execution or shell history, directory or domain policy reads, cloud API calls, network device CLI activity, and follow-on authentication failures consistent with policy-aware guessing. Relationship context names DET0161, Password Policy Discovery cross-platform behavior-chain analytics, as the associated detection strategy.

Likely telemetry

  • Endpoint process execution and command-line telemetry for administrative utilities used to view password or account policy settings
  • PowerShell and shell activity logs where available
  • Directory service or domain controller audit logs showing password policy reads or administrative queries, where the platform emits them; many policy reads (for example a domain query issued through net accounts) produce no discrete directory audit event, so endpoint command-line telemetry is usually the primary source
  • Linux and macOS audit, command history, or file access telemetry for password policy configuration inspection
  • Cloud control-plane/API logs for password policy retrieval, including AWS IAM GetAccountPasswordPolicy where applicable

Detection direction

  • Start by inventorying where password policies can be queried across the supported platforms and confirm those data sources are actually collected by the SOC.
  • Tune detections for unusual users, hosts, service accounts, or sessions querying password policy, especially when followed by authentication failures or other discovery behavior.
  • Account for legitimate administration, compliance assessment, and help desk activity to reduce false positives; baselining known administrative systems and change windows is important.
  • Correlate endpoint, cloud API, network device CLI, and identity-provider logs because the technique spans enterprise, cloud, SaaS, and network infrastructure surfaces.
  • Do not rely only on blocking or alerting for a few known commands; the ATT&CK object supports multiple operating systems, network devices, and cloud APIs, and the supplied detection field is empty.
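As an added example that is not MITRE's, Glexia's or the DET0161 strategy's own logic, the following Python runs the behavior-chain idea from the Technical view and the steps above over constructed, pre-normalized events from three sources: Windows process creation (4688 with command line), Windows logon failures (4625), and AWS CloudTrail. A policy read outside an assumed admin baseline alerts at medium; a read followed within an hour by failed logons against three or more distinct accounts from the same host alerts at high. Hostnames, user names, the AWS account ID, the IP address and the baseline are all constructed.

```python
"""Added example (not MITRE's, Glexia's or DET0161's logic): behavior-chain
detection for T1201 over constructed events from Windows process creation
(4688 with command line), Windows logon failures (4625) and AWS CloudTrail.
A policy read outside the admin baseline alerts at medium; one followed within
an hour by failed logons against several distinct accounts from the same host
alerts at high. Hosts, users, account ID, IP and baseline are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Command-line patterns for the utilities named in the technique description.
DISCOVERY_PATTERNS = [
    ("windows_net_accounts", re.compile(r"\bnet1?(?:\.exe)?\s+accounts\b", re.I)),
    ("windows_ad_default_policy", re.compile(r"Get-ADDefaultDomainPasswordPolicy", re.I)),
    ("linux_chage", re.compile(r"\bchage\s+-l\b")),
    ("linux_pam_common_password", re.compile(r"/etc/pam\.d/common-password")),
    ("macos_pwpolicy", re.compile(r"\bpwpolicy\s+getaccountpolicies\b")),
]
CLOUD_DISCOVERY_EVENTS = {("iam.amazonaws.com", "GetAccountPasswordPolicy")}

# Assumed baseline: (host, user) pairs that read policy as routine admin work.
ADMIN_BASELINE = {("ADMIN-JUMP01", "CORP\\svc-audit")}
CHAIN_WINDOW = timedelta(minutes=60)
SPRAY_MIN_ACCOUNTS = 3

# Constructed events, already normalized from their native logs into one shape.
EVENTS = [
    {"ts": "2025-03-04T09:02:11Z", "source": "windows", "event_id": 4688, "host": "ADMIN-JUMP01",
     "user": "CORP\\svc-audit", "command_line": "net accounts /domain"},
    {"ts": "2025-03-04T13:15:02Z", "source": "windows", "event_id": 4688, "host": "WS-0412",
     "user": "CORP\\jdoe", "command_line": "C:\\Windows\\System32\\net1.exe accounts /domain"},
    {"ts": "2025-03-04T13:20:40Z", "source": "windows", "event_id": 4625, "host": "DC01",
     "target_user": "CORP\\a.smith", "src_host": "WS-0412"},
    {"ts": "2025-03-04T13:21:05Z", "source": "windows", "event_id": 4625, "host": "DC01",
     "target_user": "CORP\\b.jones", "src_host": "WS-0412"},
    {"ts": "2025-03-04T13:21:31Z", "source": "windows", "event_id": 4625, "host": "DC01",
     "target_user": "CORP\\c.lee", "src_host": "WS-0412"},
    {"ts": "2025-03-04T15:00:00Z", "source": "cloudtrail", "eventSource": "iam.amazonaws.com",
     "eventName": "GetAccountPasswordPolicy", "sourceIPAddress": "203.0.113.9",
     "principal": "arn:aws:sts::123456789012:assumed-role/Developer/ci-runner"},
    {"ts": "2025-03-04T16:00:00Z", "source": "linux", "event_id": None, "host": "build-03",
     "user": "deploy", "command_line": "chage -l root"},
]


def _ts(ev: Dict) -> datetime:
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")


def classify_discovery(ev: Dict) -> Optional[str]:
    """Name the T1201 pattern an event matches, or None if it is not discovery."""
    if ev["source"] == "cloudtrail":
        key = (ev.get("eventSource"), ev.get("eventName"))
        return "aws_get_account_password_policy" if key in CLOUD_DISCOVERY_EVENTS else None
    cmd = ev.get("command_line", "")
    for name, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def detect(events: List[Dict]) -> List[Dict]:
    """Emit one alert per unbaselined policy read, escalated when followed by a spray."""
    events = sorted(events, key=_ts)
    # Failed logons indexed by originating workstation: host -> [(time, target account)]
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 4625:
            failures[ev["src_host"]].append((_ts(ev), ev["target_user"]))

    alerts = []
    for ev in events:
        pattern = classify_discovery(ev)
        if pattern is None:
            continue
        if ev["source"] == "cloudtrail":
            actor = ev["principal"]
        else:
            if (ev["host"], ev["user"]) in ADMIN_BASELINE:
                continue  # routine administration from a known host and account
            actor = f'{ev["host"]}:{ev["user"]}'
        t0 = _ts(ev)
        # Distinct accounts that failed to log on from this host after the read.
        targets = {u for t, u in failures.get(ev.get("host"), [])
                   if t0 <= t <= t0 + CHAIN_WINDOW}
        if len(targets) >= SPRAY_MIN_ACCOUNTS:
            severity = "high"
            reason = f"policy read followed by failed logons against {len(targets)} accounts"
        else:
            severity = "medium"
            reason = "policy read outside the admin baseline"
        alerts.append({"ts": ev["ts"], "technique": "T1201", "pattern": pattern,
                       "actor": actor, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Two collection caveats decide whether this logic has anything to run on. Event 4688 only carries the command line when "Include command line in process creation events" is enabled, and a cmdlet such as Get-ADDefaultDomainPasswordPolicy runs inside powershell.exe, so it surfaces in PowerShell script block logging (4104) rather than in the process creation event; the normalization step that produces the `command_line` field above has to merge both. On the cloud side, GetAccountPasswordPolicy is an IAM management event, so it is present in CloudTrail by default, and the principal and source IP are the fields to baseline.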

Mitigation priorities

  • Implement and enforce secure password policies as described by ATT&CK mitigation M1027, including strong length, complexity, history, and reuse controls where appropriate.
  • Limit who can read or administer password and authentication policy settings, especially in cloud IAM, identity provider, SaaS, domain, and network device management planes.
  • Ensure password policy changes and policy reads are auditable and retained for investigation and compliance evidence.
  • Pair policy strength with monitoring for brute-force and dictionary attack behavior, because the technique is used to inform password-guessing decisions.
  • Review administrative access to network devices and cloud APIs, since ATT&CK explicitly includes network device CLI and AWS password policy API discovery examples.

Analyst notes and limits

This object is useful for purple-team and detection-engineering validation because it sits early in the adversary decision cycle: discovery of lockout thresholds, minimum length, and complexity can shape later brute-force or dictionary attempts. Relationship context includes use by Operation CuckooBees, Turla, OilRig, Chimera, and tools such as Net, Kwampirs, PoshC2, and CrackMapExec, which supports prioritizing this behavior in environments concerned with espionage tradecraft, Active Directory exposure, cloud IAM, and cyber-physical settings involving network devices or high-tech equipment.

MITRE provides no official detection guidance for this technique in the supplied fields, so detection recommendations are inferred from the described platforms, commands, APIs, and the related DET0161 strategy. Local logging configuration, role design, administrative baselines, and cloud/SaaS audit availability determine whether this behavior can be reliably detected. The supplied data does not support claims of active exploitation, specific customer exposure, or guaranteed detection coverage.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0049: OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]

Group (Enterprise)

G0114: Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

Group (Enterprise)

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Tool (Enterprise)

S0039: Net

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

Platforms: Windows

Tool (Enterprise)

S0488: CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]

Platforms: Windows

Malware (Enterprise)

S0236: Kwampirs

Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines.[1] Kwampirs has multiple technical overlaps with Shamoon based on reverse engineering analysis.[2]

Platforms: Windows

Tool (Enterprise)

S0378: PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

Platforms: Windows, Linux, macOS

Campaign (Enterprise)

C0012: Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.7
Raw hash: 3a73007a676902c5...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 1.7, current bundle, raw hash 3a73007a6769…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Matutiae, M. (2014, August 6). How to display password policy information for a user (Ubuntu)? Superuser. Retrieved April 5, 2018.
  2. Holland, J. (2016, January 25). User password policies on non AD machines. Jamf. Retrieved April 5, 2018.
  3. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  4. Amazon Web Services. (n.d.). AWS API GetAccountPasswordPolicy. Retrieved June 8, 2021.
  5. MITRE ATT&CK. T1201: Password Policy Discovery. attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.