密码策略发现

密码策略发现是攻击者通过系统命令、API接口或日志分析等手段，获取目标组织密码复杂度要求、锁定阈值等安全策略的侦察行为。传统检测方法主要监控敏感命令执行（如net accounts /domain）、异常API调用频次以及非常规工具使用，通过关联账户权限和访问模式识别恶意活动。防御措施包括实施最小权限原则、强化API调用审计、建立用户行为基线等。

为规避传统检测机制，攻击者发展出融合云原生特性、分布式架构和合法工具滥用的新型隐蔽探测技术。通过将高风险的集中式查询操作解构为多维度、低强度的碎片化行为，并深度融入正常业务流量与运维活动，构建出具有"表面合规、实质恶意"特征的密码策略发现体系。

当前密码策略发现匿迹技术的演进呈现三大特征：首先，攻击载体向云环境与合规工具迁移，利用标准化接口和可信进程降低行为异常性；其次，操作模式趋向分布式与异步化，通过多源节点协同实施碎片化信息采集；最后，技术实现强调上下文环境适配，根据目标系统类型动态调整探测策略。例如API伪装查询技术利用云平台的海量API流量作为掩护，策略参数碎片化采集通过大数据关联分析替代直接查询，合规工具寄生则完全依托信任链实现攻击隐身。技术的共性在于突破传统基于单点行为检测的防御范式，通过合法化、常态化的操作模式重构攻击链特征。

匿迹技术的发展导致传统基于命令监控、频率统计的检测方法面临失效风险，防御方需构建多维行为画像能力，强化云API请求的上下文语义分析，并实施严格的第三方工具完整性校验。同时应建立密码策略元数据的动态保护机制，防范通过间接推理获取敏感参数的新型攻击路径。

ID: T1201

Sub-techniques: No sub-techniques

ⓘ

Tactic: 环境测绘

ⓘ

Platforms: IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS

Contributors: Austin Clark, @c2defense; Isif Ibrahima, Mandiant; Regina Elwell; Sudhanshu Chauhan, @Sudhanshu_C

Version: 1.6

Created: 18 April 2018

Last Modified: 15 October 2024

匿迹效应

效应类型	是否存在
特征伪装	✅
行为透明	❌
数据遮蔽	✅
时空释痕	✅

特征伪装

攻击者通过模拟合法API调用模式、复用合规审计工具的工作机制，使密码策略发现行为在协议特征、进程行为等维度与正常运维活动完全同构。例如将恶意查询请求封装成标准云API调用格式，或利用Nessus扫描器的策略检查模块作为载体，实现攻击流量的"白名单化"隐匿。

数据遮蔽

在API伪装查询与合规工具寄生技术中，攻击者利用HTTPS加密通道传输策略查询请求与响应数据，使网络层检测设备无法直接解析敏感参数。同时采用内存驻留技术处理获取的策略信息，避免在磁盘或日志中留下明文记录，显著增加事后取证难度。

时空释痕

通过多源低频探测技术将集中式查询任务分解为长周期、跨地域的离散操作，单个节点的查询频次和强度均低于检测阈值。结合动态节点调度算法和随机化时间间隔，使得攻击特征被稀释在正常业务操作的时间流中，传统基于短周期行为分析的检测模型难以有效识别。

Procedure Examples

ID	Name	Description
S0521	BloodHound	BloodHound can collect password policy information on the target environment.^[1]
G0114	Chimera	Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.^[2]
S0488	CrackMapExec	CrackMapExec can discover the password policies applied to the target system.^[3]
S0236	Kwampirs	Kwampirs collects password policy information with the command `net accounts`.^[4]
S0039	Net	The `net accounts` and `net accounts /domain` commands with Net can be used to obtain password policy information.^[5]
G0049	OilRig	OilRig has used net.exe in a script with `net accounts /domain` to find the password policy of a domain.^[6]
C0012	Operation CuckooBees	During Operation CuckooBees, the threat actors used the `net accounts` command as part of their advanced reconnaissance.^[7]
S0378	PoshC2	PoshC2 can use `Get-PassPol` to enumerate the domain password policy.^[8]
G0010	Turla	Turla has used `net accounts` and `net accounts /domain` to acquire password policy information.^[9]

Mitigations

ID	Mitigation	Description
M1027	Password Policies	Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (`C:\Windows\System32\` by default) of a domain controller and/or local computer with a corresponding entry in `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages`. ^[10]

Detection

ID	Data Source	Data Component	Detects
DS0017	Command	Command Execution	Monitor executed commands and arguments for actions that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
DS0009	Process	Process Creation	Monitor for newly executed processes that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.
DS0002	User Account	User Account Metadata	Monitor for contextual data about an account that may attempt to access detailed information about the password policy used within an enterprise network or cloud environment.