HackTool - Hashcat Password Cracker Execution
About the rule
Rule Type
Standard
Rule Description
Detects execution of the Hashcat password cracking tool targeting Windows SAM file hashes with typical command-line flags indicating brute-force password cracking attempts.
Severity
Trouble
Rule journey
Attack chain scenario
Credential Access (T1110.002) → Unauthorized Access → Lateral Movement
Impact
Recovery of user credentials through password cracking, enabling unauthorized access and lateral movement within the network.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller with domain admin credentials.
- Open the Group Policy Management Console by typing gpmc.msc in the Run dialog.
- Create a new GPO or edit an existing one linked to the appropriate OU.
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
- Right-click on Audit Process Creation, select Properties, choose Configure the following audit events, check Success, and click OK.
- Right-click on Audit Process Termination, select Properties, choose Configure the following audit events, check Success, and click OK.
- For command line tracking, go to: Computer Configuration → Administrative Templates → System → Audit Process Creation
- Double-click Include command line in process creation events, select Enabled, and click OK.
- Open the Registry Editor and create a new registry key at:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals.
- Open Command Prompt as Administrator.
- Use a Sysmon configuration file that includes process creation monitoring.
- Install Sysmon with the configuration using the command: sysmon.exe -i config.xml
- Your configuration file should include a section to monitor process creation like this: Sysmon → EventFiltering → ProcessCreate (onmatch="exclude") (This will log all process creations.)
- Open the Registry Editor and ensure the following key exists:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started"
AND (
PROCESSNAME endswith "\hashcat.exe"
OR (COMMANDLINE contains "-a " AND COMMANDLINE contains "-m 1000 " AND COMMANDLINE contains "-r ")
)
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
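The criteria above have two independent clauses, an image-name match and a command-line match, both gated on the event being a process start. The following Python is an added example (not the vendor's rule engine or the rule author's code) that evaluates the same logic over constructed process-creation events; the event field names mirror the criteria, while the event shape, hostnames, users and paths are assumptions made for the example. It shows why the OR must be grouped: a process-termination event for hashcat.exe, which the prerequisites also enable auditing for, must not fire the rule, and it reproduces the false positive the page describes (another tool that happens to use all three flags).

```python
"""Evaluate the rule's Criteria over constructed process events.

Added example, not the vendor's detection engine or the rule author's code.
Field names mirror the Criteria (HOSTNAME, COMMANDLINE, PROCESSNAME, ...);
the event structure itself is an assumption made for this example.
"""
from dataclasses import dataclass, asdict


@dataclass
class ProcessEvent:
    actionname: str          # "Process started" or "Process stopped"
    hostname: str
    username: str
    processname: str         # full image path of the started process
    commandline: str
    parentprocessname: str
    file_name: str = ""      # original file name from the PE header, when the source provides it
    message: str = ""


# Constructed sample events: hosts, users and paths are invented for the example.
SAMPLE_EVENTS = [
    # 1. Hashcat run under its own name with the flags the rule looks for.
    ProcessEvent("Process started", "WS01", r"CORP\jdoe", r"C:\Tools\hashcat.exe",
                 r"hashcat.exe -a 0 -m 1000 hashes.txt wordlist.txt -r rules\best64.rule",
                 r"C:\Windows\System32\cmd.exe", "hashcat.exe"),
    # 2. Renamed binary: only the command-line clause can catch it.
    ProcessEvent("Process started", "WS02", r"CORP\svc", r"C:\Users\Public\hc.exe",
                 r"hc.exe -a 0 -m 1000 hashes.txt wordlist.txt -r rules\best64.rule",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "hashcat.exe"),
    # 3. Benign archiver whose flags overlap only partially ("-r " but no "-a " / "-m 1000 ").
    ProcessEvent("Process started", "WS03", r"CORP\build", r"C:\Program Files\7-Zip\7z.exe",
                 r"7z.exe a -r archive.7z .\src", r"C:\Windows\explorer.exe", "7z.exe"),
    # 4. The false positive the page warns about: another tool using all three flags.
    ProcessEvent("Process started", "WS04", r"CORP\analyst", r"C:\Tools\othertool.exe",
                 r"othertool.exe -a 0 -m 1000 -r custom.rule", r"C:\Windows\System32\cmd.exe",
                 "othertool.exe"),
    # 5. Termination event for hashcat: excluded because actionname must be "Process started".
    ProcessEvent("Process stopped", "WS01", r"CORP\jdoe", r"C:\Tools\hashcat.exe", "",
                 r"C:\Windows\System32\cmd.exe", "hashcat.exe"),
]

# Fields returned by the rule's select clause.
SELECTED_FIELDS = ("hostname", "message", "commandline", "file_name",
                   "processname", "username", "parentprocessname")


def matches_image(ev: ProcessEvent) -> bool:
    """PROCESSNAME endswith "\\hashcat.exe" (case-insensitive, as Windows paths are)."""
    return ev.processname.lower().endswith("\\hashcat.exe")


def matches_cmdline(ev: ProcessEvent) -> bool:
    """COMMANDLINE contains "-a " AND "-m 1000 " AND "-r " (all three required).

    The trailing spaces matter: they keep "-m 10000" or "-rX" from matching.
    """
    cl = ev.commandline.lower()
    return all(token in cl for token in ("-a ", "-m 1000 ", "-r "))


def matches(ev: ProcessEvent) -> bool:
    """actionname = "Process started" AND (image clause OR command-line clause).

    Grouping the OR is what stops the rule from firing on every event whose
    command line carries the three flags, whatever the event type.
    """
    return ev.actionname == "Process started" and (matches_image(ev) or matches_cmdline(ev))


def detect(events):
    """Return the selected fields for every matching event, like the rule's select clause."""
    return [{k: v for k, v in asdict(ev).items() if k in SELECTED_FIELDS}
            for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["hostname"], hit["username"], hit["commandline"])
```

Run against the constructed events, events 1, 2 and 4 match and events 3 and 5 do not. Event 4 is the case listed under Known False Positives, so the hit still needs the analyst triage described in Next Steps; the FILE_NAME field is carried along because a renamed copy (event 2) often still reports the original file name in its PE header.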
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1110.002 – Brute Force: Password Cracking
Security Standards
Implementation of multi-factor authentication and strong, NIST-compliant password policies to mitigate the risk of brute-force attacks.
Author
frack113
Future actions
Known False Positives
Other tools using similar command-line parameters may trigger detections erroneously.
Next Steps
- Investigate detected executions of Hashcat for unauthorized activity.
- Enforce multi-factor authentication across user and admin accounts.
- Review and strengthen password policies per NIST guidelines.
- Enhance process auditing for ongoing monitoring of credential cracking tools.
- Educate users on credential safety and password hygiene.
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1032 | Multi-factor Authentication | Use multi-factor authentication on all accounts and externally facing services to reduce credential theft risk. |
| M1027 | Password Policies | Implement strong password policies following NIST guidelines to make password cracking more difficult. |