{"description": "Enterprise techniques mitigated by Password Policies, ATT&CK mitigation M1027 (v1.1)", "name": "Password Policies (M1027)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1110", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.002", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.003", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110.004", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "comment": "The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.\n\nOrganizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1555.001", "comment": "The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": "Refer to NIST guidelines when creating password policies for master passwords. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1187", "comment": "Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1556", "comment": "Ensure that AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements. (Citation: store_pwd_rev_enc)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1556.005", "comment": "Ensure that AllowReversiblePasswordEncryption property is set to disabled unless there are application requirements. (Citation: store_pwd_rev_enc)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1601", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1601.001", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1601.002", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1599", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1599.001", "comment": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.005", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.007", "comment": "Ensure that root accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.008", "comment": "Ensure that root accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1201", "comment": "Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (C:\\Windows\\System32\\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages. (Citation: Microsoft Install Password Filter n.d)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1563", "comment": "Set and enforce secure password policies for accounts.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1563.001", "comment": "Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "comment": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1072", "comment": "Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "comment": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1558.002", "comment": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.003", "comment": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1558.004", "comment": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "comment": "Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "Establish an organizational policy that prohibits password storage in files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.002", "comment": "Do not store credentials within the Registry.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "Use strong passphrases for private keys to make cracking difficult.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "comment": "Set and enforce secure password policies for accounts.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1550.003", "comment": "Ensure that local administrator accounts have complex, unique passwords.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured.\n\nPolicies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.001", "comment": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "Implement and enforce strong password policies for domain accounts to ensure passwords are complex, unique, and regularly rotated. This reduces the likelihood of password guessing, credential stuffing, and other attack methods that rely on weak or static credentials.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.003", "comment": "Ensure that local administrator accounts have complex, unique passwords across all systems on the network.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated. (Citation: AWS - IAM Console Best Practices)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Password Policies", "color": "#66b1ff"}]}