Full Report
Carrie Roberts // A tool to generate password usage statics in a Windows domain based on hashes dumped from a domain controller. The Domain Password Audit Tool (DPAT) is a […] The post Domain Password Audit Tool appeared first on Black Hills Information Security, Inc..
Analysis Summary
# Tool/Technique: Domain Password Audit Tool (DPAT)
## Overview
The Domain Password Audit Tool (DPAT) is a Python script designed to generate password usage statistics within a Windows domain environment. It analyzes password hashes (often obtained via dumping a domain controller) in combination with a list of cracked passwords (e.g., output from tools like oclHashcat) to help understand password strength and identify security issues related to password usage.
## Technical Details
- Type: Tool
- Platform: Windows (used to analyze data from Windows Domain Controllers)
- Capabilities: Generates interactive HTML reports detailing password usage statistics; includes an option for a sanitized report version.
- First Seen: December 1, 2016 (based on article date)
## MITRE ATT&CK Mapping
This tool facilitates reconnaissance and credential access phases post-exploitation, specifically targeting weak password hygiene.
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Indirectly, as it uses hashes dumped from a DC)
- T1110 - Brute Force (Indirectly, as it analyzes the results of password cracking efforts)
- **TA0001 - Initial Access** (If used in conjunction with credential theft)
- **TA0007 - Discovery**
- T1087 - Account Discovery (By processing user account data derived from hashes)
## Functionality
### Core Capabilities
- Analyzes password hashes dumped from a Domain Controller.
- Correlates hashes with a list of cracked passwords.
- Generates comprehensive, interactive HTML reports on password usage statistics.
### Advanced Features
- Option to generate a sanitized version of the generated report, presumably for reduced exposure of sensitive data during reporting.
## Indicators of Compromise
- File Hashes: N/A (Tool/Script)
- File Names: N/A (It is a script, execution artifacts depend on the environment/cracker used)
- Registry Keys: N/A
- Network Indicators: N/A (This is an offline analysis tool)
- Behavioral Indicators: Execution is dependent on the analyst/attacker running the script, followed by the execution of a password cracking tool like oclHashcat.
## Associated Threat Actors
The context provided does not explicitly name threat actors using this tool. It is presented as a resource for Red Team validation and Blue Team auditing purposes (published by Black Hills Information Security).
## Detection Methods
Since this is an analysis tool primarily used post-exploitation or during audit phases, detection focuses on the execution chain:
- **Signature-based detection:** Signatures can be developed for the specific Python script file name or associated output files if patterns are known.
- **Behavioral detection:** Detection of Python scripts executing tasks involving large lists of credentials or hashes, or the execution of tools like `oclHashcat` post-credential dumping.
- **YARA rules:** N/A
## Mitigation Strategies
- **Prevention measures:** Implement strong password policies, enforce multi-factor authentication (MFA), and ensure strict access controls to Domain Controllers to prevent hash dumping.
- **Hardening recommendations:** Utilize tools to audit password strength regularly, regardless of whether DPAT is used. Promptly enforce changes for any known weak or compromised credentials identified during audits.
## Related Tools/Techniques
- **oclHashcat:** Mentioned as a potential source for the cracked password list, which DPAT processes.
- **Mimikatz/LSASS Dumping Utilities:** Necessary predecessors to obtain the initial hash data DPAT analyzes.