As an attacker, password policies are extremely important to enumerate for performing both credential-based attacks such as password spraying.
Enumerate Password Policy
# Get Password Policy with CrackMapExec (Unauthenticated)cmesmb $dc -u''-p''# Get Password Policy with CrackMapExeccrackmapexecsmb $dc -u $username -p $password --pass-pol# Get Password Policy with Net Accountsnetaccounts# Enumerate the default password policy settings from the Default Domain Policy GPOGet-ADDefaultDomainPasswordPolicy
Fine-Grained Password Policy
# Enumerate all FGPPs configuredGet-ADFineGrainedPasswordPolicy-Filter*# Obtain the FGPP assigned to a specific userGet-ADUserResultantPasswordPolicy-Identityparzival# Obtain FGPP via WMICwmic /namespace:\\ROOT\directory\LDAP PATH ds_msds_passwordsettings GET DS_DisplayName, ds_msds_PasswordSettingsPrecedence, ds_msds_LockoutObservationWindow, ds_msds_LockoutDuration, ds_msds_LockoutThreshold, ds_msds_PSOAppliesTo
