Brute Force

Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.

Credential Dumping is used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. [1]

Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. [2]

A related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. [3]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[4]

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

ID: T1110
Tactic: Credential Access
Platform: Linux, macOS, Windows, Office 365, Azure AD, SaaS
Permissions Required: User
Data Sources: Office 365 account logs, Authentication logs
CAPEC ID: CAPEC-49
Contributors: Microsoft Threat Intelligence Center (MSTIC); John Strand; Ed Williams, Trustwave, SpiderLabs
Version: 2.0

Procedure Examples

Name Description
APT3

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[27]

APT33

APT33 has used password spraying to gain access to target systems.[28]

APT41

APT41 performed password brute-force attacks on the local admin account.[29]

Chaos

Chaos conducts brute force attacks against SSH services to gain initial access.[8]

China Chopper

China Chopper's server component can perform brute force password guessing against authentication portals.[18]

Dragonfly 2.0

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra.[22][23][24]

Emotet

Emotet has been observed using a hard coded list of passwords to brute force user accounts. [12][13][14][15][16]

Lazarus Group

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[25][26]

Leafminer

Leafminer used a tool called BruteForcer to perform a brute force attack.[20]

Linux Rabbit

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.[11]

MailSniper

MailSniper can be used for password spraying against Exchange and Office 365.[7]

Net Crawler

Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[2]

OilRig

OilRig has used brute force techniques to obtain credentials.[21]

PoshC2

PoshC2 has modules for brute forcing local administrator and AD user accounts.[6]

SpeakUp

SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels.[17]

Turla

Turla may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.[19]

Xbash

Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[9][10]

Mitigations

Mitigation Description
Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.

Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Password Policies

Refer to NIST guidelines when creating password policies.[5]

Detection

It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.

For password spraying consider the following[30]:

  • Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
  • Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
  • All systems: "Audit Logon" (Success & Failure) for event ID 4648.

References

  1. Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.
  2. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  3. Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.
  4. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
  5. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
  6. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  7. Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019.
  8. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  9. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  10. Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.
  11. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  12. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  13. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  14. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  15. Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
  1. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  2. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  3. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  4. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  5. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  6. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  7. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  8. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  9. Kali. (2014, February 18). THC-Hydra. Retrieved November 2, 2017.
  10. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  12. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  13. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  14. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  15. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.