1. Home
  2. Techniques
  3. Enterprise
  4. Brute Force
  5. Password Guessing

Brute Force: Password Guessing

ID Name
T1110.001 Password Guessing
T1110.002 Password Cracking
T1110.003 Password Spraying
T1110.004 Credential Stuffing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. [1]

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)
  • SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]. Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi-router(s) via wireless authentication protocols.[3]

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

ID: T1110.001
Sub-technique of:  T1110
Tactic: Credential Access
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS
Contributors: Microsoft Threat Intelligence Center (MSTIC); Mohamed Kmal
Version: 1.6
Created: 11 February 2020
Last Modified: 14 October 2024
Version Permalink

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[4] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.[5]
G0016 APT29

APT29 has successfully conducted password guessing attacks against a list of mailboxes.[6]
S0020 China Chopper

China Chopper's server component can perform brute force password guessing against authentication portals.[7]
S0488 CrackMapExec

CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[8]
S0367 Emotet

Emotet has been observed using a hard coded list of passwords to brute force user accounts. [9][10][11][12][13][14]
S0698 HermeticWizard

HermeticWizard can use a list of hardcoded credentials in attempt to authenticate to SMB shares.[15]
S0532 Lucifer

Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.[16]
S0598 P.A.S. Webshell

P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[17]
S0453 Pony

Pony has used a small dictionary of common passwords against a collected list of local accounts.[18]

S0374 SpeakUp

SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [19]
S0341 Xbash

Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[20][21]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[22] Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.[23]
M1032 Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
M1027 Password Policies

Refer to NIST guidelines when creating password policies. [24]
M1051 Update Software

Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[25]
DS0002 User Account User Account Authentication

Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts.[25]

Analytic 1 - Multiple failed logon attempts across different accounts.

(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user")

References

  1. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  2. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
  3. Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.
  4. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  5. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  6. Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  7. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  8. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  9. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.
  10. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  11. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
  12. Mclellan, M.. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
  13. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019.
  1. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  2. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  3. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  4. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  5. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  6. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  7. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  8. Trend Micro. (2018, September 19). New Multi-Platform Xbash Packs Obfuscation, Ransomware, Coinminer, Worm and Botnet. Retrieved June 4, 2019.
  9. Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.
  10. Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024.
  11. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
  12. Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023.