Brute Force: Password Guessing

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. [1]

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

ID: T1110.001
Sub-technique of:  T1110
Tactic: Credential Access
Platforms: AWS, Azure, Azure AD, GCP, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: User
Data Sources: Authentication logs, Office 365 account logs
Contributors: Microsoft Threat Intelligence Center (MSTIC)
Version: 1.1
Created: 11 February 2020
Last Modified: 19 October 2020

Procedure Examples

Name Description

APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[3]

China Chopper

China Chopper's server component can perform brute force password guessing against authentication portals.[4]


CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[5]


Emotet has been observed using a hard coded list of passwords to brute force user accounts. [6][7][8][9][10]


Pony has used a small dictionary of common passwords against a collected list of local accounts.[11]


SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [12]


Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[13][14]


Mitigation Description
Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.

Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Password Policies

Refer to NIST guidelines when creating password policies. [15]


Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.