Brute Force: Password Spraying

Adversaries may use a single password, or a small list of commonly used passwords, against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.[1]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]

To stay below detection thresholds, adversaries may deliberately throttle password spraying attempts so that they do not trigger security alerting. Additionally, adversaries may leverage LDAP and Kerberos authentication attempts, which are less likely to trigger high-visibility events such as Windows "logon failure" event ID 4625, which is commonly triggered by failed SMB connection attempts.[3]

ID: T1110.003
Sub-technique of: T1110
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, Network Devices, Office Suite, SaaS, Windows, macOS
Contributors: John Strand; Microsoft Threat Intelligence Center (MSTIC)
Version: 1.8
Created: 11 February 2020
Last Modified: 24 October 2025

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G1030 | Agrius | Agrius engaged in password spraying via SMB in victim environments.[4] |
| G0007 | APT28 | APT28 has used brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[5][6] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.[7] |
| C0051 | APT28 Nearest Neighbor Campaign | During APT28 Nearest Neighbor Campaign, APT28 performed password-spray attacks against public facing services to validate credentials.[8] |
| G0016 | APT29 | APT29 has conducted brute force password spray attacks.[9][10][11] |
| G0064 | APT33 | APT33 has used password spraying to gain access to target systems.[12][13] |
| S0606 | Bad Rabbit | Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[14] |
| G0114 | Chimera | Chimera has used multiple password spraying attacks against victims' remote services to obtain valid user and administrator accounts.[15] |
| S0488 | CrackMapExec | CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[16] |
| G1003 | Ember Bear | Ember Bear has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.[17] |
| G0125 | HAFNIUM | HAFNIUM has gained initial access through password spray attacks.[18] |
| G1001 | HEXANE | HEXANE has used password spraying attacks to obtain valid credentials.[19] |
| G0032 | Lazarus Group | Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[20][21] |
| G0077 | Leafminer | Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[22] |
| S0362 | Linux Rabbit | Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.[23] |
| S0413 | MailSniper | MailSniper can be used for password spraying against Exchange and Office 365.[24] |
| C0055 | Quad7 Activity | Quad7 Activity has conducted a throttled variant of password spraying techniques that only utilized a single attempt to sign in within a 24-hour time period, eluding brute force detection thresholds.[3] |
| G0122 | Silent Librarian | Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.[25] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[26] Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.[27] |
| M1032 | Multi-factor Authentication | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies.[28] |

Detection Strategy

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0487 | Distributed Password Spraying via Authentication Failures Across Multiple Accounts | AN1336 | A high volume of authentication failures using a single password (or small set) across many different user accounts within a defined time window |
| | | AN1337 | Authentication failures across different accounts using a repeated or similar password via SSH or the PAM stack within a short window |
| | | AN1338 | Multiple failed login attempts across different users using common password patterns (e.g., 'Welcome2023') |
| | | AN1339 | Sign-in failures across enterprise SSO applications or SaaS platforms from the same IP address using the same password against multiple user identities |
| | | AN1340 | Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts |
| | | AN1341 | Repeated failed authentication attempts to container APIs, control planes, or login shells across many user names using the same password |
| | | AN1342 | Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute attempts) |
| | | AN1343 | SaaS applications receiving authentication failures for dozens of accounts using the same password or login signature |
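
The analytics listed above, combined with the throttling described earlier, as an added example (not MITRE's or any vendor's code): a sliding-window detector that flags a source whose failed logons touch many distinct accounts, run with a short window and a 24-hour lookback to show which spray each one catches. The event fields (`ts`, `src`, `user`, `ok`), the thresholds and the sample events are assumptions constructed for illustration; distinct accounts per source is used as a proxy on the assumption that the log does not record the attempted password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, src, user, ok=False):
    # One normalized authentication event (field names are assumptions).
    return {"ts": datetime.fromisoformat(ts), "src": src, "user": user, "ok": ok}

# Constructed sample events, not real logs.
FAST = [_ev(f"2025-01-06T09:00:{i * 10:02d}", "203.0.113.10", f"user{i}") for i in range(6)]
SLOW = [_ev(f"2025-01-06T{i * 4:02d}:00:00", "198.51.100.7", f"user{i}") for i in range(6)]
TYPO = [_ev(f"2025-01-06T10:0{i}:00", "192.0.2.50", "alice") for i in range(5)]
EVENTS = FAST + SLOW + TYPO + [_ev("2025-01-06T10:06:00", "192.0.2.50", "alice", ok=True)]

def spray_sources(events, window, min_accounts):
    """Map each source to the accounts it failed against, if failures from that
    source hit >= min_accounts distinct accounts inside any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:                      # only failed logons count
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1                   # drop failures older than the window
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged

def throttled_sources(events, short, long, min_accounts):
    """Sources the short window misses but the long lookback catches."""
    return sorted(set(spray_sources(events, long, min_accounts))
                  - set(spray_sources(events, short, min_accounts)))

if __name__ == "__main__":
    print(spray_sources(EVENTS, timedelta(minutes=10), 5))
    print(throttled_sources(EVENTS, timedelta(minutes=10), timedelta(hours=24), 5))
```

Repeated failures against a single account (the `alice` events) are never flagged, because the signal is the number of distinct accounts, not the number of failures. Grouping by source address alone will not see a spray distributed across many sources.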

References

  1. Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.
  2. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
  3. Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
  4. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  5. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  6. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  7. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  8. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  9. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021.
  10. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.
  11. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  12. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  13. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  14. Mamedov, O. Sinitsyn, F. Ivanov, A. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  15. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
  16. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  17. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  18. Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  19. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
  20. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  21. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  22. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  23. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  24. Bullock, B. (2018, November 20). MailSniper. Retrieved October 4, 2019.
  25. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
  26. Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023.
  27. Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024.
  28. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.