Brute Force: Password Spraying

Adversaries may use a single password, or a small list of commonly used passwords, against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network, which avoids the account lockouts that would normally occur when brute forcing a single account with many passwords.[1]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]

In default environments, authentication attempts over LDAP and Kerberos are less likely to generate events than attempts over SMB, which produce the Windows "logon failure" event ID 4625.

ID: T1110.003
Sub-technique of:  T1110
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Contributors: John Strand; Microsoft Threat Intelligence Center (MSTIC)
Version: 1.4
Created: 11 February 2020
Last Modified: 16 October 2023

Procedure Examples

ID Name Description
G0007 APT28

APT28 has used a brute-force/password-spray tool that operated in two modes: in password-spraying mode it made approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[3][4] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.[5]

G0016 APT29

APT29 has conducted brute force password spray attacks.[6][7]

G0064 APT33

APT33 has used password spraying to gain access to target systems.[8][9]

S0606 Bad Rabbit

Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.[10]

G0114 Chimera

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.[11]

S0488 CrackMapExec

CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[12]

G1001 HEXANE

HEXANE has used password spraying attacks to obtain valid credentials.[13]

G0032 Lazarus Group

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[14][15]

G0077 Leafminer

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[16]

S0362 Linux Rabbit

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.[17]

S0413 MailSniper

MailSniper can be used for password spraying against Exchange and Office 365.[18]

G0122 Silent Librarian

Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.[19]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[20]
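The lockout arithmetic behind the technique description at the top of the page and behind the trade-off stated for M1036 can be worked through in a small simulation. The following is an added example written for this page, not code from ATT&CK or from any tool listed under Procedure Examples; the directory contents (`CONSTRUCTED_CREDENTIALS`), the spray and brute-force word lists, the 30-minute observation window and the lockout thresholds are all constructed assumptions.

```python
"""Simulation of password spraying against a directory with an account
lockout policy. Added example, not code from the ATT&CK page or any listed
tool; account names, passwords and policy values are constructed."""
from collections import defaultdict


class AccountStore:
    """Minimal model of a directory with an account lockout policy.

    lockout_threshold: failures inside the observation window that lock the
    account; observation_window: seconds after which a failure stops counting.
    Locked accounts stay locked (lockout duration is not modeled).
    """

    def __init__(self, credentials, lockout_threshold, observation_window):
        self.credentials = dict(credentials)
        self.threshold = lockout_threshold
        self.window = observation_window
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked = set()

    def authenticate(self, user, password, now):
        if user not in self.credentials:
            return "no_such_user"
        if user in self.locked:
            return "locked"
        # Failures older than the observation window no longer count.
        recent = [t for t in self.failures[user] if now - t < self.window]
        if self.credentials[user] == password:
            self.failures[user] = []
            return "success"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked.add(user)
            return "locked"
        return "failure"


def brute_force_single_account(store, user, wordlist, attempt_gap=1):
    """Classic brute force: many passwords against one account, back to back."""
    now = 0
    for attempts, password in enumerate(wordlist, start=1):
        result = store.authenticate(user, password, now)
        if result == "success":
            return {"found": password, "locked": False, "attempts": attempts}
        if result == "locked":
            return {"found": None, "locked": True, "attempts": attempts}
        now += attempt_gap
    return {"found": None, "locked": False, "attempts": len(wordlist)}


def password_spray(store, users, passwords, attempt_gap=1, round_gap=0):
    """Spray: one password against every account per round. round_gap is the
    pause between rounds; setting it to the observation window lets each
    account's failure counter reset before the next guess arrives."""
    found, now = {}, 0
    for password in passwords:
        for user in users:
            if user in found:
                continue  # already compromised, no need to touch it again
            if store.authenticate(user, password, now) == "success":
                found[user] = password
            now += attempt_gap
        now += round_gap
    return {"found": found, "locked": sorted(store.locked)}


# Constructed directory: 20 accounts, three of which use passwords that
# appear on common spray lists.
CONSTRUCTED_CREDENTIALS = {f"user{i:02d}": f"unique-secret-{i}" for i in range(1, 21)}
CONSTRUCTED_CREDENTIALS.update({"user03": "Winter2024!", "user11": "Password01", "user17": "Winter2024!"})
USERS = sorted(CONSTRUCTED_CREDENTIALS)
SPRAY_LIST = ["Password01", "Winter2024!", "Welcome1"]
BRUTE_LIST = ["123456", "password", "Welcome1", "letmein", "qwerty", "Password01", "Summer2024!", "Winter2024!"]
WINDOW = 30 * 60  # constructed 30-minute observation window


def run_scenarios():
    """Four runs against fresh directories; returns the outcome of each."""
    return {
        # 5-attempt threshold: brute forcing one account locks it on guess 5.
        "brute_force_threshold5": brute_force_single_account(
            AccountStore(CONSTRUCTED_CREDENTIALS, 5, WINDOW), "user03", BRUTE_LIST),
        # Same policy, three-password spray: weak accounts fall, nothing locks.
        "spray_threshold5": password_spray(
            AccountStore(CONSTRUCTED_CREDENTIALS, 5, WINDOW), USERS, SPRAY_LIST),
        # Strict 2-attempt threshold, unpaced spray: weak accounts still fall and
        # nearly everyone else is locked out (the denial-of-service outcome).
        "spray_threshold2_unpaced": password_spray(
            AccountStore(CONSTRUCTED_CREDENTIALS, 2, WINDOW), USERS, SPRAY_LIST),
        # Strict threshold, spray paced to the window: no lockouts at all.
        "spray_threshold2_paced": password_spray(
            AccountStore(CONSTRUCTED_CREDENTIALS, 2, WINDOW), USERS, SPRAY_LIST, round_gap=WINDOW),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The four runs show the shape of the problem: under a 5-attempt threshold the single-account brute force is locked out on its fifth guess while the three-password spray recovers the three weak accounts without locking anything; under a 2-attempt threshold the same unpaced spray still recovers those accounts and additionally locks the other 17, while a spray paced to the observation window (compare the roughly four attempts per hour per account attributed to APT28 above) locks nothing. A lockout policy raises the attacker's cost in time, not in probability of success, which is why it is listed next to multi-factor authentication and password policy rather than on its own.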

M1032 Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 Password Policies

Refer to NIST guidelines when creating password policies.[21]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs:[22]

  • Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
  • Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
  • All systems: "Audit Logon" (Success & Failure) for event ID 4648.[23]

DS0002 User Account User Account Authentication

Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.[23]
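As an added example for the two detection entries above (not code from ATT&CK or from any listed tool), the logic below runs over constructed authentication-failure events written in a simplified `timestamp key=value` form, keyed on the 4625 and 4771 event IDs listed above, and flags the spray signature: one source failing against many distinct accounts inside a short window with only a few failures per account. The event layout, IP addresses, account names and thresholds are all constructed assumptions; real events would arrive as EVTX/XML or from a SIEM carrying the same field names.

```python
"""Password-spray detection over Windows authentication-failure events.
Added example, not from the ATT&CK page; the log lines are constructed in a
simplified "timestamp key=value ..." form rather than native EVTX/XML."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event/status pairs treated as a wrong-password guess:
#   4625 with SubStatus 0xC000006A -> logon failure, bad password
#   4771 with Status 0x18          -> Kerberos pre-authentication failed
WRONG_PASSWORD = {("4625", "0xC000006A"), ("4771", "0x18")}


def parse_event(line):
    """Parse one constructed line into a dict; the timestamp becomes a datetime."""
    ts, _, rest = line.partition(" ")
    ev = dict(field.split("=", 1) for field in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_wrong_password(ev):
    code = ev.get("SubStatus") if ev["EventID"] == "4625" else ev.get("Status")
    return (ev["EventID"], code) in WRONG_PASSWORD


def failures_by_source(lines):
    """Group wrong-password failures by source IP, sorted by time. Kerberos
    events often carry IPv4-mapped IPv6 addresses (::ffff:a.b.c.d); normalize
    so NTLM and Kerberos failures from one host land in one bucket."""
    by_source = defaultdict(list)
    for ev in map(parse_event, lines):
        if not is_wrong_password(ev):
            continue
        src = ev["IpAddress"]
        if src.startswith("::ffff:"):
            src = src[len("::ffff:"):]
        by_source[src].append(ev)
    for evs in by_source.values():
        evs.sort(key=lambda e: e["ts"])
    return by_source


def summarize_sources(lines):
    """(distinct target accounts, total failures) per source IP."""
    return {src: (len({e["TargetUserName"] for e in evs}), len(evs))
            for src, evs in failures_by_source(lines).items()}


def detect_spray(lines, window=timedelta(minutes=10), min_accounts=10, max_per_account=3):
    """Flag a source that fails against many distinct accounts inside one window
    while hitting each account only a few times. One account with many failures
    is a classic brute force and is deliberately not flagged here."""
    alerts = []
    for src, evs in failures_by_source(lines).items():
        j = 0
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] < window:
                j += 1
            per_account = defaultdict(int)
            for e in evs[i:j]:
                per_account[e["TargetUserName"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts.append({"source": src, "distinct_accounts": len(per_account),
                               "failures": j - i, "window_start": evs[i]["ts"].isoformat(),
                               "window_end": evs[j - 1]["ts"].isoformat()})
                break  # one alert per source is enough for this example
    return alerts


def constructed_log():
    """Constructed sample: a spray, a single-account brute force, benign typos."""
    base = datetime(2024, 5, 14, 9, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    bad_pw = "Status=0xC000006D SubStatus=0xC000006A"
    lines = []
    # Spray from 203.0.113.7: one guess against twelve accounts, alternating
    # NTLM (4625) and Kerberos (4771, IPv4-mapped address) failures.
    for n in range(12):
        user = f"user{n + 1:02d}"
        if n % 2 == 0:
            lines.append(f"{stamp(n)} EventID=4625 TargetUserName={user} IpAddress=203.0.113.7 LogonType=3 {bad_pw}")
        else:
            lines.append(f"{stamp(n)} EventID=4771 TargetUserName={user} IpAddress=::ffff:203.0.113.7 Status=0x18")
    # Brute force from 198.51.100.9: thirty guesses against one account.
    lines += [f"{stamp(2 * n)} EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 LogonType=3 {bad_pw}"
              for n in range(30)]
    # Benign: carol mistypes twice, then logs on.
    lines += [f"{stamp(5)} EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=2 {bad_pw}",
              f"{stamp(9)} EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=2 {bad_pw}",
              f"{stamp(15)} EventID=4624 TargetUserName=carol IpAddress=10.0.0.5 LogonType=2"]
    # A failure against an already-locked account (0xC0000234) is not a guess.
    lines.append(f"{stamp(70)} EventID=4625 TargetUserName=bob IpAddress=198.51.100.9 LogonType=3 Status=0xC0000234 SubStatus=0xC0000234")
    return lines


if __name__ == "__main__":
    sample = constructed_log()
    print(summarize_sources(sample))
    print(detect_spray(sample))
```

Only the spraying source is reported: the brute-force host shows one account with thirty failures, which this rule intentionally leaves to a per-account threshold rule, and the benign host never reaches the distinct-account floor. In production the thresholds need tuning against the environment's normal failure rate, and the same grouping should also be done by source host name or by the target of a federated login, since the distributed, Kubernetes-backed spraying attributed to APT28 above spreads attempts across many source addresses precisely to stay under a per-IP count like this one.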

References