Brute Force: Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[1]

ID: T1110.004
Sub-technique of:  T1110
Platforms: Containers, IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS
Contributors: Anastasios Pingios; Diogo Fernandes
Version: 1.6
Created: 11 February 2020
Last Modified: 14 October 2024

Procedure Examples

ID Name Description
G0114 Chimera

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.[2]

S0266 TrickBot

TrickBot uses brute-force attack against RDP with rdpscanDll module.[3][4]

Mitigations

ID Mitigation Description
M1036 Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.[5] Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.[6]

M1032 Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

M1027 Password Policies

Refer to NIST guidelines when creating password policies. [7]

M1018 User Account Management

Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.[8]

DS0002 User Account User Account Authentication

Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.[8]

Analytic 1 - Multiple failed logon attempts across different accounts, especially using commonly used passwords.

(index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user") | where match(Password, "(?i)(Password123|Password1|123456|12345678|qwerty|abc123|letmein|welcome|monkey|admin|login|pass|guest|root)")

References