T1110.001: Password Guessing

Data from MITRE ATT&CK®:

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

• SSH (22/TCP)
• Telnet (23/TCP)
• FTP (21/TCP)
• NetBIOS / SMB / Samba (139/TCP & 445/TCP)
• LDAP (389/TCP)
• Kerberos (88/TCP)
• RDP / Terminal Services (3389/TCP)
• HTTP/HTTP Management Services (80/TCP & 443/TCP)
• MSSQL (1433/TCP)
• Oracle (1521/TCP)
• MySQL (3306/TCP)
• VNC (5900/TCP)
• SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Password Policies

Set and enforce secure password policies for accounts.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

Update Software

Perform regular software updates to mitigate exploitation risk.

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

User Account Authentication (User Account)

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Password Brute User using Kerbrute Tool

windows

SUDO Brute Force - Debian

linux

ESXi - Brute Force Until Account Lockout

windows

SUDO Brute Force - FreeBSD

linux

SUDO Brute Force - Redhat

linux

Brute Force Credentials of single Azure AD user

azure-ad

Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)

windows

Brute Force Credentials of single Active Directory domain users via SMB

windows

Suspicious Rejected SMB Guest Logon From IP

windows

HackTool - Hydra Password Bruteforce Execution

windows process creation

Suspicious Connection to Remote Account

windows ps script