T1110: Brute Force

Data from MITRE ATT&CK®:

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Password Policies

Set and enforce secure password policies for accounts.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Application Log Content (Application Log)

Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

User Account Authentication (User Account)

An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)

Cisco BGP Authentication Failures

cisco

User Access Blocked by Azure Conditional Access

azure

Account Lockout

azure

HackTool - Hydra Password Bruteforce Execution

windows process creation

Potential MFA Bypass Using Legacy Client Authentication

azure

MSSQL Server Failed Logon From External Network

windows

Juniper BGP Missing MD5

juniper

Hack Tool User Agent

proxy

Bitbucket User Login Failure

bitbucket

Password Spray Activity

azure

Bitbucket User Login Failure Via SSH

bitbucket

Failed Authentications From Countries You Do Not Operate Out Of

azure

External Remote RDP Logon from Public IP

windows

Successful Authentications From Countries You Do Not Operate Out Of

azure

HackTool - CrackMapExec Execution

windows process creation

MSSQL Server Failed Logon

windows

External Remote SMB Logon from Public IP

windows

Cisco LDP Authentication Failures

cisco

Multifactor Authentication Denied

azure

Use of Legacy Authentication Protocols

azure

Multifactor Authentication Interrupted

azure

Huawei BGP Authentication Failures

huawei

NTLM Brute Force

windows

Sign-in Failure Due to Conditional Access Requirements Not Met

azure