T1110.001: Password Guessing
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
- SNMP (161/UDP and 162/TCP/UDP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365. Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi router(s) via wireless authentication protocols.
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create the Windows "logon failure" event ID 4625.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- wallarm: PT-CR-2480: Wallarm_BruteForce_Detected: An attempted brute-force attack was detected by Wallarm
- zabbix: PT-CR-2047: Zabbix_Logon_Same_User_From_Different_Terminals: A user logged in to Zabbix several times from different hosts. This could be an attacker's attempt to escalate privileges.
- enterprise_1c_and_bitrix: PT-CR-679: Enterprise_1C_User_Locked_Too_Many_Logons: A user was locked after multiple login failures
- freeipa: PT-CR-1960: FreeIPA_User_Locked_Too_Many_Logons: A user was locked after multiple failed attempts to log in
- pt_application_firewall: PT-CR-1911: PTAF_Bulk_Failed_Logins: PT AF detected multiple failed authentication attempts
- pt_application_firewall: PT-CR-2079: PTAF_BruteForce_Detected: PT AF blocked a bruteforce attack on a web application
- sap_java_suspicious_user_activity: PT-CR-537: SAPASJAVA_Failed_Logon_Of_Same_User_From_Different_Terminals: Multiple attempts to log in from different terminals are detected
- network_devices_abnormal_activity: PT-CR-627: Possible_SNMP_Bruteforce_Different_Hosts: Possible bruteforce of an SNMP community string
- network_devices_abnormal_activity: PT-CR-474: Possible_SNMP_Bruteforce_Single_Host: Possible bruteforce of an SNMP community string
- redis: PT-CR-1989: Redis_Bruteforce: Password bruteforcing on the Redis server
- it_bastion: PT-CR-2174: SKDPUNT_Login_Failure: An SKDPU NT authentication error incident is registered
- sap_attack_detection: PT-CR-149: SAPASABAP_Account_Bruteforce: Guessing of a user account password
- bruteforce: PT-CR-991: Artifactory_Password_Brute: Password bruteforcing for Artifactory accounts
- bruteforce: PT-CR-2367: Aria_Operations_Admin_Panel_Password_Bruteforce: Password bruteforcing in the Aria Operations administration interface
- bruteforce: PT-CR-2122: Subrule_SSHGuard: User is unable to log in to the system
- bruteforce: PT-CR-2574: IIS_Web_Application_Password_Brute: Password bruteforcing for IIS web server web application accounts on a Windows host
- bruteforce: PT-CR-2326: Grafana_Password_Brute: Password bruteforcing for a Grafana account
- bruteforce: PT-CR-2510: Exchange_Password_Brute: Password bruteforcing for Exchange accounts
- bruteforce: PT-CR-2703: Elasticsearch_Password_Brute: Password bruteforcing for accounts to query the Elasticsearch database
- bruteforce: PT-CR-3145: Unix_FTP_Password_Brute: Password bruteforcing for FTP service accounts
- bruteforce: PT-CR-1714: Windows_Ticket_Brute: Multiple errors when trying to obtain a Kerberos TGT
- bruteforce: PT-CR-1024: Unix_SSH_Password_Brute: Password bruteforcing for accounts via SSH
- bruteforce: PT-CR-1002: MSSQL_Password_Brute: Password bruteforcing for Microsoft SQL Server accounts
- bruteforce: PT-CR-1338: OpenVPN_Password_Brute: Password bruteforcing for OpenVPN accounts
- bruteforce: PT-CR-1968: SSHGuard_Bruteforce: Password bruteforcing for an account
- bruteforce: PT-CR-3000: BAD_Password_Guessing: BAD module detected password guessing or password spraying
- bruteforce: PT-CR-995: TeamPass_Password_Brute: Password bruteforcing for TeamPass accounts
- bruteforce: PT-CR-1992: Multifactor_2FA_Password_Bruteforce: Password bruteforcing to confirm the second authentication factor
- bruteforce: PT-CR-886: Windows_Password_Brute: Password bruteforcing for Windows accounts
- bruteforce: PT-CR-993: Gitlab_Password_Brute: Password bruteforcing for GitLab accounts
- bruteforce: PT-CR-3132: Windows_SSH_FTP_Brute: Password bruteforcing for accounts using SSH or FTP services installed as Windows OS components
- bruteforce: PT-CR-1011: Bruteforce_Sensitive_Users: Password bruteforcing for sensitive accounts from the Sensitive_Users tabular list
- bruteforce: PT-CR-2710: Postfix_SASL_Brute: Password bruteforcing for Postfix accounts
- bruteforce: PT-CR-1710: Cisco_FW_Password_Brute: Password bruteforcing for accounts for a Cisco firewall
- capabilities_logon: PT-CR-1708: CAP_Password_Brute: Password bruteforcing for accounts in various applications
- active_directory_attacks: PT-CR-656: Failed_Access_With_Unknown_User: A user failed to log in to a host running Windows on behalf of one or multiple disabled or nonexistent accounts. This may indicate account bruteforcing or compromised credentials.
- active_directory_attacks: PT-CR-3081: MSA_Account_Obtain_Ticket: Kerberos TGT for a dMSA or gMSA was obtained in a suspicious manner (either by brute force or without reading the password). This may indicate a Golden dMSA or Golden gMSA attack, in which attackers generate passwords for managed service accounts offline using the ms-DS-ManagedPasswordId or ms-Kds-RootKeyData attributes.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0002 | User Account: User Account Authentication | Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts. |
| DS0015 | Application Log: Application Log Content | Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
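A small detection routine in the spirit of the DS0002 guidance above, added here as an example (it is not code from this page or from the MaxPatrol SIEM rules it lists): it groups logon-failure events by source address, counts failures inside a sliding five-minute window, and labels a burst as guessing (one account hit repeatedly) or spraying (many accounts). The field names and NTSTATUS codes mirror those of Windows event 4625, but the one-line "timestamp key=value" layout is an assumption made for the example, and the events themselves are constructed.

```python
"""Detect password-guessing bursts in Windows logon-failure (4625) events.
Added example, not code from the page or the MaxPatrol SIEM rules it lists;
the log lines are constructed sample data, not real Windows event output."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: 10.0.0.5 hammers one account (guessing), 10.0.0.9
# tries many accounts once each (spraying), 10.0.0.7 is a single benign typo.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2024-05-01T09:00:03 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2024-05-01T09:00:04 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2024-05-01T09:00:06 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2024-05-01T09:00:08 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006A
2024-05-01T09:01:00 EventID=4625 TargetUserName=bob IpAddress=10.0.0.9 Status=0xC000006A
2024-05-01T09:01:01 EventID=4625 TargetUserName=carol IpAddress=10.0.0.9 Status=0xC000006A
2024-05-01T09:01:02 EventID=4625 TargetUserName=dave IpAddress=10.0.0.9 Status=0xC000006A
2024-05-01T09:01:03 EventID=4625 TargetUserName=erin IpAddress=10.0.0.9 Status=0xC0000064
2024-05-01T09:01:04 EventID=4625 TargetUserName=frank IpAddress=10.0.0.9 Status=0xC000006A
2024-05-01T09:30:00 EventID=4625 TargetUserName=grace IpAddress=10.0.0.7 Status=0xC000006A
"""

def parse_events(text):
    """Parse the constructed lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def detect_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (failures, distinct_accounts, label)} for every source
    that produced at least `threshold` 4625 events inside one time window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4625":  # only logon failures count
            by_ip[ev["IpAddress"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                accounts = {e["TargetUserName"] for e in burst}
                # one account hit repeatedly = guessing; many accounts = spraying
                label = "spraying" if len(accounts) > len(burst) // 2 else "guessing"
                hits[ip] = (len(burst), len(accounts), label)
    return hits
```

Running `detect_bursts(parse_events(SAMPLE_EVENTS))` flags 10.0.0.5 as guessing and 10.0.0.9 as spraying while the single failure from 10.0.0.7 stays below the threshold; in production the threshold and window would be tuned against the lockout policy described under M1036.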
Mitigation
| ID | Name | Description |
|---|---|---|
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies. |
| M1032 | Multi-factor Authentication | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1036 | Account Use Policies | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. |
| M1051 | Update Software | Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |