T1110.001: Password Guessing
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
- SNMP (161/UDP and 162/TCP/UDP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365. Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible Wi-Fi routers via wireless authentication protocols.
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which produce the Windows "logon failure" event ID 4625.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- enterprise_1c_and_bitrix: PT-CR-679: Enterprise_1C_User_Locked_Too_Many_Logons: A user was locked after multiple login failures
- pt_application_firewall: PT-CR-1911: PTAF_Bulk_Failed_Logins: PT AF detected multiple failed authentication attempts
- pt_application_firewall: PT-CR-2079: PTAF_BruteForce_Detected: PT AF blocked a bruteforce attack on a web application
- it_bastion: PT-CR-2174: SKDPUNT_Login_Failure: An SKDPU NT authentication error incident is registered
- sap_attack_detection: PT-CR-149: SAPASABAP_Account_Bruteforce: Guessing of a user account password
- network_devices_abnormal_activity: PT-CR-627: Possible_SNMP_Bruteforce_Different_Hosts: Possible bruteforce of an SNMP community string
- network_devices_abnormal_activity: PT-CR-474: Possible_SNMP_Bruteforce_Single_Host: Possible bruteforce of an SNMP community string
- zabbix: PT-CR-2047: Zabbix_Logon_Same_User_From_Different_Terminals: A user logged in to Zabbix several times from different hosts. This could be an attacker's attempt to escalate privileges.
- freeipa: PT-CR-1960: FreeIPA_User_Locked_Too_Many_Logons: A user was locked after multiple failed attempts to log in
- sap_java_suspicious_user_activity: PT-CR-537: SAPASJAVA_Failed_Logon_Of_Same_User_From_Different_Terminals: Multiple attempts to log in from different terminals are detected
- bruteforce: PT-CR-2169: FreeIPA_Password_Brute: Password bruteforcing in the FreeIPA domain
- bruteforce: PT-CR-2390: Arista_EOS_Password_Brute: Password bruteforcing for accounts for an Arista network device
- bruteforce: PT-CR-2092: Apache_cassandra_password_brute: Password bruteforcing for Apache Cassandra accounts
- bruteforce: PT-CR-995: TeamPass_Password_Brute: Password bruteforcing for TeamPass accounts
- bruteforce: PT-CR-2581: Citrix_NS_ADC_Password_Brute: Password bruteforcing for Citrix NetScaler ADC accounts
- bruteforce: PT-CR-2574: IIS_Web_Application_Password_Brute: Password bruteforcing for IIS web server web application accounts on a Windows host
- bruteforce: PT-CR-993: Gitlab_Password_Brute: Password bruteforcing for GitLab accounts
- bruteforce: PT-CR-886: Windows_Password_Brute: Password bruteforcing for Windows accounts
- bruteforce: PT-CR-2363: AOFL_Password_Bruteforce: Password bruteforcing in Aria Operations for Logs
- bruteforce: PT-CR-2710: Postfix_SASL_Brute: Password bruteforcing for Postfix accounts
- bruteforce: PT-CR-1708: Password_Brute: Password bruteforcing for accounts in various applications
- bruteforce: PT-CR-1923: PTAF_Password_Brute: Password bruteforcing for PT AF accounts
- bruteforce: PT-CR-1024: Unix_SSH_Password_Brute: Password bruteforcing for accounts via SSH
- bruteforce: PT-CR-2122: Subrule_SSHGuard: User is unable to log in to the system
- bruteforce: PT-CR-1714: Windows_Ticket_Brute: Multiple errors when trying to obtain a Kerberos TGT
- bruteforce: PT-CR-1968: SSHGuard_Bruteforce: Password bruteforcing for an account
- bruteforce: PT-CR-1992: Multifactor_2FA_Password_Bruteforce: Password bruteforcing to confirm the second authentication factor
- bruteforce: PT-CR-2071: DrWeb_Password_Brute: Password bruteforcing for accounts to log in to the Dr.Web management server
- bruteforce: PT-CR-1002: MSSQL_Password_Brute: Password bruteforcing for Microsoft SQL Server accounts
- bruteforce: PT-CR-2326: Grafana_Password_Brute: Password bruteforcing for a Grafana account
- bruteforce: PT-CR-2419: NGate_Password_Brute: Password bruteforcing for accounts in the CryptoPro NGate control panel
- bruteforce: PT-CR-991: Artifactory_Password_Brute: Password bruteforcing for Artifactory accounts
- bruteforce: PT-CR-2367: Aria_Operations_Admin_Panel_Password_Bruteforce: Password bruteforcing in the Aria Operations administration interface
- bruteforce: PT-CR-1710: Cisco_FW_Password_Brute: Password bruteforcing for accounts for a Cisco firewall
- bruteforce: PT-CR-2518: Infowatch_TM_Password_Brute: Password bruteforcing for InfoWatch TM accounts
- bruteforce: PT-CR-2319: Eltex_Password_Brute: Password bruteforcing for accounts for an Eltex network device
- bruteforce: PT-CR-2285: UEM_SafeMobile_Password_Brute: Password bruteforcing for UEM SafeMobile accounts
- bruteforce: PT-CR-1011: Bruteforce_Sensitive_Users: Password bruteforcing for sensitive accounts from the Sensitive_Users tabular list
- bruteforce: PT-CR-2240: Acronis_Password_Brute: Password bruteforcing for Acronis accounts
- bruteforce: PT-CR-2386: ADFS_Password_Brute: Password bruteforcing for domain accounts with access to web applications integrated with Active Directory Federation Service (AD FS)
- bruteforce: PT-CR-2016: SecretNet_Password_Brute: Password bruteforcing for accounts in different applications
- bruteforce: PT-CR-1943: MongoDB_Password_Brute: Password bruteforcing for MongoDB server accounts
- bruteforce: PT-CR-2510: Exchange_Password_Brute: Password bruteforcing for Exchange accounts
- bruteforce: PT-CR-1823: PostgreSQL_Password_Brute: Password bruteforcing for PostgreSQL accounts. If successful, data stored in the database may be compromised.
- bruteforce: PT-CR-1709: Cisco_IOS_Password_Brute: Password bruteforcing for accounts for a Cisco network device
- bruteforce: PT-CR-2366: Aria_Operations_Password_Bruteforce: Password bruteforcing in Aria Operations
- bruteforce: PT-CR-1850: Mikrotik_RouterOS_Password_Brute: Password bruteforcing for accounts for a MikroTik network device
- bruteforce: PT-CR-2057: Zabbix_Password_Brute: Password bruteforcing for Zabbix accounts
- bruteforce: PT-CR-2131: Hashicorp_Vault_Password_Brute: Password bruteforcing for a Vault account
- bruteforce: PT-CR-1338: OpenVPN_Password_Brute: Password bruteforcing for OpenVPN accounts
- bruteforce: PT-CR-2506: Exchange_IMAP_POP_Password_Brute: Password bruteforcing for Exchange accounts via IMAP or POP
- bruteforce: PT-CR-2463: ViPNet_IDS_Password_Brute: Password bruteforcing for accounts for a ViPNet IDS device
- active_directory_attacks: PT-CR-656: Failed_Network_Access_With_Unknown_User: A user failed to log in to a host running Windows on behalf of a disabled or non-existent account. This may indicate account bruteforcing or compromised credentials.
- redis: PT-CR-1989: Redis_Bruteforce: Password bruteforcing on the Redis server
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0002 | User Account: User Account Authentication | Monitor for many failed authentication attempts across various accounts that may result from password guessing attempts. |
| DS0015 | Application Log: Application Log Content | Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. |
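As an added example (not from this page and not a MaxPatrol SIEM rule), the DS0002 logic applied to constructed sshd-style log lines: failed logins are counted per source and account in a sliding time window, and a success that follows a flagged burst is raised as a separate, higher-priority alert. The log format, threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (not real data); syslog timestamps carry no year.
SAMPLE_LOG = """\
Jan 10 08:00:01 host1 sshd[101]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Jan 10 08:00:02 host1 sshd[102]: Failed password for admin from 203.0.113.5 port 50002 ssh2
Jan 10 08:00:04 host1 sshd[103]: Failed password for admin from 203.0.113.5 port 50003 ssh2
Jan 10 08:00:05 host1 sshd[104]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Jan 10 08:00:06 host1 sshd[105]: Failed password for invalid user test from 203.0.113.5 port 50005 ssh2
Jan 10 08:00:07 host1 sshd[106]: Accepted password for admin from 203.0.113.5 port 50006 ssh2
Jan 10 08:30:00 host1 sshd[107]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 10 08:45:00 host1 sshd[108]: Failed password for alice from 198.51.100.7 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, src), or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_guessing(log_text, threshold=4, window_s=60):
    """Alert once per (src, user) at `threshold` failures in `window_s` seconds, and again on a later success."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key, q = (src, user), recent[(src, user)]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have fallen out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("guessing", src, user, len(q)))
        elif key in alerted:  # success after a flagged burst: highest-priority signal
            alerts.append(("success_after_guessing", src, user, len(q)))
    return alerts
```

The two alice failures are 15 minutes apart, so the first has expired by the time the second arrives and no alert is raised for that pair.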
Mitigation
| ID | Name | Description |
|---|---|---|
| M1051 | Update Software | Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords. |
| M1032 | Multi-factor Authentication | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1027 | Password Policies | Refer to NIST guidelines when creating password policies. |
| M1036 | Account Use Policies | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. |