T1110.003: Password Spraying
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
sap_attack_detection: PT-CR-150: SAPASABAP_Bultin_Accounts_Probing: Attempts to log in with built-in accounts bruteforce: PT-CR-994: Gitlab_Password_Spraying: Password spraying in the GitLab version control system. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2168: FreeIPA_Password_Spraying: Password spraying in the FreeIPA domain. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2509: Exchange_Password_Spraying: Password spraying in Exchange. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2387: ADFS_Password_Spraying: Password spraying via AD FS. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2575: IIS_Web_Application_Password_Spraying: Password spraying in an IIS web server web application on a Windows host. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1849: Mikrotik_RouterOS_Password_Spraying: Password spraying for a MikroTik network device. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2364: Aria_Operations_Password_Spraying: Password spraying in Aria Operations. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-887: Windows_Password_Spraying: Password spraying on a Windows host. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1025: Unix_SSH_Password_Spraying: Password spraying via SSH. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2582: Citrix_NS_ADC_Password_Spraying: Password spraying in Citrix NetScaler ADC. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1707: Password_Spraying: Password spraying in different applications. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2507: Exchange_IMAP_POP_Password_Spraying: Password spraying in Exchange via IMAP or POP. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2365: AOFL_Password_Spraying: Password spraying in Aria Operations for Logs. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1365: IIS_Password_Spraying: Password spraying on the Internet Information Services web server. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1337: OpenVPN_Password_Spraying: Password spraying in OpenVPN. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2122: Subrule_SSHGuard: User is unable to login into the system bruteforce: PT-CR-2517: Infowatch_TM_Password_Spraying: Password spraying in InfoWatch TM. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2132: Hashicorp_Vault_Password_Spraying: Password spraying in Vault. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-906: LyncSmash_Use: Bruteforcing attempts for Skype accounts using LyncSmash bruteforce: PT-CR-1973: SSHGuard_Spraying: Password spraying. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2320: Eltex_Password_Spraying: Password spraying for an Eltex network device. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1944: MongoDB_Password_Spraying: Password spraying in MongoDB. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-992: Artifactory_Password_Spraying: Password spraying in the Artifactory data storage system. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2420: NGate_Password_Spraying: Password spraying in the CryptoPro NGate control panel. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2058: Zabbix_Password_Spraying: Password spraying in Zabbix. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2464: ViPNet_IDS_Password_Spraying: Password spraying for a ViPNet IDS device. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-2286: UEM_SafeMobile_Password_Spraying: Password spraying in the GitLab version control system. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. active_directory_attacks: PT-CR-656: Failed_Network_Access_With_Unknown_User: A user failed to log in to a host running Windows on behalf of a disabled or non-existent account. This may indicate account bruteforcing or compromised credentials.
Detection
| ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | Monitor authentication logs for system and application login failures of Valid Accounts. Consider the following event IDs: Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625. Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771. All systems: "Audit Logon" (Success & Failure) for event ID 4648. |
|---|
| ID | DS0002 | Data source and component | User Account: User Account Authentication | Description | Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. |
|---|
Mitigation
| ID | M1027 | Name | Password Policies | Description | Refer to NIST guidelines when creating password policies. |
|---|
| ID | M1036 | Name | Account Use Policies | Description | Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges. |
|---|
| ID | M1032 | Name | Multi-factor Authentication | Description | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
|---|