Technique on mitre.org

T1110.004: Credential Stuffing

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

bruteforce: PT-CR-887: Windows_Password_Spraying: Password spraying on a Windows host. Password spraying is a type of brute-force attack in which an attacker tries the most popular passwords sequentially for each user, which helps avoid blocking the accounts of the attacked users. bruteforce: PT-CR-1714: Windows_Ticket_Brute: Multiple errors when trying to obtain a Kerberos TGT

Detection

ID	DS0002	Data source and component	User Account: User Account Authentication	Description	Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

ID	Data source and component	Description
DS0002	User Account: User Account Authentication	Monitor for many failed authentication attempts across various accounts that may result from credential stuffing attempts.
DS0015	Application Log: Application Log Content	Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.

Mitigation

ID	M1018	Name	User Account Management	Description	Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.

ID	M1027	Name	Password Policies	Description	Refer to NIST guidelines when creating password policies.

ID	M1032	Name	Multi-factor Authentication	Description	Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

ID	M1036	Name	Account Use Policies	Description	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.

ID	Name	Description
M1018	User Account Management	Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
M1027	Password Policies	Refer to NIST guidelines when creating password policies.
M1032	Multi-factor Authentication	Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
M1036	Account Use Policies	Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.