Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
TECHNIQUES
Enterprise
Reconnaissance
Active Scanning
Gather Victim Host Information
Gather Victim Identity Information
Gather Victim Network Information
Gather Victim Org Information
Phishing for Information
Search Closed Sources
Search Open Technical Databases
Search Open Websites/Domains
Resource Development
Acquire Infrastructure
Compromise Accounts
Compromise Infrastructure
Develop Capabilities
Establish Accounts
Obtain Capabilities
Initial Access
Phishing
Supply Chain Compromise
Valid Accounts
Execution
Command and Scripting Interpreter
Inter-Process Communication
Scheduled Task/Job
System Services
User Execution
Persistence
Account Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create Account
Create or Modify System Process
Event Triggered Execution
Hijack Execution Flow
Office Application Startup
Pre-OS Boot
Scheduled Task/Job
Server Software Component
Traffic Signaling
Valid Accounts
Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
Boot or Logon Autostart Execution
Boot or Logon Initialization Scripts
Create or Modify System Process
Domain Policy Modification
Event Triggered Execution
Hijack Execution Flow
Process Injection
Scheduled Task/Job
Valid Accounts
Defense Evasion
Abuse Elevation Control Mechanism
Access Token Manipulation
Domain Policy Modification
Execution Guardrails
File and Directory Permissions Modification
Hide Artifacts
Hijack Execution Flow
Impair Defenses
Indicator Removal on Host
Masquerading
Modify Authentication Process
Modify Cloud Compute Infrastructure
Modify System Image
Network Boundary Bridging
Obfuscated Files or Information
Pre-OS Boot
Process Injection
Signed Binary Proxy Execution
Signed Script Proxy Execution
Subvert Trust Controls
Traffic Signaling
Trusted Developer Utilities Proxy Execution
Use Alternate Authentication Material
Valid Accounts
Virtualization/Sandbox Evasion
Weaken Encryption
Credential Access
Brute Force
Credentials from Password Stores
Forge Web Credentials
Input Capture
Man-in-the-Middle
Modify Authentication Process
OS Credential Dumping
Steal or Forge Kerberos Tickets
Unsecured Credentials
Discovery
Account Discovery
Permission Groups Discovery
Software Discovery
Virtualization/Sandbox Evasion
Lateral Movement
Remote Service Session Hijacking
Remote Services
Use Alternate Authentication Material
Collection
Archive Collected Data
Data from Configuration Repository
Data from Information Repositories
Data Staged
Email Collection
Input Capture
Man-in-the-Middle
Command and Control
Application Layer Protocol
Data Encoding
Data Obfuscation
Dynamic Resolution
Encrypted Channel
Proxy
Traffic Signaling
Web Service
Exfiltration
Automated Exfiltration
Exfiltration Over Alternative Protocol
Exfiltration Over Other Network Medium
Exfiltration Over Physical Medium
Exfiltration Over Web Service
Impact
Data Manipulation
Defacement
Disk Wipe
Endpoint Denial of Service
Network Denial of Service
Mobile
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Command and Control
Exfiltration
Impact
Network Effects
Remote Service Effects
  1. Home
  2. Techniques
  3. Enterprise
  4. Brute Force
  5. Password Spraying

Brute Force: Password Spraying

ID Name
T1110.001 Password Guessing
T1110.002 Password Cracking
T1110.003 Password Spraying
T1110.004 Credential Stuffing

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. [1]

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

ID: T1110.003
Sub-technique of:  T1110
Tactic: Credential Access
Platforms: AWS, Azure, Azure AD, GCP, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: User
Data Sources: Authentication logs, Office 365 account logs
CAPEC ID: CAPEC-565
Contributors: John Strand; Microsoft Threat Intelligence Center (MSTIC)
Version: 1.1
Created: 11 February 2020
Last Modified: 19 October 2020

Procedure Examples

Name Description
APT28

APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.[3]
APT33

APT33 has used password spraying to gain access to target systems.[4][5]
CrackMapExec

CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[6]
Lazarus Group

Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.[7][8]
Leafminer

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.[9]
Linux Rabbit

Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. [10]
MailSniper

MailSniper can be used for password spraying against Exchange and Office 365.[11]

Mitigations

Mitigation Description
Account Use Policies

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.
Multi-factor Authentication

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Password Policies

Refer to NIST guidelines when creating password policies. [12]

Detection

Monitor authentication logs for system and application login failures of Valid Accounts. Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.

Consider the following event IDs:[13]

  • Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.
  • Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.
  • All systems: "Audit Logon" (Success & Failure) for event ID 4648.

References

  1. Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.
  2. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
  3. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.
  4. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  5. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  6. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  7. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  2. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  3. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.
  4. Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019.
  5. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019.
  6. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.