Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:
SSH (22/TCP) Telnet (23/TCP) FTP (21/TCP) NetBIOS / SMB / Samba (139/TCP & 445/TCP) LDAP (389/TCP) Kerberos (88/TCP) RDP / Terminal Services (3389/TCP) HTTP/HTTP Management Services (80/TCP & 443/TCP) MSSQL (1433/TCP) Oracle (1521/TCP) MySQL (3306/TCP) VNC (5900/TCP) * SNMP (161/UDP and 162/TCP/UDP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as wlanAPI) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
Hashcat Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (4)
Update SoftwareM1051
Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.
Multi-factor AuthenticationM1032
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Password PoliciesM1027
Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)
Account Use PoliciesM1036
Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Cit
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has conducted password guessing to gain initial access.(Citation: Domain Tools Handala Hack Ka... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typica... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has successfully conducted password guessing attacks against a list of mailboxes.(Citation: Mandiant AP... |
Associated Software (9)
| ID | Name | Type | Context |
|---|---|---|---|
| S0020 | China Chopper | Malware | [China Chopper](https://attack.mitre.org/software/S0020)'s server component can perform brute force password guessing against authentication portals.(... |
| S0367 | Emotet | Malware | [Emotet](https://attack.mitre.org/software/S0367) has been observed using a hard coded list of passwords to brute force user accounts. (Citation: Malw... |
| S0374 | SpeakUp | Malware | [SpeakUp](https://attack.mitre.org/software/S0374) can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log ... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can brute force passwords for a specified user on a single target system or across an entire n... |
| S0698 | HermeticWizard | Malware | [HermeticWizard](https://attack.mitre.org/software/S0698) can use a list of hardcoded credentials in attempt to authenticate to SMB shares.(Citation: ... |
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list... |
| S0453 | Pony | Malware | [Pony](https://attack.mitre.org/software/S0453) has used a small dictionary of common passwords against a collected list of local accounts.(Citation: ... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to... |
| S0598 | P.A.S. Webshell | Malware | [P.A.S. Webshell](https://attack.mitre.org/software/S0598) can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP... |
References
- Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
Frequently Asked Questions
What is T1110.001 (Password Guessing)?
T1110.001 is a MITRE ATT&CK technique named 'Password Guessing'. It belongs to the Credential Access tactic(s). Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an a...
How can T1110.001 be detected?
Detection of T1110.001 (Password Guessing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1110.001?
There are 4 documented mitigations for T1110.001. Key mitigations include: Update Software, Multi-factor Authentication, Password Policies, Account Use Policies.
Which threat groups use T1110.001?
Known threat groups using T1110.001 include: VOID MANTICORE, APT28, APT29.