Description
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:
- SSH (22/TCP)
- Telnet (23/TCP)
- FTP (21/TCP)
- NetBIOS / SMB / Samba (139/TCP & 445/TCP)
- LDAP (389/TCP)
- Kerberos (88/TCP)
- RDP / Terminal Services (3389/TCP)
- HTTP/HTTP Management Services (80/TCP & 443/TCP)
- MSSQL (1433/TCP)
- Oracle (1521/TCP)
- MySQL (3306/TCP)
- VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365. (Citation: US-CERT TA18-068A 2018)
To stay under detection thresholds, adversaries may deliberately throttle password spraying attempts so that security alerting is not triggered. Additionally, adversaries may leverage LDAP and Kerberos authentication attempts, which are less likely to trigger high-visibility events such as Windows "logon failure" event ID 4625, which is commonly generated by failed SMB connection attempts. (Citation: Microsoft Storm-0940)
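As an added defender-side example (not part of the ATT&CK page), the following Python sketches the detection logic the description implies: one source failing against many distinct accounts in a short window while staying below the lockout count per account, counting both event ID 4625 and the quieter Kerberos pre-authentication failure (event ID 4771). The log format and sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one per line:
# "<time> <event_id> <account> <source_ip>". 4625 = Windows logon failure
# (noisy, typical of failed SMB logons); 4771 = Kerberos pre-authentication
# failed, the lower-visibility path the description mentions.
SAMPLE_LOG = """
2024-05-01T09:00:01 4625 alice 10.0.0.5
2024-05-01T09:00:02 4625 alice 10.0.0.5
2024-05-01T09:00:03 4625 alice 10.0.0.5
2024-05-01T09:00:04 4625 alice 10.0.0.5
2024-05-01T09:12:00 4771 alice 198.51.100.7
2024-05-01T09:12:30 4771 bob 198.51.100.7
2024-05-01T09:13:00 4771 carol 198.51.100.7
2024-05-01T09:13:30 4771 dave 198.51.100.7
2024-05-01T09:14:00 4771 erin 198.51.100.7
2024-05-01T09:14:30 4771 frank 198.51.100.7
2024-05-01T09:15:00 4771 grace 198.51.100.7
2024-05-01T09:30:00 4625 ivan 10.0.0.9
"""
FAILURE_EVENTS = {"4625", "4771"}  # both count as a failed credential attempt

def parse(log):
    """Parse the constructed format into sorted (time, account, source_ip) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, eid, account, ip = line.split()
        if eid in FAILURE_EVENTS:
            events.append((datetime.fromisoformat(ts), account, ip))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Return {source_ip: accounts} for sources failing against at least
    min_accounts distinct accounts within one sliding window while staying
    below the per-account lockout threshold: the spray signature. A single
    account hammered repeatedly (10.0.0.5 above) is left to lockout rules."""
    by_ip = defaultdict(list)
    for ts, account, ip in events:
        by_ip[ip].append((ts, account))
    hits = {}
    for ip, items in by_ip.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, account in items[start:end + 1]:
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) < lockout:
                hits.setdefault(ip, set()).update(counts)
    return hits
```

Tune `window`, `min_accounts` and `lockout` to the domain's actual lockout policy; the rule is meant to complement, not replace, per-account lockout alerting.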
Platforms
Mitigations (3)
Multi-factor Authentication (M1032)
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Password Policies (M1027)
Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)
Account Use Policies (M1036)
Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments unusable, with all accounts used in the brute force being locked out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Cit
Threat Groups (11)
| ID | Group | Context |
|---|---|---|
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has gained initial access through password spray attacks.(Citation: Microsoft Silk Typhoon MAR 2025) |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) engaged in password spraying via SMB in victim environments.(Citation: Unit42 Agrius 2023) |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid ... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has conducted brute force password spray attacks.(Citation: MSRC Nobelium June 2021)(Citation: MSTIC No... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used password spraying attacks to obtain valid credentials.(Citation: SecureWorks August 2019) |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware attempts to connect to Windows shares for lateral movement by using a generated list of... |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citatio... |
| G0122 | Silent Librarian | [Silent Librarian](https://attack.mitre.org/groups/G0122) has used collected lists of names and e-mail accounts to use in password spraying attacks ag... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used multiple password spraying attacks against victim's remote services to obtain valid user and... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used a tool called Total SMB BruteForcer to perform internal password spraying.(Citation: Symantec ... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it ... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0606 | Bad Rabbit | Malware | [Bad Rabbit](https://attack.mitre.org/software/S0606)’s <code>infpub.dat</code> file uses NTLM login credentials to brute force Windows machines.(Cita... |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can brute force credential authentication by using a supplied list of usernames and a single p... |
| S0362 | Linux Rabbit | Malware | [Linux Rabbit](https://attack.mitre.org/software/S0362) brute forces SSH passwords in order to attempt to gain access and install its malware onto the... |
| S0413 | MailSniper | Tool | [MailSniper](https://attack.mitre.org/software/S0413) can be used for password spraying against Exchange and Office 365.(Citation: GitHub MailSniper) |
References
- Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.
- Microsoft Threat Intelligence. (2024, October 31). Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network. Retrieved June 4, 2025.
- Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.
- US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.
Frequently Asked Questions
What is T1110.003 (Password Spraying)?
T1110.003 is a MITRE ATT&CK technique named 'Password Spraying'. It belongs to the Credential Access tactic(s). Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Passwo...
How can T1110.003 be detected?
Detection of T1110.003 (Password Spraying) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1110.003?
There are 3 documented mitigations for T1110.003. Key mitigations include: Multi-factor Authentication, Password Policies, Account Use Policies.
Which threat groups use T1110.003?
Known threat groups using T1110.003 include: HAFNIUM, Agrius, Ember Bear, APT29, HEXANE, Lazarus Group, APT33, Silent Librarian.