Description
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:
SSH (22/TCP) Telnet (23/TCP) FTP (21/TCP) NetBIOS / SMB / Samba (139/TCP & 445/TCP) LDAP (389/TCP) Kerberos (88/TCP) RDP / Terminal Services (3389/TCP) HTTP/HTTP Management Services (80/TCP & 443/TCP) MSSQL (1433/TCP) Oracle (1521/TCP) MySQL (3306/TCP) VNC (5900/TCP)
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
Hashcat Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (4)
Account Use PoliciesM1036
Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.(Cit
Password PoliciesM1027
Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)
User Account ManagementM1018
Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.
Multi-factor AuthenticationM1032
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has utilized credential stuffing attacks to obtain initial access to victim environments.(Cita... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S0266 | TrickBot | Malware | [TrickBot](https://attack.mitre.org/software/S0266) uses brute-force attack against RDP with rdpscanDll module.(Citation: ESET Trickbot Oct 2020)(Cita... |
References
Frequently Asked Questions
What is T1110.004 (Credential Stuffing)?
T1110.004 is a MITRE ATT&CK technique named 'Credential Stuffing'. It belongs to the Credential Access tactic(s). Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pair...
How can T1110.004 be detected?
Detection of T1110.004 (Credential Stuffing) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1110.004?
There are 4 documented mitigations for T1110.004. Key mitigations include: Account Use Policies, Password Policies, User Account Management, Multi-factor Authentication.
Which threat groups use T1110.004?
Known threat groups using T1110.004 include: Chimera, VOID MANTICORE.