| ID | Name |
|---|---|
| T1110.001 | Password Guessing |
| T1110.002 | Password Cracking |
| T1110.003 | Password Spraying |
| T1110.004 | Credential Stuffing |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. [1]
Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:
In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.[2]
In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.
Angreifer, die keine Kenntnis von legitimen Anmeldeinformationen innerhalb des Systems oder der Umgebung haben, können Passwörter erraten, um sich Zugang zu Konten zu verschaffen. Ohne Kenntnis des Passworts für ein Konto kann ein Angreifer das Passwort systematisch erraten, indem er einen sich wiederholenden oder iterativen Mechanismus verwendet. Ein Angreifer kann die Anmeldedaten ohne vorherige Kenntnis der System- oder Umgebungspasswörter während eines Vorgangs erraten, indem er eine Liste gängiger Passwörter verwendet. Beim Erraten von Passwörtern können die Richtlinien des Ziels zur Komplexität von Passwörtern berücksichtigt werden oder es können Richtlinien verwendet werden, die Konten nach einer Reihe von Fehlversuchen sperren.
Das Erraten von Passwörtern kann eine riskante Option sein, da es je nach den Richtlinien des Unternehmens für fehlgeschlagene Anmeldungen zu zahlreichen Authentifizierungsfehlern und Kontosperrungen führen kann. (Zitat: Cylance Cleaver)
In der Regel werden beim Erraten von Passwörtern Verwaltungsdienste über häufig genutzte Ports verwendet. Zu den häufig angegriffenen Diensten gehören die folgenden:
Zusätzlich zu den Verwaltungsdiensten können Angreifer "auf Single Sign-On (SSO) und Cloud-basierte Anwendungen abzielen, die föderierte Authentifizierungsprotokolle verwenden", sowie auf nach aussen gerichtete E-Mail-Anwendungen wie Office 365.(Zitat: US-CERT TA18-068A 2018)
In Standardumgebungen ist es weniger wahrscheinlich, dass LDAP- und Kerberos-Verbindungsversuche über SMB Ereignisse auslösen, wodurch die Windows-Ereignis-ID 4625 "Anmeldefehler" entsteht.
Les adversaires n'ayant aucune connaissance préalable des informations d'identification légitimes dans le système ou l'environnement peuvent deviner les mots de passe pour tenter d'accéder aux comptes. Sans connaissance du mot de passe d'un compte, un adversaire peut choisir de deviner systématiquement le mot de passe en utilisant un mécanisme répétitif ou itératif. Un adversaire peut deviner les identifiants de connexion sans connaissance préalable des mots de passe du système ou de l'environnement pendant une opération en utilisant une liste de mots de passe courants. La devinette des mots de passe peut ou non tenir compte des politiques de la cible en matière de complexité des mots de passe ou des politiques d'utilisation qui peuvent verrouiller les comptes après un certain nombre de tentatives infructueuses.
Deviner les mots de passe peut être une option risquée car elle peut provoquer de nombreux échecs d'authentification et des verrouillages de comptes, selon les politiques d'échec de connexion de l'organisation. (Citation : Cylance Cleaver)
Généralement, les services de gestion sur les ports couramment utilisés sont utilisés pour deviner les mots de passe. Les services couramment ciblés sont les suivants :
Outre les services de gestion, les adversaires peuvent " cibler les applications d'authentification unique (SSO) et les applications basées sur le cloud utilisant des protocoles d'authentification fédérés ", ainsi que les applications de messagerie orientées vers l'extérieur, comme Office 365.(Citation : US-CERT TA18-068A 2018)
Dans les environnements par défaut, les tentatives de connexion LDAP et Kerberos sont moins susceptibles de déclencher des événements sur SMB, ce qui crée l'événement Windows "logon failure" ID 4625.
Gli avversari che non conoscono le credenziali legittime all'interno del sistema o dell'ambiente possono indovinare le password per tentare l'accesso agli account. Senza conoscere la password di un account, un avversario può scegliere di indovinare sistematicamente la password usando un meccanismo ripetitivo o iterativo. Un avversario può indovinare le credenziali di accesso senza conoscere le password del sistema o dell'ambiente durante un'operazione utilizzando una lista di password comuni. L'indovinare la password può o meno tenere conto delle politiche dell'obiettivo sulla complessità delle password o utilizzare politiche che possono bloccare gli account dopo un certo numero di tentativi falliti.
Indovinare le password può essere un'opzione rischiosa perché potrebbe causare numerosi fallimenti dell'autenticazione e il blocco degli account, a seconda delle politiche di fallimento del login dell'organizzazione. (Citazione: Cylance Cleaver)
Di solito, per indovinare le password si usano servizi di gestione su porte comunemente utilizzate. I servizi comunemente presi di mira sono i seguenti:
Oltre ai servizi di gestione, gli avversari possono "prendere di mira single sign-on (SSO) e applicazioni basate su cloud che utilizzano protocolli di autenticazione federata", così come applicazioni email rivolte all'esterno, come Office 365.(Citazione: US-CERT TA18-068A 2018)
In ambienti predefiniti, i tentativi di connessione LDAP e Kerberos hanno meno probabilità di innescare eventi su SMB, il che crea l'evento ID 4625 di Windows "logon failure".
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 |
APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.[3] APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.[4] |
| S0020 | China Chopper |
China Chopper's server component can perform brute force password guessing against authentication portals.[5] |
| S0488 | CrackMapExec |
CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[6] |
| S0367 | Emotet |
Emotet has been observed using a hard coded list of passwords to brute force user accounts. [7][8][9][10][11] |
| S0532 | Lucifer |
Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.[12] |
| S0598 | P.A.S. Webshell |
P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.[13] |
| S0453 | Pony |
Pony has used a small dictionary of common passwords against a collected list of local accounts.[14] |
| S0374 | SpeakUp |
SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [15] |
| S0341 | Xbash |
Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.[16][17] |
| ID | Mitigation | Description |
|---|---|---|
| M1036 | Account Use Policies |
Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. |
| M1032 | Multi-factor Authentication |
Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| M1027 | Password Policies |
Refer to NIST guidelines when creating password policies. [18] |
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0002 | User Account | User Account Authentication |
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.
Überwachen Sie die Authentifizierungsprotokolle auf fehlgeschlagene System- und Anwendungsanmeldungen von Gültige Konten. Wenn die Zahl der fehlgeschlagenen Authentifizierungen hoch ist, könnte ein Brute-Force-Versuch vorliegen, um sich mit legitimen Anmeldedaten Zugang zu einem System zu verschaffen.
Surveillez les journaux d'authentification pour détecter les échecs de connexion au système et aux applications des [Comptes valides] (/techniques/T1078). Si les échecs d'authentification sont élevés, il se peut qu'il y ait une tentative de force brute pour accéder à un système en utilisant des informations d'identification légitimes.
Monitorare i log di autenticazione per i fallimenti di accesso al sistema e alle applicazioni di Valid Accounts. Se i fallimenti di autenticazione sono alti, allora potrebbe esserci un tentativo di forza bruta per accedere ad un sistema usando credenziali legittime.