T1110 Brute Force Mappings

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.


Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

cloud_ids | Cloud IDS | technique_scores | T1110 | Brute Force |
Comments
Brute force is often used by adversaries to gain access to a system. Palo Alto Networks' vulnerability signature is able to detect multiple repetitive occurrences of a condition within a particular time that could indicate a brute force attack (e.g., failed logins). Although there are ways an attacker could brute force a system while avoiding detection, this technique was scored as significant based on Palo Alto Networks' advanced threat detection technology, which is constantly updated to detect the latest known variations of these attacks.

actifio_go | Actifio Go | technique_scores | T1110 | Brute Force |
Comments
Actifio uses two command line (CLI) interfaces for customer end-users and Actifio support personnel. All CLI access is via key-based authentication only. This provides significant protection against brute force password attacks. However, this only provides protection for Actifio components, rather than all components for a system. This has resulted in a score of Partial.

identityplatform | IdentityPlatform | technique_scores | T1110 | Brute Force |
Comments
Multi-factor authentication (MFA) methods, such as SMS, can also be used to help protect user accounts from phishing attacks. MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.

cloud_identity | Cloud Identity | technique_scores | T1110 | Brute Force |
Comments
This control may mitigate brute force attacks by enforcing multi-factor authentication, enforcing strong password policies, and rotating credentials periodically. These recommendations are IAM best practices but must be explicitly implemented by a cloud administrator.

endpoint_management | Endpoint Management | technique_scores | T1110 | Brute Force |
Comments
This control allows for enforcement of strong password requirements for all mobile devices, desktops, laptops, and other endpoints. This control also allows for use of Google Credential Provider for Windows (GCPW) to utilize Google single sign-on for Windows devices that can leverage two-factor authentication and login challenges.

security_command_center | Security Command Center | technique_scores | T1110 | Brute Force |
Comments
SCC uses syslog to detect successful brute force attacks [via SSH] on a host. Because of the near-real-time temporal factor when detecting cyber-attacks, this control was graded as significant.

advancedprotectionprogram | AdvancedProtectionProgram | technique_scores | T1110 | Brute Force |
Comments
Advanced Protection Program enables the use of a security key for multi-factor authentication. This provides significant protection against Brute Force techniques attempting to gain access to accounts.

ATT&CK Subtechniques

Technique ID | Technique Name | Number of Mappings
T1110.004 | Credential Stuffing | 3
T1110.002 | Password Cracking | 3
T1110.001 | Password Guessing | 3
T1110.003 | Password Spraying | 3