1. Home
  2. ATT&CK Techniques
  3. T1110 Brute Force

T1110 Brute Force Mappings

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Brute force Brute force or password guessing attacks. related-to T1110 Brute Force
action.malware.variety.Brute force Brute force attack related-to T1110 Brute Force
amazon_cognito Amazon Cognito technique_scores T1110 Brute Force
Comments
Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.
References
  1. https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html
  2. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-compromised-credentials.html
  3. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html
amazon_guardduty Amazon GuardDuty technique_scores T1110 Brute Force
Comments
Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal resulting in a Minimal score.
References
  1. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan
  2. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
amazon_inspector Amazon Inspector technique_scores T1110 Brute Force
Comments
The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include "Disable password authentication over SSH", "Configure password maximum age", "Configure password minimum length", and "Configure password complexity" all of which impact the ability to brute force a password. This information can be used identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal leading to an overall Minimal score.
References
  1. https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html
aws_config AWS Config technique_scores T1110 Brute Force
Comments
This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant.
References
  1. https://docs.aws.amazon.com/config
  2. https://docs.aws.amazon.com/config/latest/developerguide
  3. https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1110 Brute Force
Comments
References
  1. https://docs.aws.amazon.com/iam/index.html
aws_security_hub AWS Security Hub technique_scores T1110 Brute Force
Comments
AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks. 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques. Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances.
References
  1. https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html
aws_single_sign-on AWS Single Sign-On technique_scores T1110 Brute Force
Comments
This control may not provide any mitigation against password cracking.
References
  1. https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1110.001 Password Guessing 9
T1110.002 Password Cracking 6
T1110.003 Password Spraying 9
T1110.004 Credential Stuffing 9