1. Home
  2. ATT&CK Techniques
  3. T1110.003 Password Spraying

T1110.003 Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

View in MITRE ATT&CK®

CSA CCM Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
IAM-15 Passwords Management mitigates T1110.003 Password Spraying
Comments
This control requires both CSP and CSC to independently enforce strong password management practices to protect authentication credentials and reduce the risk of unauthorized access. For example, credential access protection mitigation focuses on implementing measures to prevent adversaries from obtaining credentials, such as passwords, hashes, tokens, or keys, that could be used for unauthorized access.
References
    IAM-02 Strong Password Policy and Procedures mitigates T1110.003 Password Spraying
    Comments
    This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes. For this technique, adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. In terms of mitigation, Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Also, where possible, enforce multi-factor authentication on externally facing services to limit brute force succession.
    References