Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1110 | Brute Force | |
AC-20 | Use of External Systems | Protects | T1110 | Brute Force | |
AC-3 | Access Enforcement | Protects | T1110 | Brute Force | |
AC-5 | Separation of Duties | Protects | T1110 | Brute Force | |
AC-6 | Least Privilege | Protects | T1110 | Brute Force | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1110 | Brute Force | |
CA-7 | Continuous Monitoring | Protects | T1110 | Brute Force | |
CM-2 | Baseline Configuration | Protects | T1110 | Brute Force | |
CM-6 | Configuration Settings | Protects | T1110 | Brute Force | |
IA-11 | Re-authentication | Protects | T1110 | Brute Force | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1110 | Brute Force | |
IA-4 | Identifier Management | Protects | T1110 | Brute Force | |
IA-5 | Authenticator Management | Protects | T1110 | Brute Force | |
SI-4 | System Monitoring | Protects | T1110 | Brute Force | |
azure_ad_identity_protection | Azure AD Identity Protection | technique_scores | T1110 | Brute Force | This control provides Minimal detection for one of this technique's sub-techniques while not providing any detection for the remaining, resulting in a Minimal score. |
azure_ad_identity_protection | Azure AD Identity Protection | technique_scores | T1110 | Brute Force | Provides significant response capabilities for one of this technique's sub-techniques (Password Spray). Because this capability is specific to one sub-technique and not the remaining ones, the coverage score is Minimal, resulting in an overall Minimal score. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1110 | Brute Force | This control provides detection for some of this technique's sub-techniques and procedure examples resulting in a Partial Coverage score and consequently an overall score of Partial. |
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1110 | Brute Force | This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal, leading to an overall Minimal score. |
linux_auditd_alerts_and_log_analytics_agent_integration | Linux auditd alerts and Log Analytics agent integration | technique_scores | T1110 | Brute Force | This control provides partial coverage for most of this technique's sub-techniques and procedures. |
azure_sentinel | Azure Sentinel | technique_scores | T1110 | Brute Force | This control includes partial detection coverage for most of this technique's sub-techniques on a periodic basis. |
azure_ad_password_policy | Azure AD Password Policy | technique_scores | T1110 | Brute Force | This control provides partial protection for most of this technique's sub-techniques and therefore has been scored as Partial. |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1110 | Brute Force | This control provides significant detection of some of the sub-techniques of this technique and has therefore been assessed an overall score of Partial. |
azure_ad_multi-factor_authentication | Azure AD Multi-Factor Authentication | technique_scores | T1110 | Brute Force | MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted. |
azure_policy | Azure Policy | technique_scores | T1110 | Brute Force | |
azure_alerts_for_network_layer | Azure Alerts for Network Layer | technique_scores | T1110 | Brute Force | This control can identify multiple connection attempts by external IPs, which may be indicative of Brute Force attempts, though not T1110.002, which is performed offline. It provides significant detection for most of this technique's sub-techniques and procedure examples, resulting in an overall score of Significant. |
advanced_threat_protection_for_azure_sql_database | Advanced Threat Protection for Azure SQL Database | technique_scores | T1110 | Brute Force | This control covers the majority of sub-techniques for this parent technique and may cover both successful and unsuccessful brute force attacks. This control only provides alerts for a set of Azure database offerings. Databases that have been deployed to endpoints within Azure or third-party databases deployed to Azure do not generate alerts for this control. |
conditional_access | Conditional Access | technique_scores | T1110 | Brute Force | Conditional Access can be used to enforce MFA for users, which provides significant protection against password compromises by requiring an adversary to complete an additional authentication method before their access is permitted. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1110 | Brute Force | This control can detect some activity indicative of brute force attempts to log in. The relevant alert is "Multiple failed login attempts". |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1110 | Brute Force | The MFA recommendation provides significant protection against password compromises, but because this is a recommendation and doesn't actually enforce MFA, the assessed score is capped at Partial. |
azure_active_directory_password_protection | Azure Active Directory Password Protection | technique_scores | T1110 | Brute Force | |
just-in-time_vm_access | Just-in-Time VM Access | technique_scores | T1110 | Brute Force | This control can be configured to completely block inbound access to selected ports until access is requested. This prevents any attempt at brute forcing a protocol, such as RDP or SSH, unless the attacker has the credentials and permissions to request such access. Even if permission has been granted to an authorized user to access the virtual machine, a list of authorized IP addresses for that access can be configured. |
passwordless_authentication | Passwordless Authentication | technique_scores | T1110 | Brute Force | This control provides significant protection against this brute force technique by completely obviating the need for passwords, replacing them with passwordless credentials. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1110.004 | Credential Stuffing | 29 |
T1110.002 | Password Cracking | 19 |
T1110.001 | Password Guessing | 30 |
T1110.003 | Password Spraying | 31 |