T1110.004 Credential Stuffing Mappings

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1110.004 Credential Stuffing
AC-20 Use of External Systems Protects T1110.004 Credential Stuffing
AC-3 Access Enforcement Protects T1110.004 Credential Stuffing
AC-5 Separation of Duties Protects T1110.004 Credential Stuffing
AC-6 Least Privilege Protects T1110.004 Credential Stuffing
AC-7 Unsuccessful Logon Attempts Protects T1110.004 Credential Stuffing
CA-7 Continuous Monitoring Protects T1110.004 Credential Stuffing
CM-2 Baseline Configuration Protects T1110.004 Credential Stuffing
CM-6 Configuration Settings Protects T1110.004 Credential Stuffing
IA-11 Re-authentication Protects T1110.004 Credential Stuffing
IA-2 Identification and Authentication (organizational Users) Protects T1110.004 Credential Stuffing
IA-4 Identifier Management Protects T1110.004 Credential Stuffing
IA-5 Authenticator Management Protects T1110.004 Credential Stuffing
SI-4 System Monitoring Protects T1110.004 Credential Stuffing
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1110.004 Credential Stuffing
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1110.004 Credential Stuffing
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration technique_scores T1110.004 Credential Stuffing
azure_sentinel Azure Sentinel technique_scores T1110.004 Credential Stuffing
azure_ad_password_policy Azure AD Password Policy technique_scores T1110.004 Credential Stuffing
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication technique_scores T1110.004 Credential Stuffing
azure_policy Azure Policy technique_scores T1110.004 Credential Stuffing
azure_alerts_for_network_layer Azure Alerts for Network Layer technique_scores T1110.004 Credential Stuffing
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database technique_scores T1110.004 Credential Stuffing
conditional_access Conditional Access technique_scores T1110.004 Credential Stuffing
cloud_app_security_policies Cloud App Security Policies technique_scores T1110.004 Credential Stuffing
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1110.004 Credential Stuffing
azure_active_directory_password_protection Azure Active Directory Password Protection technique_scores T1110.004 Credential Stuffing
just-in-time_vm_access Just-in-Time VM Access technique_scores T1110.004 Credential Stuffing
passwordless_authentication Passwordless Authentication technique_scores T1110.004 Credential Stuffing