Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1110 | Brute Force | |
AC-20 | Use of External Systems | Protects | T1110 | Brute Force | |
AC-3 | Access Enforcement | Protects | T1110 | Brute Force | |
AC-5 | Separation of Duties | Protects | T1110 | Brute Force | |
AC-6 | Least Privilege | Protects | T1110 | Brute Force | |
AC-7 | Unsuccessful Logon Attempts | Protects | T1110 | Brute Force | |
CA-7 | Continuous Monitoring | Protects | T1110 | Brute Force | |
CM-2 | Baseline Configuration | Protects | T1110 | Brute Force | |
CM-6 | Configuration Settings | Protects | T1110 | Brute Force | |
IA-11 | Re-authentication | Protects | T1110 | Brute Force | |
IA-2 | Identification and Authentication (Organizational Users) | Protects | T1110 | Brute Force | |
IA-4 | Identifier Management | Protects | T1110 | Brute Force | |
IA-5 | Authenticator Management | Protects | T1110 | Brute Force | |
SI-4 | System Monitoring | Protects | T1110 | Brute Force | |
CVE-2019-1715 | Cisco Adaptive Security Appliance (ASA) Software | exploitation_technique | T1110 | Brute Force | |
CVE-2018-11045 | Pivotal Operations Manager | exploitation_technique | T1110 | Brute Force | |
CVE-2018-15795 | CredHub Service Broker | exploitation_technique | T1110 | Brute Force | |
CVE-2020-5365 | Isilon OneFS | exploitation_technique | T1110 | Brute Force | |
CVE-2018-15800 | Bits Service Release | exploitation_technique | T1110 | Brute Force | |
CVE-2018-11069 | RSA BSAFE SSL-J | exploitation_technique | T1110 | Brute Force | |
CVE-2020-11035 | GLPI | exploitation_technique | T1110 | Brute Force | |
CVE-2020-15093 | tough | exploitation_technique | T1110 | Brute Force | |
CVE-2019-16782 | rack | exploitation_technique | T1110 | Brute Force | |
CVE-2019-6563 | Moxa IKS, EDS | exploitation_technique | T1110 | Brute Force | |
CVE-2019-18263 | Philips Veradius Unity, Pulsera, and Endura Dual WAN Router | exploitation_technique | T1110 | Brute Force | |
CVE-2018-8160 | Word | secondary_impact | T1110 | Brute Force | |
CVE-2020-11957 | n/a | uncategorized | T1110 | Brute Force | |
CVE-2019-19735 | n/a | uncategorized | T1110 | Brute Force | |
CVE-2018-1956 | Security Identity Manager | uncategorized | T1110 | Brute Force | |
CVE-2018-12520 | n/a | uncategorized | T1110 | Brute Force | |
CVE-2019-11219 | n/a | uncategorized | T1110 | Brute Force | |
action.hacking.variety.Brute force | Brute force or password guessing attacks | related-to | T1110 | Brute Force | |
action.malware.variety.Brute force | Brute force attack | related-to | T1110 | Brute Force | |
aws_config | AWS Config | technique_scores | T1110 | Brute Force | This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant. |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1110 | Brute Force | Finding types such as UnauthorizedAccess:EC2/RDPBruteForce, UnauthorizedAccess:EC2/SSHBruteForce, Impact:EC2/WinRMBruteForce, and Stealth:IAMUser/PasswordPolicyChange can detect when an EC2 instance may be involved in a brute force attack aimed at obtaining passwords. Due to the detection being limited to a specific set of application protocols, its coverage is Minimal, resulting in a Minimal score. |
amazon_inspector | Amazon Inspector | technique_scores | T1110 | Brute Force | The Amazon Inspector Best Practices assessment package can detect security control settings related to authentication and password policies on Linux endpoints. Specific security controls it can assess include "Disable password authentication over SSH", "Configure password maximum age", "Configure password minimum length", and "Configure password complexity", all of which impact the ability to brute force a password. This information can be used to identify insecure configurations and harden the endpoints. Amazon Inspector does not directly protect against brute force attacks. Given Amazon Inspector can only assess these security controls on Linux platforms (although it also supports Windows), the coverage score is Minimal, leading to an overall Minimal score. |
amazon_cognito | Amazon Cognito | technique_scores | T1110 | Brute Force | Amazon Cognito's MFA capability provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted. |
aws_security_hub | AWS Security Hub | technique_scores | T1110 | Brute Force | AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help towards detecting the brute forcing of accounts. AWS Security Hub provides this detection with the following checks: 3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures. This is scored as Minimal because it only applies to the AWS Management Console and not other access mechanisms (e.g., CLI, SDK, etc.) and it only supports a subset of the sub-techniques (3 of 4). Furthermore, it does not detect brute-forcing methods for other components such as EC2 instances. |
aws_identity_and_access_management | AWS Identity and Access Management | technique_scores | T1110 | Brute Force | |
aws_single_sign-on | AWS Single Sign-On | technique_scores | T1110 | Brute Force | This control may not provide any mitigation against password cracking. |

Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1110.004 | Credential Stuffing | 23 |
T1110.002 | Password Cracking | 20 |
T1110.001 | Password Guessing | 24 |
T1110.003 | Password Spraying | 23 |