T1110.001 Password Guessing Mappings

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1110.001 Password Guessing
AC-20 Use of External Systems Protects T1110.001 Password Guessing
AC-3 Access Enforcement Protects T1110.001 Password Guessing
AC-5 Separation of Duties Protects T1110.001 Password Guessing
AC-6 Least Privilege Protects T1110.001 Password Guessing
AC-7 Unsuccessful Logon Attempts Protects T1110.001 Password Guessing
CA-7 Continuous Monitoring Protects T1110.001 Password Guessing
CM-2 Baseline Configuration Protects T1110.001 Password Guessing
CM-6 Configuration Settings Protects T1110.001 Password Guessing
IA-11 Re-authentication Protects T1110.001 Password Guessing
IA-2 Identification and Authentication (organizational Users) Protects T1110.001 Password Guessing
IA-4 Identifier Management Protects T1110.001 Password Guessing
IA-5 Authenticator Management Protects T1110.001 Password Guessing
SI-4 System Monitoring Protects T1110.001 Password Guessing
CVE-2019-18872 n/a uncategorized T1110.001 Password Guessing
action.hacking.variety.Brute force Brute force or password guessing attacks related-to T1110.001 Brute Force: Password Guessing
action.malware.variety.Brute force Brute force attack related-to T1110.001 Brute Force: Password Guessing
aws_config AWS Config technique_scores T1110.001 Password Guessing
amazon_guardduty Amazon GuardDuty technique_scores T1110.001 Password Guessing
amazon_inspector Amazon Inspector technique_scores T1110.001 Password Guessing
amazon_cognito Amazon Cognito technique_scores T1110.001 Password Guessing
aws_security_hub AWS Security Hub technique_scores T1110.001 Password Guessing
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1110.001 Password Guessing
aws_single_sign-on AWS Single Sign-On technique_scores T1110.001 Password Guessing