T1110.003 Password Spraying Mappings

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1110.003 Password Spraying
AC-20 Use of External Systems Protects T1110.003 Password Spraying
AC-3 Access Enforcement Protects T1110.003 Password Spraying
AC-5 Separation of Duties Protects T1110.003 Password Spraying
AC-6 Least Privilege Protects T1110.003 Password Spraying
AC-7 Unsuccessful Logon Attempts Protects T1110.003 Password Spraying
CA-7 Continuous Monitoring Protects T1110.003 Password Spraying
CM-2 Baseline Configuration Protects T1110.003 Password Spraying
CM-6 Configuration Settings Protects T1110.003 Password Spraying
IA-11 Re-authentication Protects T1110.003 Password Spraying
IA-2 Identification and Authentication (organizational Users) Protects T1110.003 Password Spraying
IA-4 Identifier Management Protects T1110.003 Password Spraying
IA-5 Authenticator Management Protects T1110.003 Password Spraying
SI-4 System Monitoring Protects T1110.003 Password Spraying
action.hacking.variety.Brute force Brute force or password guessing attacks related-to T1110.003 Brute Force: Password Spraying
action.malware.variety.Brute force Brute force attack related-to T1110.003 Brute Force: Password Spraying
aws_config AWS Config technique_scores T1110.003 Password Spraying
amazon_guardduty Amazon GuardDuty technique_scores T1110.003 Password Spraying
amazon_inspector Amazon Inspector technique_scores T1110.003 Password Spraying
amazon_cognito Amazon Cognito technique_scores T1110.003 Password Spraying
aws_security_hub AWS Security Hub technique_scores T1110.003 Password Spraying
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1110.003 Password Spraying
aws_single_sign-on AWS Single Sign-On technique_scores T1110.003 Password Spraying