T1110 · credential-access · 14 actors · 8 correlated reports

Brute Force

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes. Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

Observed actors

APT38
G0082 APT41
G0096 Dragonfly
G0035 APT39
G0087 OilRig
G0049 Turla
G0010 DarkVishnya
G0105 FIN5
G0053 Ember Bear
G1003 Agrius
G1030 APT28
G0007 Fox Kitten
G0117 Lazarus Group
G0032 HEXANE
G1001

Correlated CTI and IR reports

APT39 (Chafer / Remix Kitten)
Israel Threat Actors CTI · explicit report mention ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention Defensive CTI Research on Threats to Israeli Government and Public-Sector Environments
Israel Threat Actors CTI · explicit report mention ATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention CTI Led Defensive Strategy for a Cellular Provider Case Study
1200km Medium · authored report mention Correlation Based Detection Rules in Cybersecurity From Atomic Events to Behavioral Insight
1200km Medium · authored report mention Cyberattacks on 4G LTE Telecom Networks Threat Mapping and Defense
1200km Medium · authored report mention Single Event Detection Rules in Cybersecurity
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research