Skip to content

T1110.003 Password Spraying

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. ‘Password01’), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. 2

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

  • SSH (22/TCP)
  • Telnet (23/TCP)
  • FTP (21/TCP)
  • NetBIOS / SMB / Samba (139/TCP & 445/TCP)
  • LDAP (389/TCP)
  • Kerberos (88/TCP)
  • RDP / Terminal Services (3389/TCP)
  • HTTP/HTTP Management Services (80/TCP & 443/TCP)
  • MSSQL (1433/TCP)
  • Oracle (1521/TCP)
  • MySQL (3306/TCP)
  • VNC (5900/TCP)

In addition to management services, adversaries may “target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,” as well as externally facing email applications, such as Office 365.3

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows “logon failure” event ID 4625.

Item Value
ID T1110.003
Sub-techniques T1110.001, T1110.002, T1110.003, T1110.004
Tactics TA0006
Platforms Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Version 1.3
Created 11 February 2020
Last Modified 14 April 2023

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.2021 APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.22
G0016 APT29 APT29 has conducted brute force password spray attacks.1718
G0064 APT33 APT33 has used password spraying to gain access to target systems.1112
S0606 Bad Rabbit Bad Rabbit’s infpub.dat file uses NTLM login credentials to brute force Windows machines.8
G0114 Chimera Chimera has used multiple password spraying attacks against victim’s remote services to obtain valid user and administrator accounts.16
S0488 CrackMapExec CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.7
G1001 HEXANE HEXANE has used password spraying attacks to obtain valid credentials.19
G0032 Lazarus Group Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.1413
G0077 Leafminer Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.15
S0362 Linux Rabbit Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. 9
S0413 MailSniper MailSniper can be used for password spraying against Exchange and Office 365.6
G0122 Silent Librarian Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.10

Mitigations

ID Mitigation Description
M1036 Account Use Policies Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.4
M1032 Multi-factor Authentication Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
M1027 Password Policies Refer to NIST guidelines when creating password policies. 5

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0002 User Account User Account Authentication

References

  1. Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. 

  2. Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017. 

  3. US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. 

  4. Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023. 

  5. Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019. 

  6. Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019. 

  7. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  8. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. 

  9. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019. 

  10. DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021. 

  11. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. 

  12. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. 

  13. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 

  14. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 

  15. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. 

  16. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  17. MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. 

  18. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022. 

  19. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19  

  20. Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. 

  21. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. 

  22. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.