Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1110">Brute Force</a></li> <li class="breadcrumb-item">Password Spraying</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Brute Force:</span> Password Spraying </h1> <div class="row"> <div class="col-md-8">  <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Brute Force (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1110/001/" class="subtechnique-table-item" data-subtechnique_id="T1110.001"> T1110.001 </a> </td> <td> <a href="/techniques/T1110/001/" class="subtechnique-table-item" data-subtechnique_id="T1110.001"> Password Guessing </a> </td> </tr> <tr> <td> <a href="/techniques/T1110/002/" class="subtechnique-table-item" data-subtechnique_id="T1110.002"> T1110.002 </a> </td> <td> <a href="/techniques/T1110/002/" class="subtechnique-table-item" data-subtechnique_id="T1110.002"> Password Cracking </a> </td> </tr> <tr> <td class="active"> T1110.003 </td> <td class="active"> Password Spraying </td> </tr> <tr> <td> <a href="/techniques/T1110/004/" class="subtechnique-table-item" data-subtechnique_id="T1110.004"> T1110.004 </a> </td> <td> <a href="/techniques/T1110/004/" class="subtechnique-table-item" data-subtechnique_id="T1110.004"> Credential Stuffing </a> </td> </tr> </tbody> </table> </div> </div> </div>  <div class="description-body"> <p>Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017."data-reference="BlackHillsInfosec Password Spraying"><sup><a href="http://www.blackhillsinfosec.com/?p=4645" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:</p><ul><li>SSH (22/TCP)</li><li>Telnet (23/TCP)</li><li>FTP (21/TCP)</li><li>NetBIOS / SMB / Samba (139/TCP & 445/TCP)</li><li>LDAP (389/TCP)</li><li>Kerberos (88/TCP)</li><li>RDP / Terminal Services (3389/TCP)</li><li>HTTP/HTTP Management Services (80/TCP & 443/TCP)</li><li>MSSQL (1433/TCP)</li><li>Oracle (1521/TCP)</li><li>MySQL (3306/TCP)</li><li>VNC (5900/TCP)</li></ul><p>In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019."data-reference="US-CERT TA18-068A 2018"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-086A" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1110.003 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/techniques/T1110">T1110</a> </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0006">Credential Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Containers, IaaS, Identity Provider, Linux, Network, Office Suite, SaaS, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>John Strand; Microsoft Threat Intelligence Center (MSTIC) </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>11 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>14 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1110.003" href="/versions/v16/techniques/T1110/003/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1110.003" href="/versions/v16/techniques/T1110/003/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/groups/G1030"> G1030 </a> </td> <td> <a href="/groups/G1030"> Agrius </a> </td> <td> <p><a href="/groups/G1030">Agrius</a> engaged in password spraying via SMB in victim environments.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024."data-reference="Unit42 Agrius 2023"><sup><a href="https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020."data-reference="Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> <a href="/groups/G0007">APT28</a> has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0016"> G0016 </a> </td> <td> <a href="/groups/G0016"> APT29 </a> </td> <td> <p><a href="/groups/G0016">APT29</a> has conducted brute force password spray attacks.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021."data-reference="MSRC Nobelium June 2021"><sup><a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022."data-reference="MSTIC Nobelium Oct 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024."data-reference="NCSC et al APT29 2024"><sup><a href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0064"> G0064 </a> </td> <td> <a href="/groups/G0064"> APT33 </a> </td> <td> <p><a href="/groups/G0064">APT33</a> has used password spraying to gain access to target systems.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019."data-reference="FireEye APT33 Guardrail"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."data-reference="Microsoft Holmium June 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0606"> S0606 </a> </td> <td> <a href="/software/S0606"> Bad Rabbit </a> </td> <td> <p><a href="/software/S0606">Bad Rabbit</a>鈥檚 <code>infpub.dat</code> file uses NTLM login credentials to brute force Windows machines.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021."data-reference="Secure List Bad Rabbit"><sup><a href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021"><sup><a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0488"> S0488 </a> </td> <td> <a href="/software/S0488"> CrackMapExec </a> </td> <td> <p><a href="/software/S0488">CrackMapExec</a> can brute force credential authentication by using a supplied list of usernames and a single password.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020."data-reference="CME Github September 2018"><sup><a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1003"> G1003 </a> </td> <td> <a href="/groups/G1003"> Ember Bear </a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has conducted password spraying against Outlook Web Access (OWA) infrastructure to identify valid user names and passwords.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/groups/G1001">HEXANE</a> has used password spraying attacks to obtain valid credentials.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 "data-reference="SecureWorks August 2019"><sup><a href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016."data-reference="Novetta Blockbuster RATs"><sup><a href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0077"> G0077 </a> </td> <td> <a href="/groups/G0077"> Leafminer </a> </td> <td> <p><a href="/groups/G0077">Leafminer</a> used a tool called Total SMB BruteForcer to perform internal password spraying.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018."data-reference="Symantec Leafminer July 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0362"> S0362 </a> </td> <td> <a href="/software/S0362"> Linux Rabbit </a> </td> <td> <p><a href="/software/S0362">Linux Rabbit</a> brute forces SSH passwords in order to attempt to gain access and install its malware onto the server. <span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019."data-reference="Anomali Linux Rabbit 2018"><sup><a href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0413"> S0413 </a> </td> <td> <a href="/software/S0413"> MailSniper </a> </td> <td> <p><a href="/software/S0413">MailSniper</a> can be used for password spraying against Exchange and Office 365.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019."data-reference="GitHub MailSniper"><sup><a href="https://github.com/dafthack/MailSniper" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0122"> G0122 </a> </td> <td> <a href="/groups/G0122"> Silent Librarian </a> </td> <td> <p><a href="/groups/G0122">Silent Librarian</a> has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021."data-reference="DOJ Iran Indictments March 2018"><sup><a href="https://www.justice.gov/usao-sdny/press-release/file/1045781/download" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1036"> M1036 </a> </td> <td> <a href="/mitigations/M1036"> Account Use Policies </a> </td> <td> <p>Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out. Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023."data-reference="Microsoft Common Conditional Access Policies"><sup><a href="https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> Consider blocking risky authentication requests, such as those originating from anonymizing services/proxies.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024."data-reference="Okta Block Anonymizing Services"><sup><a href="https://sec.okta.com/blockanonymizers" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/mitigations/M1032"> M1032 </a> </td> <td> <a href="/mitigations/M1032"> Multi-factor Authentication </a> </td> <td> <p>Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1027"> M1027 </a> </td> <td> <a href="/mitigations/M1027"> Password Policies </a> </td> <td> <p>Refer to NIST guidelines when creating password policies. <span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019."data-reference="NIST 800-63-3"><sup><a href="https://pages.nist.gov/800-63-3/sp800-63b.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0015"> <td> <a href="/datasources/DS0015">DS0015</a> </td> <td class="nowrap"> <a href="/datasources/DS0015">Application Log</a> </td>  <td> <a href="/datasources/DS0015/#Application%20Log%20Content">Application Log Content</a> </td> <td> <p>Monitor authentication logs for system and application login failures of <a href="/techniques/T1078">Valid Accounts</a>. Consider the following event IDs:<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019."data-reference="Trimarc Detecting Password Spraying"><sup><a href="https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span>Domain Controllers: "Audit Logon" (Success & Failure) for event ID 4625.Domain Controllers: "Audit Kerberos Authentication Service" (Success & Failure) for event ID 4771.All systems: "Audit Logon" (Success & Failure) for event ID 4648.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023"><sup><a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr class="datasource" id="uses-DS0002"> <td> <a href="/datasources/DS0002">DS0002</a> </td> <td class="nowrap"> <a href="/datasources/DS0002">User Account</a> </td>  <td> <a href="/datasources/DS0002/#User%20Account%20Authentication">User Account Authentication</a> </td> <td> <p>Monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023."data-reference="Mandiant Cloudy Logs 2023"><sup><a href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p><p>Analytic 1 - Multiple failed logon attempts across different accounts, especially targeting common usernames.</p><p><code> (index=security sourcetype="WinEventLog:Security" EventCode IN (4625, 5379)) OR(index=os sourcetype="linux_secure" message="Failed password") OR(index=os sourcetype="macos_secure" message="Failed to authenticate user")</code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="http://www.blackhillsinfosec.com/?p=4645" target="_blank"> Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.us-cert.gov/ncas/alerts/TA18-086A" target="_blank"> US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" target="_blank"> Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/" target="_blank"> Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank"> Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" target="_blank"> MSRC. (2021, June 25). New Nobelium activity. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/" target="_blank"> Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.ic3.gov/Media/News/2024/240226.pdf" target="_blank"> UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank"> Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank"> Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank"> byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="15.0"> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank"> US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank"> SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank"> Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" target="_blank"> Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://github.com/dafthack/MailSniper" target="_blank"> Bullock, B., . (2018, November 20). MailSniper. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.justice.gov/usao-sdny/press-release/file/1045781/download" target="_blank"> DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common" target="_blank"> Microsoft. (2022, December 14). Conditional Access templates. Retrieved February 21, 2023. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://sec.okta.com/blockanonymizers" target="_blank"> Moussa Diallo and Brett Winterford. (2024, April 26). How to Block Anonymizing Services using Okta. Retrieved May 28, 2024. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://pages.nist.gov/800-63-3/sp800-63b.html" target="_blank"> Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing" target="_blank"> Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.mandiant.com/resources/blog/cloud-bad-log-configurations" target="_blank"> Pany, D. & Hanley, C. (2023, May 3). Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations. Retrieved October 16, 2023. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Brute Force: Password Spraying, Sub-technique T1110.003 - Enterprise | MITRE ATT&CK®