# T1110 Brute Force

-----------------------------------------------------------------------

## Technique Description

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.

## Technique Detection

Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.

-----------------------------------------------------------------------

### Tactics:

  * Credential-Access

### Platforms:

  * Windows

  * Azure AD

  * Office 365

  * SaaS

  * IaaS

  * Linux

  * macOS

  * Google Workspace

  * Containers

  * Network

### Data Sources:

  * **Application Log:** Application Log Content

  * **User Account:** User Account Authentication

  * **Command:** Command Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has brute forced RDP credentials.(Citation: ClearSky Pay2Kitten December 2020)| 
| DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) used brute-force attack to obtain login data.(Citation: Securelist DarkVishnya Dec 2018)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used Ncrack to reveal credentials.(Citation: FireEye APT39 Jan 2019)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.(Citation: CISA AA20-239A BeagleBoyz August 2020)| 
| FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.(Citation: DarkReading FireEye FIN5 Oct 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used brute force techniques to obtain credentials.(Citation: FireEye APT34 Webinar Dec 2017)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has attempted to brute force credentials to gain access.(Citation: CISA AA20-296A Berserk Bear December 2020)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has performed brute force attacks against administrator accounts.(Citation: ESET Lazarus Jun 2020)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) may attempt to connect to systems within a victim's network using <code>net use</code> commands and a predefined list or collection of passwords.(Citation: Kaspersky Turla)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) can perform brute force attacks to obtain credentials.(Citation: TrendMicro Pawn Storm 2019)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Microsoft Targeting Elections September 2020)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1110)

  * [Capec](https://capec.mitre.org/data/definitions/49.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 29 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, SSgt Sengsouriya Kapkeo

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Turla may attempt to connect to systems within a victim's network using `net use` commands and a predefined list or collection of passwords. Filtering for the SMB (TCP port 445) and Kerberos (TCP port 88) authentication attempts that these commands generate will help scope a hunt for brute force activity.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 1,2,4 | 1,2 |
| APT28 | 5 | |

#### Turla
- may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords

#### APT28
- has been known to brute force and password spray, likely through TOR

#### APT29
- has yet to be observed utilizing brute force techniques as of Q4 2020

## Detection Blindspots

- Sensor locations could prevent you from seeing authentication attempts.
- It is hard to determine brute force solely from a network operator's point of view.

## Analytical References

  * [The Epic Turla Operation](https://securelist.com/the-epic-turla-operation/65545/)
  * [APT28 Theft Office365 Logins (threatpost)](https://threatpost.com/apt28-theft-office365-logins/159195/)
  * [Prebuilt Rules (elastic)](https://www.elastic.co/guide/en/siem/guide/current/prebuilt-rules.html)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.
- Look for bursts of Sysmon Event ID 3 (network connection) events tied to RDP, telnet, SSH, Kerberos, and NTLM authentication.
- Look for bursts of Windows Security Event ID 4625 (failed logon) tied to RDP, telnet, SSH, Kerberos, and NTLM authentication.
- Use, but do not rely solely on, the Elastic prebuilt rules (https://www.elastic.co/guide/en/siem/guide/current/prebuilt-rules.html) for query architecture.

#### Analytic 1

  * **Information:** 'Identify any network connections being established related to users that have been identified as attempting multiple logons seen in Kerberos authentication.'

  * **Source:** 'Sysmon, Winlogbeats'

  * **Tool:** 'Kibana'

  * **Notes:** 'Creating a dashboard will assist in finding connections'

  * **Kibana Query:** `Event_ID: 3`

#### Analytic 2

  * **Information:** 'Identify if any net use commands are creating processes related to users that have been identified as attempting multiple logons seen in Kerberos authentication.'

  * **Source:** 'Sysmon, Winlogbeats'

  * **Tool:** 'Kibana'

  * **Notes:** 'Creating a dashboard will assist in finding connections'

  * **Kibana Query:** `Event_ID: 1`
  
  
#### Analytic 3

  * **Information:** 'Identify failures of user logons based on password.'

  * **Source:** 'Sysmon, Winlogbeats'

  * **Tool:** 'Kibana'

  * **Notes:** 

  * **Kibana Query:** `Event_ID:4625 AND Status.code:0xC000006A`
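An added example that is not part of the playbook: it applies Analytic 3 and the Hunter Notes above to constructed Winlogbeat-style 4625 records, separating one account hit many times from one source (brute force) from many accounts hit once each from one source (password spraying). The field names and the thresholds are assumptions to be mapped and tuned for your own index.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample shaped like flattened Winlogbeat 4625 records (hypothetical
# field names, map them to your index). 0xC000006A = bad password, 0xC0000064 = unknown user.
def _ev(ts, src, user, sub="0xC000006A"):
    return {"event_id": 4625, "@timestamp": ts, "source_ip": src,
            "user_name": user, "sub_status": sub}

SAMPLE_EVENTS = (
    # one account hammered six times in under a minute: brute force
    [_ev(f"2022-06-29T10:00:{s:02d}Z", "10.1.1.50", "jsmith") for s in range(0, 60, 10)]
    # six different accounts, one failure each: password spray
    + [_ev(f"2022-06-29T10:01:{s:02d}Z", "10.1.1.77", u)
       for s, u in zip(range(0, 60, 10), ["alice", "bob", "carol", "dave", "erin", "frank"])]
    # a user mistyping a password twice, plus an unknown-user failure: benign noise
    + [_ev("2022-06-29T10:05:00Z", "10.1.1.9", "helpdesk"),
       _ev("2022-06-29T10:05:30Z", "10.1.1.9", "helpdesk"),
       _ev("2022-06-29T10:06:00Z", "10.1.1.9", "nobody", sub="0xC0000064")]
)

def _ts(e):
    return datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def classify_failures(events, window=timedelta(minutes=5), per_account=5, spray_accounts=5):
    """Map source_ip -> {"brute_force": [accounts], "password_spray": bool}.
    Only 4625 events with sub-status 0xC000006A count. In any `window` starting at a
    failure, >= per_account failures on one account is brute force and >= spray_accounts
    distinct accounts is a spray. The thresholds are assumptions; tune per environment."""
    bad_pw = sorted((e for e in events
                     if e["event_id"] == 4625 and e["sub_status"] == "0xC000006A"), key=_ts)
    by_src = defaultdict(list)
    for e in bad_pw:
        by_src[e["source_ip"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        brute, spray = set(), False
        for i, first in enumerate(evs):          # slide the window over each start point
            per_user = Counter()
            for e in evs[i:]:
                if _ts(e) - _ts(first) > window:
                    break
                per_user[e["user_name"]] += 1
            brute |= {u for u, n in per_user.items() if n >= per_account}
            spray = spray or len(per_user) >= spray_accounts
        if brute or spray:
            findings[src] = {"brute_force": sorted(brute), "password_spray": spray}
    return findings
```

The flagged source addresses and accounts are the pivot for Analytics 1 and 2: filter Sysmon Event ID 3 and net.exe process creations on those users next.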
  
#### Analytic 4

  * **Information:**  Identify the SYSTEM account using the Net utility (Turla TTP).

  * **Source:** 'Sysmon, Winlogbeats'

  * **Tool:** 'Kibana'

  * **Notes:** 

  * **Kibana Query:** `(process.name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and user.name:SYSTEM and event.action:"Process Create (rule: ProcessCreate)"`


#### Analytic 5 

  * **Information:** Detecting TOR activity to the internet. (APT 28 TTP)

  * **Source:** 'Sysmon, Winlogbeats'

  * **Tool:** 'Kibana'

  * **Notes:** These ports are in the ephemeral range, so this rule may produce false positives under certain conditions, such as when a NATed web server replies to a client that happened to use one of these ports as its source port. In that case, such servers can be excluded if desired.

  * **Kibana Query:** `network.transport:tcp and destination.port:(9001 or 9030) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")`



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Network traffic isn't the best way to detect this TTP; host tools are a better way to detect it.
- Analyze traffic for a significant number of failed or repeated attempts at Kerberos authentication.
- Creating a Kibana visualization/dashboard can assist in identifying users or systems with multiple failed logon attempts, making those users easy to track.

<p align="center">
<img src="../../Images/T1110_Brute_Force_krb5.png">
</p>

- <font color="red"> CNAME - contains the user name being authenticated </font>
- <font color="green"> SNAME - the service name being requested (Windows domain name) </font>
- <font color="blue"> REALM - contains the domain the users authenticated to </font>

#### Analytic 1

  * **Information:** 'Identify any Kerberos authentication attempts '

  * **Source:** 'PCAP'

  * **Tool:** 'Arkime'

  * **Notes:** 'Coordination with Host will be needed to verify whether logons succeeded or failed'

  * **Arkime Query:** `protocols == krb5 && krb5.realm == EXISTS! && krb5.cname == EXISTS! && krb5.sname == EXISTS!`
  

#### Analytic 2

  * **Information:** 'Identify smb, dcerpc traffic that may contain logon commands seen across the network.'

  * **Source:** 'PCAP'

  * **Tool:** 'Arkime'

  * **Notes:** 'Exporting SMB traffic with unique and counts will assist in identifying shares being accessed'

  * **Arkime Query:** `protocols==[smb, dcerpc] && smb.share == EXISTS!`
