Brute Force: Password Guessing T1110.001

Tactic: Credential Access

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 44 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (100 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (for this technique: eq, in, ne, starts_with, is_not_null, cidr_match, ge, gt) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| EventType | 16 | eq 9, in 7, starts_with 3 | ssh_login, user_login, logon-failed, user.authentication., user.session.start |
| data_stream.dataset | 11 | eq 11 | azure.signinlogs, okta.system, o365.audit, aws.cloudtrail |
| sourcetype | 10 | eq 10 | azure:monitor:aad, aws:cloudtrail, o365:management:activity, aws:asl, cisco:asa |
| event.category | 9 | eq 9 | authentication, process |
| event.outcome | 8 | eq 8 | failure, success |
| src_ip | 6 | is_not_null 5, ne 2, cidr_match 1 | 0.0.0.0, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 127.0.0.1 |
| EventID | 5 | eq 5 | 4625, 4624, 5156, security.threat.detected |
| Esql.event_count | 4 | ge 4 | 10, 20, 30 |
| LogonType | 4 | eq 4 | Network |
| azure_ad::result_type | 4 | eq 2, in 2, ne 1 | 120000, 120002, 120020, 500121, 50053 |
| count | 4 | gt 3, ge 1 | 20, 10, 3 |
| host.os.type | 4 | eq 4 | |
| Provider_Name | 3 | in 2, eq 1 | AzureActiveDirectory, Exchange, signin.amazonaws.com |
| aws::eventName | 3 | eq 3 | GetPasswordData, ConsoleLogin |
| azure_ad::signin_category | 3 | in 3 | NonInteractiveUserSignInLogs, SignInLogs |

Top indicator values (251 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition (a threshold, a second field, or an exclusion) for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| event.category | eq | authentication | 8 | 31 |
| event.outcome | eq | failure | 8 | 16 |
| EventID | eq | 4625 | 4 | 15 |
| EventID | eq | 4624 | 2 | 25 |
| EventType | in | ssh_login | 4 | 5 |
| EventType | in | user_login | 4 | 5 |
| EventType | in | PasswordLogonInitialAuthUsingPassword | 2 | 2 |
| EventType | in | UserLoginFailed | 2 | 2 |
| LogonType | eq | Network | 4 | 40 |
| data_stream.dataset | eq | azure.signinlogs | 4 | 30 |
| data_stream.dataset | eq | okta.system | 4 | 48 |
| EventType | eq | logon-failed | 3 | 3 |
| EventType | eq | user.session.start | 3 | 8 |
| EventType | starts_with | user.authentication. | 3 | 8 |
| azure_ad::signin_category | in | NonInteractiveUserSignInLogs | 3 | 3 |
| azure_ad::signin_category | in | SignInLogs | 3 | 3 |
| category | eq | SignInLogs | 3 | 12 |
| sourcetype | eq | azure:monitor:aad | 3 | 47 |
| Esql.brute_force_type | ne | other | 2 | 2 |
| Esql.event_count | ge | 10 | 2 | 8 |
| Esql.total_attempts | ge | 10 | 2 | 2 |
| Operation | eq | UserLoginFailed | 2 | 8 |
| Provider_Name | in | AzureActiveDirectory | 2 | 2 |
| Provider_Name | in | Exchange | 2 | 2 |
| TargetDomainName | ne | NT AUTHORITY | 2 | 6 |
| Workload | eq | AzureActiveDirectory | 2 | 31 |
| aws::eventName | eq | GetPasswordData | 2 | 4 |
| aws::userAgent | ne | Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0 | 2 | 2 |
| azure_ad::authentication_requirement | eq | singleFactorAuthentication | 2 | 8 |
| azure_ad::result_type | in | 120000 | 2 | 2 |

Exclusions (96 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: status codes that mean a policy or account-state failure rather than a wrong password, and loopback sources. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| Status | in | 0xc000005e | 2 |
| Status | in | 0xc00000dc | 2 |
| Status | in | 0xc0000133 | 2 |
| Status | in | 0xc000015b | 2 |
| Status | in | 0xc0000192 | 2 |
| TO_IP(source.ip) | cidr_match | 127.0.0.0/8 | 2 |
| TO_IP(source.ip) | cidr_match | ::1 | 2 |
| Esql.o365_audit_LogonError | in | CmsiInterrupt | 1 |
| Esql.o365_audit_LogonError | in | EntitlementGrantsNotFound | 1 |
| Esql.o365_audit_LogonError | in | InvalidReplyTo | 1 |
| Esql.o365_audit_LogonError | in | PasswordResetRegistrationRequiredInterrupt | 1 |
| Esql.o365_audit_LogonError | in | SsoArtifactExpiredDueToConditionalAccess | 1 |
| Esql.o365_audit_LogonError | in | SsoUserAccountNotFoundInResourceTenant | 1 |
| Esql.o365_audit_LogonError | in | UserStrongAuthClientAuthNRequired | 1 |
| Esql.o365_audit_LogonError | in | UserStrongAuthEnrollmentRequired | 1 |
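The two authoring points above (a high-reach indicator such as EventID 4625 needs a second condition, and the Status and loopback exclusions remove known noisy paths) can be seen working together in the following added example. It is not a rule from the catalog or from any vendor; it is a small Python detector over constructed Windows Security events. It takes its indicator (EventID 4625), threshold (event count ge 10) and exclusion values (the five Status codes, 127.0.0.0/8 and ::1) from the tables on this page, and assumes a five-minute sliding window and the field names IpAddress, TargetUserName, Status and ts, none of which the page specifies.

```python
"""Added example: per-source failed-logon detector for T1110.001.

Not catalog code. Indicator, threshold and exclusion values come from the
tables above; the 5-minute window and the event field names are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Status values excluded by two rules under this technique. They mark policy or
# account-state failures, not a wrong password, so they are not guessing evidence.
EXCLUDED_STATUS = {"0xc000005e", "0xc00000dc", "0xc0000133", "0xc000015b", "0xc0000192"}

# Source ranges excluded via cidr_match on this page (loopback traffic).
EXCLUDED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

THRESHOLD = 10                  # Esql.event_count ge 10, the most common threshold above
WINDOW = timedelta(minutes=5)   # assumption: the page lists no window length


def is_excluded_source(ip_str):
    """True for loopback sources or unparsable addresses (treated as excluded)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return any(ip in net for net in EXCLUDED_SOURCES)


def candidate_failures(events):
    """Yield EventID 4625 records that survive the Status and source exclusions."""
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        if ev.get("Status", "").lower() in EXCLUDED_STATUS:
            continue
        if is_excluded_source(ev.get("IpAddress", "")):
            continue
        yield ev


def count_failures(events):
    """Return (raw 4625 count, count after exclusions) to show how much of the
    noisy indicator the exclusion clauses remove."""
    raw = sum(1 for ev in events if ev.get("EventID") == 4625)
    return raw, sum(1 for _ in candidate_failures(events))


def detect_password_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: (max failures in one window, distinct target users)}
    for every source that reaches the threshold inside a sliding window.
    The distinct-user count helps separate guessing (one account) from spraying."""
    by_src = defaultdict(list)
    for ev in candidate_failures(events):
        by_src[ev["IpAddress"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (src not in alerts or n > alerts[src][0]):
                users = {e["TargetUserName"] for e in evs[start:end + 1]}
                alerts[src] = (n, len(users))
    return alerts


# Constructed sample events (not real telemetry).
BASE = datetime(2024, 1, 1, 12, 0, 0)


def _ev(src, user, status, seconds):
    return {"EventID": 4625, "IpAddress": src, "TargetUserName": user,
            "Status": status, "ts": BASE + timedelta(seconds=seconds)}


SAMPLE_EVENTS = (
    # 12 wrong-password failures from one source within two minutes: should alert
    [_ev("10.0.0.5", "alice", "0xC000006A", 10 * i) for i in range(12)]
    # 12 failures whose Status is on the exclusion list: filtered, no alert
    + [_ev("10.0.0.7", "bob", "0xC0000192", 10 * i) for i in range(12)]
    # 15 failures from loopback: removed by the cidr_match exclusion
    + [_ev("127.0.0.1", "svc", "0xC000006A", 5 * i) for i in range(15)]
    # 8 failures: below the threshold
    + [_ev("10.0.0.9", "carol", "0xC000006A", 20 * i) for i in range(8)]
    # a successful logon (4624) is never counted by the 4625 filter
    + [{"EventID": 4624, "IpAddress": "10.0.0.5", "TargetUserName": "alice",
        "Status": "0x0", "ts": BASE + timedelta(seconds=200)}]
)

if __name__ == "__main__":
    print("raw vs filtered 4625 count:", count_failures(SAMPLE_EVENTS))
    print("alerts:", detect_password_guessing(SAMPLE_EVENTS))
```

Of the 47 constructed 4625 events only 20 survive the exclusions, and only one source crosses the threshold; the loopback burst and the excluded-Status burst would both have fired a rule that keys on EventID 4625 alone.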

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule has its own page with its full predicates, exclusions, and indicators.


- Sigma: 4 rules
- Elastic: 21 rules
- Splunk: 13 rules
- Kusto: 1 rule
- YARA-L: 3 rules
- Panther: 2 rules