Esc
Brute Force - T1110
(ATT&CK® Technique)
Definition
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1110["Brute Force"] --> |accesses| Password["Password"]; class T1110 OffensiveTechniqueNode;
class Password ArtifactNode; click Password href "/dao/artifact/d3f:Password";
click T1110 href "/offensive-technique/attack/T1110/"; click Password href "/dao/artifact/d3f:Password"; T1110["Brute Force"] --> |modifies| AuthenticationLog["Authentication Log"]; class T1110 OffensiveTechniqueNode;
class AuthenticationLog ArtifactNode; click AuthenticationLog href "/dao/artifact/d3f:AuthenticationLog";
click T1110 href "/offensive-technique/attack/T1110/"; click AuthenticationLog href "/dao/artifact/d3f:AuthenticationLog"; T1110["Brute Force"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1110 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1110 href "/offensive-technique/attack/T1110/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1110["Brute Force"] --> |produces| Authentication["Authentication"]; class T1110 OffensiveTechniqueNode;
class Authentication ArtifactNode; click Authentication href "/dao/artifact/d3f:Authentication";
click T1110 href "/offensive-technique/attack/T1110/"; click Authentication href "/dao/artifact/d3f:Authentication"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| May Detect | T1110["Brute Force"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| May Detect | T1110["Brute Force"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | Password["Password"];
DecoyUserCredential["Decoy User Credential"] -.->
| May Deceive | T1110["Brute Force"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class Password ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| May Detect | T1110["Brute Force"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| May Detect | T1110["Brute Force"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; SessionDurationAnalysis["Session Duration Analysis"] -->
| analyzes | Authentication["Authentication"];
SessionDurationAnalysis["Session Duration Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class SessionDurationAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis"; ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
| analyzes | Authentication["Authentication"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | Password["Password"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| May Detect | T1110["Brute Force"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class Password ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; AuthenticationEventThresholding["Authentication Event Thresholding"] -->
| analyzes | Authentication["Authentication"];
AuthenticationEventThresholding["Authentication Event Thresholding"] -.->
| May Detect | T1110["Brute Force"] ;
class AuthenticationEventThresholding DefensiveTechniqueNode;
class Authentication ArtifactNode;
click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding"; CredentialRevocation["Credential Revocation"] -->
| deletes | Password["Password"];
CredentialRevocation["Credential Revocation"] -.->
| May Evict | T1110["Brute Force"] ;
class CredentialRevocation DefensiveTechniqueNode;
class Password ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | Password["Password"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| May Evict | T1110["Brute Force"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class Password ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | Password["Password"];
StrongPasswordPolicy["Strong Password Policy"] -.->
| May Harden | T1110["Brute Force"] ;
class StrongPasswordPolicy DefensiveTechniqueNode;
class Password ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| restricts | Password["Password"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| May Harden | T1110["Brute Force"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class Password ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; One-timePassword["One-time Password"] -->
| use-limits | Password["Password"];
One-timePassword["One-time Password"] -.->
| May Harden | T1110["Brute Force"] ;
class One-timePassword DefensiveTechniqueNode;
class Password ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; CredentialRotation["Credential Rotation"] -->
| regenerates | Password["Password"];
CredentialRotation["Credential Rotation"] -.->
| May Harden | T1110["Brute Force"] ;
class CredentialRotation DefensiveTechniqueNode;
class Password ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| May Isolate | T1110["Brute Force"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; ReissueCredential["Reissue Credential"] -->
| restores | Password["Password"];
ReissueCredential["Reissue Credential"] -.->
| May Restore | T1110["Brute Force"] ;
class ReissueCredential DefensiveTechniqueNode;
class Password ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential";