T1110 covers credential-guessing attacks: password spraying, credential stuffing and brute-force authentication. It remains the workhorse technique behind cloud-identity intrusion attempts. DCV maps GuardDuty's RDPBruteForce, SSHBruteForce and RDS SuccessfulBruteForce findings as protocol-specific detections: the two EC2 findings flag an instance that is the target (or the source) of repeated RDP or SSH connection attempts, and the RDS finding flags a successful database login that follows a run of failed attempts from the same source. GCP SCC's BRUTE_FORCE_SSH covers the GCP equivalent, and Azure MFA policies are flagged as the preventive baseline rather than as a detection. T1110 is one of the few techniques where high-fidelity signature detections exist out of the box, with the caveat that each one sees only the protocol and log source it is wired to: guessing against the AWS console, Entra ID or Google sign-in endpoints is not covered by these findings and needs rules over the sign-in logs themselves.
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to Valid Accounts within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. Adversaries may also combine brute forcing activity with behaviors such as External Remote Services as part of Initial Access.
If an adversary guesses the correct password but fails to log in to a compromised account because of location-based conditional access policies, they may change their infrastructure until it matches the victim's location and thereby bypass those policies.
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.
DCV maps 42 detections across 3 cloud providers to T1110. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Security Hub | AWS | 10 | 0.85 |
| AWS GuardDuty | AWS | 8 | 0.89 |
| AWS Config Rules | AWS | 5 | 0.80 |
| GCP Security Command Center | GCP | 5 | 0.84 |
| Microsoft Defender for Cloud | Azure | 5 | 0.88 |
| Azure Policy | Azure | 4 | 0.82 |
| Azure Regulatory Compliance | Azure | 4 | 0.90 |
| GCP Chronicle | GCP | 1 | 0.95 |
CloudSigma has coverage metadata for 42 T1110 rules across 4 platforms, but no public example rule clears the embed bar for this page yet. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the bar. In the meantime, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry (failure thresholds, window length, and which fields your log pipeline actually populates) before enabling it in production.
DCV maps 42 cloud-native detections to T1110 across 3 cloud providers, drawn from AWS Config Rules, AWS GuardDuty, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle, GCP Security Command Center and Microsoft Defender for Cloud.
T1110 is part of MITRE ATT&CK TA0006 Credential Access: How adversaries steal credentials, account names and passwords.
CloudSigma ships 4 validated Sigma rules for T1110 across AWS CloudTrail, Azure Activity, GCP Audit Logs and ModSecurity. Each rule is validated against its source SIEM dialect before publication.