MITRE ATT&CK · TA0006 Credential Access

T1110.001: Brute Force: Password Guessing

T1110.001 is password guessing against live services: SSH and RDP daemons, database logins, identity-provider portals. It stays popular because it keeps working. DCV's detection set is unusually concrete here: GuardDuty's UnauthorizedAccess:EC2/SSHBruteForce and RDPBruteForce findings watch instance-level guessing, the CredentialAccess:RDS family flags failed-login storms and the successful login that follows them, and Chronicle's BRUTE_FORCE rules cover GCP. The dangerous event is not the thousandth failure; it is the success immediately after it.

01 What is T1110.001?

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

* SSH (22/TCP)
* Telnet (23/TCP)
* FTP (21/TCP)
* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
* LDAP (389/TCP)
* Kerberos (88/TCP)
* RDP / Terminal Services (3389/TCP)
* HTTP / HTTP Management Services (80/TCP & 443/TCP)
* MSSQL (1433/TCP)
* Oracle (1521/TCP)
* MySQL (3306/TCP)
* VNC (5900/TCP)
* SNMP (161/UDP and 162/TCP/UDP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications such as Office 365. Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible Wi-Fi routers via wireless authentication protocols.

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events than attempts over SMB, which create Windows "logon failure" event ID 4625.

Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.

02 Coverage in DCV

DCV maps 13 detections across 2 cloud providers to T1110.001. Coverage by source:

Source            Cloud   Findings mapped   Avg confidence
AWS Security Hub  AWS     7                 0.80
AWS GuardDuty     AWS     5                 0.92
GCP Chronicle     GCP     1                 0.90

03 Detect with CloudSigma

CloudSigma has coverage metadata for 13 T1110.001 rules across 6 platforms. The linked platform page remains the canonical rule surface; this page will embed an example once a rule clears the public embed bar. Until then, generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.

04 Related techniques

05 FAQ

What is T1110.001 (Brute Force: Password Guessing)?

T1110.001 is password guessing against live services: SSH and RDP daemons, database logins, identity-provider portals. It stays popular because it keeps working. DCV's detection set is unusually concrete here: GuardDuty's UnauthorizedAccess:EC2/SSHBruteForce and RDPBruteForce findings watch instance-level guessing, the CredentialAccess:RDS family flags failed-login storms and the successful login that follows them, and Chronicle's BRUTE_FORCE rules cover GCP. The dangerous event is not the thousandth failure; it is the success immediately after it.
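The "failure storm followed by a success" pattern described in the introduction and in this FAQ answer, as an added example rather than anything from DCV, GuardDuty or Chronicle: a small detector over constructed OpenSSH auth-log lines that flags a source once it crosses a failure threshold inside a sliding window, and separately flags any successful login from that source while the window is still hot. The threshold, window, host names and addresses are all assumptions chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH auth-log lines for both outcomes, e.g.
#   "Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2"
#   "Accepted password for deploy from 203.0.113.5 port 51008 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return ('storm', src, n) once a source reaches `threshold` failures inside
    `window`, and ('success_after_storm', src, user) for every login that succeeds
    from that source while the window still holds a storm's worth of failures."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    storm_flagged = set()           # report the storm itself only once per source
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, outcome, user, src = parsed
        q = failures[src]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in storm_flagged:
                storm_flagged.add(src)
                findings.append(("storm", src, len(q)))
        elif len(q) >= threshold:
            # the event that matters: a success riding on a failure storm
            findings.append(("success_after_storm", src, user))
    return findings

# Constructed sample (assumed host/addresses): six guesses from one source, then a
# success from the same source, then an unrelated normal login that must stay quiet.
SAMPLE_LOG = [
    f"Jun 11 10:00:0{i} bastion sshd[10{i}]: Failed password for invalid user admin from 203.0.113.5 port 5100{i} ssh2"
    for i in range(1, 7)
] + [
    "Jun 11 10:00:09 bastion sshd[1009]: Accepted password for deploy from 203.0.113.5 port 51009 ssh2",
    "Jun 11 10:00:12 bastion sshd[1010]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The same shape (per-source failure counter with a sliding window, plus a success check against that counter) is what a SIEM correlation rule expresses declaratively; the `success_after_storm` finding is the one to route at high severity.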

Where does T1110.001 appear in cloud detection sources?

DCV maps 13 cloud-native detections to T1110.001 across 2 cloud providers, drawn from AWS GuardDuty, AWS Security Hub and GCP Chronicle.

What MITRE ATT&CK tactic does T1110.001 belong to?

T1110.001 is part of MITRE ATT&CK TA0006 Credential Access: How adversaries steal credentials, account names and passwords.

How does CloudSigma fit for T1110.001?

CloudSigma ships 6 validated Sigma rules for T1110.001 across AWS CloudTrail, Azure Activity, Entra ID Sign-in, GCP Audit Logs, Okta System Log and Windows Security. Each rule is validated against its source SIEM dialect before publication.

Sources
  • MITRE ATT&CK, T1110.001 Brute Force: Password Guessing, https://attack.mitre.org/techniques/T1110/001/
  • MITRE ATT&CK, Tactic TA0006 Credential Access, https://attack.mitre.org/tactics/TA0006/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings, https://center-for-threat-informed-defense.github.io/security-stack-mappings/
Last verified: 2026-06-11