detection.wiki

ATT&CK coverage › Technique

Brute Force T1110

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Events covered

13 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon3Network connection
Security-Auditing4624An account was successfully logged on.
Security-Auditing4625An account failed to log on.
Security-Auditing4634An account was logged off.
Security-Auditing4688A new process has been created.
Security-Auditing5152The Windows Filtering Platform blocked a packet.
Security-Auditing5154The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
Security-Auditing5155The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
Security-Auditing5156The Windows Filtering Platform has permitted a connection.
Security-Auditing5157The Windows Filtering Platform has blocked a connection.
Security-Auditing5158The Windows Filtering Platform has permitted a bind to a local port.
Security-Auditing5159The Windows Filtering Platform has blocked a bind to a local port.

Authoring guide

Patterns shared across the 13 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (24 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
LogonType5eq 5Network, 10, 3
EventType4eq 4logon-failed, logged-in, Logon
src_ip4ne 2, eq 2, cidr_match 2-, 10.0.0.0/8, ::1/128, DstIpAddr
source.ip3is_not_null 2, ne 1127.0.0.1, ::1
user.domain2ne 2NT AUTHORITY
event.category2eq 2authentication
computer_name2is_not_null 2
Esql.failed_auth_count2ge 2100, 50
EventID2eq 1, in 14625, 4624
CommandLine2match 2 mssql , -x , --local-auth, ^PASS^, ^USER^
Esql.count_distinct_target_user_name1ge 12
Esql.count_distinct_user_name1ge 12
TargetUserType1ne 1NonInteractive
FailureCount1ge 1failureCountThreshold
SuccessCount1ge 1successCountThreshold

Top indicator values (59 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
EventTypeeqlogon-failed33
LogonTypeeqNetwork34
user.domainneNT AUTHORITY22
event.categoryeqauthentication25
src_ipeq-22
src_ipcidr_match192.168.0.0/1623
src_ipcidr_match172.16.0.0/1223
src_ipcidr_match::1/12824
src_ipcidr_matchfc00::/724
src_ipcidr_match127.0.0.0/824
src_ipcidr_match169.254.0.0/1624
src_ipcidr_matchfe80::/1024
src_ipcidr_match10.0.0.0/823
EventTypeeqlogged-in17
source.ipne::117
source.ipne127.0.0.118
Esql.failed_auth_countge1001
Esql.count_distinct_target_user_namege21
Esql.count_distinct_user_namege21
Esql.failed_auth_countge501

Common exclusions (17 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
Statusin0xc00001332
Statusin0xc000005e2
Statusin0xc000015b2
Statusin0xc00000dc2
Statusin0xc00001922
userwildcard*$1
user.ideqS-1-0-01
userwildcardANONYMOUS LOGON1
Statuseq0xC000015B1
Statuseq0XC000005E1
Statuseq0XC00001921
userwildcard-1
Statuseq0XC00001331
TargetUserSideqS-1-0-01
userends_with$1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Elastic 3 rules

Kusto Query Language 6 rules