Brute Force T1110

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Events covered

22 catalog events are tagged with this technique by at least one rule.

| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Security-Auditing | Event ID 4624 | An account was successfully logged on. |
| Security-Auditing | Event ID 4625 | An account failed to log on. |
| Security-Auditing | Event ID 4634 | An account was logged off. |
| Security-Auditing | Event ID 4648 | A logon was attempted using explicit credentials. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4723 | An attempt was made to change an account's password. |
| Security-Auditing | Event ID 4724 | An attempt was made to reset an account's password. |
| Security-Auditing | Event ID 4768 | A Kerberos authentication ticket (TGT) was requested. |
| Security-Auditing | Event ID 4771 | Kerberos pre-authentication failed. |
| Security-Auditing | Event ID 4776 | The domain controller attempted to validate the credentials for an account. |
| Security-Auditing | Event ID 5152 | The Windows Filtering Platform blocked a packet. |
| Security-Auditing | Event ID 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| Security-Auditing | Event ID 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| Security-Auditing | Event ID 5156 | The Windows Filtering Platform has permitted a connection. |
| Security-Auditing | Event ID 5157 | The Windows Filtering Platform has blocked a connection. |
| Security-Auditing | Event ID 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
| Security-Auditing | Event ID 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
| Defender-DeviceLogonEvents | LogonSuccess | Logon succeeded |
| Defender-DeviceLogonEvents | LogonFailed | Logon failed |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |

Authoring guide

Patterns shared across the 45 rules under this technique (listed by vendor at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row, even if it references the same field in several predicates.

Fields filtered most (73 distinct)

The fields most rules look at when detecting this technique. The Rules column is the number of rules that filter on the field at all; the How column lists the operators authors apply to it (eq, in, ne, contains, match, cidr_match, gt, ge, is_not_null) and how many rules use each, so one rule can appear under more than one operator. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| EventID | 26 | eq 24, in 2 | 4625, 4624, 4768, 4776, 4648 |
| Channel | 17 | eq 17, in 17 | |
| eventtype | 17 | eq 17 | |
| LogonType | 13 | eq 12, ne 1 | Network, Interactive, RemoteInteractive, Unlock |
| Status | 11 | eq 10, in 1 | 0x12, 0x18, 0x6, 0xC000006A, 0xc0000064 |
| TargetUserName | 11 | ne 10, eq 1 | *$, Administrator |
| isOutlier | 10 | eq 10 | 1 |
| src_ip | 8 | ne 4, cidr_match 2, eq 2, is_not_null 2 | -, 10.0.0.0/8, 127.0.0.0/8, 127.0.0.1, ::1 |
| unique_accounts | 8 | gt 8 | 30 |
| EventType | 4 | eq 3, in 1 | logon-failed, LogonFailed, LogonSuccess, logged-in |
| CommandLine | 3 | contains 3, match 1 | --local-auth, -d , -h , -a , -m 1000 |
| security_result.action | 3 | eq 3 | BLOCK, ALLOW |
| .25 | 2 | gt 2 | |
| AccountType | 2 | eq 2 | User |
| Esql.failed_auth_count | 2 | ge 2 | 100, 50 |

Top indicator values (154 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own (EventID eq 4625 or LogonType eq Network by itself is not a brute-force signal); combine them with another condition such as a failure Status code, an account count over a window, or a source-IP aggregation for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| EventID | eq | 4625 | 12 | 15 |
| EventID | eq | 4768 | 4 | 13 |
| EventID | eq | 4776 | 4 | 5 |
| EventID | eq | 4624 | 3 | 26 |
| EventID | eq | 4648 | 2 | 5 |
| EventID | eq | 4771 | 2 | 2 |
| TargetUserName | ne | *$ | 10 | 14 |
| isOutlier | eq | 1 | 10 | 18 |
| LogonType | eq | Network | 9 | 39 |
| LogonType | eq | Interactive | 2 | 4 |
| unique_accounts | gt | 30 | 8 | 8 |
| EventType | eq | logon-failed | 3 | 3 |
| security_result.action | eq | BLOCK | 3 | 3 |
| security_result.action | eq | ALLOW | 2 | 2 |
| AccountType | eq | User | 2 | 9 |
| Status | eq | 0x12 | 2 | 2 |
| Status | eq | 0x18 | 2 | 2 |
| Status | eq | 0x6 | 2 | 3 |
| Status | eq | 0xC000006A | 2 | 2 |
| Status | eq | 0xc0000064 | 2 | 2 |
| TargetDomainName | ne | NT AUTHORITY | 2 | 5 |
| Target_User_Name | ne | *$ | 2 | 2 |
| event.category | eq | authentication | 2 | 5 |
| process_name | ne | - | 2 | 2 |
| src_ip | cidr_match | 10.0.0.0/8 | 2 | 4 |
| src_ip | cidr_match | 127.0.0.0/8 | 2 | 6 |
| src_ip | cidr_match | 169.254.0.0/16 | 2 | 5 |
| src_ip | cidr_match | 172.16.0.0/12 | 2 | 4 |
| src_ip | cidr_match | 192.168.0.0/16 | 2 | 4 |
| src_ip | cidr_match | ::1/128 | 2 | 4 |

Exclusions (41 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: machine accounts (TargetUserName ending in $), loopback, link-local and RFC 1918 source ranges, and NTSTATUS codes that signal an infrastructure problem (no logon server, clock skew, logon type not granted) rather than a wrong password. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| src_ip | cidr_match | 10.0.0.0/8 | 3 |
| src_ip | cidr_match | 127.0.0.0/8 | 3 |
| src_ip | cidr_match | 169.254.0.0/16 | 3 |
| src_ip | cidr_match | 172.16.0.0/12 | 3 |
| src_ip | cidr_match | 192.168.0.0/16 | 3 |
| src_ip | cidr_match | ::1/128 | 2 |
| src_ip | cidr_match | fc00::/7 | 2 |
| src_ip | cidr_match | fe80::/10 | 2 |
| Status | in | 0xc000005e | 2 |
| Status | in | 0xc00000dc | 2 |
| Status | in | 0xc0000133 | 2 |
| Status | in | 0xc000015b | 2 |
| Status | in | 0xc0000192 | 2 |
| TO_IP(source.ip) | cidr_match | 127.0.0.0/8 | 2 |
| TO_IP(source.ip) | cidr_match | ::1 | 2 |
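The predicates and exclusions above, run end to end over sample events, as an added example that is not one of the catalog's rules or any vendor's code. It keeps the catalog's normalized field names (EventID, Status, TargetUserName, src_ip), matches the listed Kerberos and NTLM failure codes, drops the listed excluded Status codes, machine accounts and private/loopback source ranges, and raises a password-spray finding when one source fails against more than 30 distinct accounts (the catalog's unique_accounts gt 30). The functions is_candidate, detect and constructed_events, the exclude_internal switch and the event records are all constructed for this example; the records are not real logs.

```python
"""Brute-force / password-spray detection over normalized Windows logon events.

Added example, not catalog or vendor code. Field names and values come from
the technique page: EventID 4625/4771/4776, the Status codes the rules match
and exclude, the TargetUserName "*$" exclusion, the src_ip CIDR exclusions
and the unique_accounts > 30 threshold. All events below are constructed.
"""
import ipaddress
from collections import defaultdict

FAILED_LOGON_EVENTS = {4625, 4771, 4776}
# Kerberos (0x6, 0x12, 0x18) and NTLM (0xC000006A, 0xC0000064) failure codes
# from the "Top indicator values" table; compared lower-cased.
FAILURE_STATUS = {"0x6", "0x12", "0x18", "0xc000006a", "0xc0000064"}
# Codes the rules exclude: infrastructure errors, not bad guesses.
EXCLUDED_STATUS = {"0xc000005e", "0xc00000dc", "0xc0000133", "0xc000015b", "0xc0000192"}
# Ranges the rules exclude with not(src_ip cidr_match ...).
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
UNIQUE_ACCOUNTS_THRESHOLD = 30  # "unique_accounts gt 30"


def is_candidate(ev: dict, exclude_internal: bool = True) -> bool:
    """Apply the technique's include and exclude predicates to one event."""
    if ev.get("EventID") not in FAILED_LOGON_EVENTS:
        return False
    status = str(ev.get("Status", "")).lower()
    if status in EXCLUDED_STATUS or status not in FAILURE_STATUS:
        return False
    if ev.get("TargetUserName", "").endswith("$"):   # not(TargetUserName eq *$)
        return False
    src = ev.get("src_ip")
    if src in (None, "", "-"):                       # src_ip is_not_null / ne "-"
        return False
    if exclude_internal:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return True          # unparsable source: keep, do not silently drop
        # IPv4 addresses never match IPv6 networks and vice versa.
        if any(addr in net for net in EXCLUDED_NETS):
            return False
    return True


def detect(events, threshold: int = UNIQUE_ACCOUNTS_THRESHOLD,
           exclude_internal: bool = True) -> dict:
    """Group candidate failures by source; return sources that failed against
    more than `threshold` distinct accounts, with their counts."""
    by_src = defaultdict(lambda: {"accounts": set(), "failures": 0})
    for ev in events:
        if not is_candidate(ev, exclude_internal):
            continue
        bucket = by_src[ev["src_ip"]]
        bucket["accounts"].add(ev["TargetUserName"].lower())
        bucket["failures"] += 1
    return {src: {"unique_accounts": len(b["accounts"]), "failures": b["failures"]}
            for src, b in by_src.items() if len(b["accounts"]) > threshold}


def constructed_events() -> list:
    """Constructed sample events (not real logs) exercising each path."""
    evs = []
    for i in range(35):   # external NTLM spray: 35 accounts, one bad password each
        evs.append({"EventID": 4625, "Status": "0xC000006A",
                    "TargetUserName": f"user{i:02d}", "src_ip": "203.0.113.7"})
    for i in range(40):   # internal Kerberos spray: pre-auth failure 0x18
        evs.append({"EventID": 4771, "Status": "0x18",
                    "TargetUserName": f"emp{i:02d}", "src_ip": "10.0.0.5"})
    for i in range(40):   # noise: machine accounts, excluded status, blank source
        evs.append({"EventID": 4625, "Status": "0xC000006A",
                    "TargetUserName": f"WS{i:02d}$", "src_ip": "198.51.100.9"})
        evs.append({"EventID": 4776, "Status": "0xC000015B",
                    "TargetUserName": f"svc{i:02d}", "src_ip": "198.51.100.10"})
        evs.append({"EventID": 4625, "Status": "0xC000006A",
                    "TargetUserName": f"user{i:02d}", "src_ip": "-"})
    evs.append({"EventID": 4776, "Status": "0xC0000064",   # one failure: below threshold
                "TargetUserName": "nosuchuser", "src_ip": "203.0.113.8"})
    return evs


if __name__ == "__main__":
    evs = constructed_events()
    print("external only:", detect(evs))
    print("internal included:", detect(evs, exclude_internal=False))
```

With the catalog's exclusions applied as written, only 203.0.113.7 is reported; the internal spray from 10.0.0.5 is dropped by the 10.0.0.0/8 exclusion, which is the trade-off those three rules make to suppress noise from domain members. Run with exclude_internal=False (or scope the CIDR exclusion to known scanners and jump hosts) when the rule is meant to catch lateral spraying. Two further caveats when moving this to real 4625 data: the bad-password and unknown-user codes usually arrive in SubStatus while Status is 0xC000006D, so a production rule checks both fields, and the count should be taken over a short time window rather than over the whole input.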

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule carries its full predicates, exclusions, and indicators.

Sigma 6 rules

Elastic 3 rules

Splunk 25 rules

Kusto 8 rules

YARA-L 3 rules