Technique ID: T1110
Category: MITRE ATT&CK
Tactics: Credential Access
Published: March 2026

T1110: Brute Force

A botnet of compromised SOHO routers sends one password guess per account per hour across thousands of Microsoft 365 accounts. A ransomware affiliate hammers an exposed RDP server with credential combinations from a dark web combo list. A nation-state actor cracks NTLM hashes offline using GPU clusters, recovering domain admin passwords in minutes. Brute Force is the technique adversaries use to systematically guess, spray, stuff, or crack passwords to gain unauthorized access — and it is now the number one initial infection vector for ransomware. The Mandiant M-Trends 2025 Report found that brute force attacks accounted for 26% of ransomware initial access, surpassing stolen credentials and vulnerability exploitation. Verizon's 2025 DBIR documented that 88% of web application attacks involved stolen credentials, and a 2025 mega-leak exposed approximately 16 billion credentials that fuel automated credential stuffing at scale. Microsoft reported that the Chinese threat actor Storm-0940 uses the CovertNetwork-1658 botnet (Quad7) to conduct password spray attacks with same-day credential handoff — compromised passwords are used against targets within hours of being obtained. Midnight Blizzard (APT29) breached Microsoft's own corporate environment in January 2024 by password spraying a legacy test tenant account that lacked MFA. The volume of compromised credentials rose 160% in early 2025, and researchers estimate that 94% of passwords are reused across sites. T1110 spans four sub-techniques across every major platform and remains the simplest, cheapest, and among the most effective ways to breach an organization.

Brute force is now the #1 ransomware initial access vector

The Mandiant M-Trends 2025 Report found that brute force attacks were the top initial infection vector for ransomware at 26% of incidents — ahead of stolen credentials and exploits. Password spraying was specifically cited alongside VPN devices compromised through default credentials and high-volume RDP login attempts. The CrowdStrike 2025 Global Threat Report documented that China-nexus actors used a bug in the Entra ID Resource Owner Password Credentials (ROPC) authentication flow to validate credentials without logging successful sign-in events, then automatically exfiltrated SharePoint documents. Microsoft warned that Storm-0940 obtains credentials from the CovertNetwork-1658 botnet infrastructure with same-day operational handoff. T1110 has four sub-techniques: Password Guessing (T1110.001), Password Cracking (T1110.002), Password Spraying (T1110.003), and Credential Stuffing (T1110.004).

T1110 falls under the Credential Access tactic (TA0006). The technique covers any method an adversary uses to systematically guess or crack passwords to gain access to accounts. This includes online attacks against live authentication services (password guessing, spraying, stuffing) and offline attacks against captured credential material (hash cracking with tools like Hashcat and John the Ripper). The technique spans every platform in the ATT&CK framework: Windows, Linux, macOS, ESXi, Containers, IaaS, Identity Provider, Network Devices, Office Suite, and SaaS.

MITRE ATT&CK v18 documents an extensive list of threat groups using T1110, including APT28 (GRU), APT29, APT39, APT41, Lazarus Group, Turla, and virtually every major ransomware operation. The technique is notable for being simultaneously one of the oldest attack methods in computing and one of the most effective in the modern threat landscape — the simplicity of trying passwords against login pages has not diminished its effectiveness because human password behavior has not fundamentally changed.

The Four Sub-Techniques

T1110.001 — Password Guessing

Adversaries systematically guess passwords for target accounts by trying common passwords, default credentials, or passwords derived from reconnaissance (birthdays, pet names, company names with year patterns like CompanyName2025!). Password guessing is an online attack against live authentication services — SSH, RDP, SMB, LDAP, Kerberos, web applications, VPNs, and cloud services. Commonly targeted services include SSH (port 22), RDP (port 3389), SMB (port 445), FTP (port 21), MySQL (port 3306), MSSQL (port 1433), and web login portals.

Password guessing risks triggering account lockout policies, making it the noisiest sub-technique. However, in default environments, LDAP and Kerberos connection attempts are less likely to trigger events compared to SMB, which creates Windows Event ID 4625 (logon failure). The Emotet malware spread via Wi-Fi by brute-forcing wireless network passwords using the Windows wlanAPI interface. Healthcare organizations are specifically targeted through password guessing against patient portals and administrative interfaces.

T1110.002 — Password Cracking

Adversaries crack password hashes offline using tools like Hashcat, John the Ripper, and rainbow tables to recover plaintext passwords from captured credential material. Hash sources include NTLM hashes from OS Credential Dumping (T1003), Active Directory ntds.dit database extraction, network device configuration files, Kerberoasting ticket hashes, and database credential stores. Cracking occurs on adversary-controlled systems outside the target network, making it invisible to the victim's monitoring.

The Picus Blue Report 2025 found that 46% of environments had at least one password hash that could be cracked and converted to cleartext — meaning nearly half of organizations have passwords weak enough to be recovered through offline cracking. Cisco Talos documented Volt Typhoon (Salt Typhoon) using password cracking as part of their credential access operations against telecommunications infrastructure. Modern GPU hardware can test billions of hash combinations per second, making short or common passwords recoverable within minutes regardless of the hashing algorithm used.

T1110.003 — Password Spraying

Adversaries try a small number of commonly used passwords against a large number of accounts before moving to the next password. This "low-and-slow" approach avoids account lockout policies by staying below the failure threshold for any individual account. APT28 (Fancy Bear/GRU) conducts distributed password spray campaigns at approximately four authentication attempts per hour per account over weeks.

Storm-0940, a Chinese threat actor, uses the CovertNetwork-1658 botnet (also called Quad7) comprising compromised SOHO routers to conduct distributed password spraying at scale. Microsoft documented that in multiple cases, Storm-0940 used compromised credentials obtained from CovertNetwork-1658 on the same day they were sprayed — evidence of a close operational relationship between the botnet operators and the espionage group. Midnight Blizzard (APT29) breached Microsoft's corporate environment in January 2024 by spraying passwords against a legacy non-production test tenant account that lacked MFA. The compromised account had ownership of a legacy OAuth test application with elevated access to the corporate environment, enabling the attackers to access security and legal team email inboxes. A massive wave of password spraying attacks in 2024 prompted both Cisco and Okta to issue customer warnings, with attacks originating from TOR exit nodes and residential proxy networks. Silk Typhoon targeted IT supply chains through password spraying as documented in March 2025.

T1110.004 — Credential Stuffing

Adversaries use username/password pairs stolen from previous data breaches to attempt access across different services, exploiting the tendency of users to reuse passwords. A 2025 mega-leak exposed approximately 16 billion credentials from major platforms, and research suggests that about 94% of passwords are reused across sites. The success rate of credential stuffing is estimated at 0.1% to 4% — low per attempt, but at scale across millions of credential pairs, this translates to thousands of compromised accounts per campaign.

The compromised credentials volume rose 160% in early 2025 according to tracking data. TrickBot's rdpScanDll module specifically performs RDP brute force and credential stuffing against telecommunication services. Verizon's 2025 DBIR found that 88% of web application attacks involved the use of stolen credentials. Credential stuffing is particularly dangerous against organizations that do not enforce MFA, as a single valid credential pair grants full access. The LabHost phishing platform, taken down by the FBI, exposed 42,000 phishing domains that had been used to steal 500,000 credit cards and over one million credentials — all of which became fuel for subsequent credential stuffing campaigns.

How Brute Force Attacks Work

The Password Spray Pipeline

Modern password spraying is an industrialized process. The attacker first harvests target email addresses from LinkedIn, company websites, third-party breaches, and OSINT tools. They build a targeted password list incorporating seasonal patterns (Spring2025!, Summer2025!), company name variations (CompanyName123), and the perennially popular defaults (Password1, Welcome1, 123456). The spray is distributed across hundreds or thousands of source IP addresses — using botnets (CovertNetwork-1658), residential proxies, or cloud infrastructure — to prevent IP-based blocking. Each source tries one or two passwords per account per hour, staying below lockout thresholds. Compromised credentials are validated and then handed off to operators for exploitation, sometimes within the same day.

Offline Password Cracking

Once an adversary obtains password hashes (through credential dumping, Kerberoasting, or database compromise), cracking occurs entirely on attacker-controlled hardware with no network interaction that defenders can monitor. Modern GPU rigs running Hashcat can test billions of NTLM hash combinations per second. A six-character lowercase password (308 million possibilities) falls in under a second. Even eight-character passwords with mixed case and numbers can be cracked within hours. The economics favor the attacker: cloud GPU instances make high-performance cracking accessible to anyone willing to pay a few dollars per hour. The defensive threshold is password length and complexity — truly random 16+ character passwords are effectively uncrackable with current hardware, but the Picus data showing 46% of environments with crackable hashes suggests that threshold is not being met.

Bypassing Location-Based Controls

MITRE ATT&CK v18 specifically documents that adversaries who succeed in guessing a password but fail to log in due to location-based conditional access policies may change their infrastructure until they match the victim's geographic location, thereby bypassing those policies. This adaptation means that geographic restrictions are a speed bump, not a wall. The CrowdStrike 2025 report documented China-nexus actors exploiting a bug in the Entra ID ROPC authentication flow to validate credentials without logging successful sign-in events — effectively making successful brute force invisible to standard monitoring.

Why Brute Force Matters

The math favors the attacker

With 16 billion credentials available from breaches, 94% password reuse rates, and a 0.1-4% credential stuffing success rate, the probability of compromise for any unprotected organization approaches certainty over time. Mandiant found brute force at 26% of ransomware initial access. The Picus Blue Report 2025 found 46% of environments had crackable password hashes. MFA is the single control that breaks this math — Midnight Blizzard's breach of Microsoft succeeded specifically because the target account lacked MFA.

Brute force is the leading ransomware initial access vector. The Mandiant M-Trends 2025 Report documented brute force at 26% of ransomware initial infections, specifically citing password spraying against VPN devices with default credentials and high-volume RDP login attempts. This makes T1110 the single highest-priority technique for preventing ransomware initial access.

Password spraying is nearly invisible at low volume. A single failed login does not trigger alerts. When adversaries space attempts to one per account per hour across thousands of accounts, the activity mimics normal user behavior. CovertNetwork-1658 distributes spraying across 8,000+ compromised SOHO router IPs, making IP-based detection extremely difficult. Detection requires analyzing authentication patterns across the entire user population, not individual accounts.

Credential stuffing scales with breach data. Every new data breach adds fuel to credential stuffing attacks. The 160% increase in compromised credential volume in 2025 means attackers have an ever-growing library of valid credentials to test. Organizations cannot control whether their users reuse passwords on third-party services, making credential stuffing an external threat that internal controls alone cannot prevent.

Offline cracking is undetectable. Password cracking against captured hashes occurs entirely on adversary infrastructure. There is no network traffic to monitor, no failed login events to detect, and no lockout policies to trigger. The only defense is ensuring that passwords are strong enough to resist cracking and that hashes use salted, stretched algorithms (bcrypt, scrypt, Argon2) rather than fast algorithms like NTLM or MD5.

MFA bypass is evolving. While MFA remains the strongest defense against brute force, adversaries are adapting. AiTM phishing (T1557) relays MFA tokens in real-time. MFA fatigue attacks bomb users with push notifications until they approve. The CrowdStrike 2025 report documented authentication flow bugs that bypass MFA logging entirely. Organizations relying solely on push-based MFA face an evolving evasion landscape.

Real-World Case Studies

Case 1: Midnight Blizzard / APT29 — Microsoft Corporate Breach (January 2024)

In January 2024, Microsoft disclosed that the Russian state-sponsored group Midnight Blizzard (APT29) had breached their corporate environment through a password spraying attack. The attackers targeted a legacy non-production test tenant account that did not have MFA enabled. After compromising this account, they discovered it had ownership of a legacy OAuth test application with elevated access to the Microsoft corporate environment. This privilege chain allowed Midnight Blizzard to access the email inboxes of senior leadership, cybersecurity, and legal team members. The breach demonstrated that even the world's largest technology company was vulnerable to password spraying when a single test account lacked basic security controls. BeyondTrust noted that the compromised account was presumably not considered privileged or high-risk because it was in a test tenant — illustrating how attackers find privilege escalation pathways through accounts that defenders overlook.

Case 2: Storm-0940 / CovertNetwork-1658 — Botnet-Powered Spraying (2024)

Microsoft documented that the Chinese threat actor Storm-0940 uses the CovertNetwork-1658 botnet (Quad7), comprising over 8,000 compromised SOHO routers, to conduct distributed password spray attacks against think tanks, government organizations, NGOs, law firms, and defense industrial base targets across North America and Europe. The botnet's distributed nature means each compromised router makes only a few authentication attempts, making the activity appear as normal traffic from diverse residential IP addresses. Microsoft observed that Storm-0940 used compromised credentials on the same day they were obtained from CovertNetwork-1658 spraying — evidence of a tightly integrated supply chain between the botnet operators and the espionage group. After gaining access, Storm-0940 deployed credential dumping tools, installed proxy tools and RATs for persistence, and attempted data exfiltration.

Case 3: GRU Global Brute Force Campaign (2021–Ongoing)

In July 2021, NSA, CISA, FBI, and NCSC published a joint advisory documenting a global brute force campaign conducted by Russia's GRU (military intelligence). The campaign used a Kubernetes cluster to distribute password spraying and brute force attempts against hundreds of government and private sector targets worldwide. APT28 (Fancy Bear / GRU Unit 26165) conducts distributed password spray campaigns at approximately four authentication attempts per hour per targeted account over several days or weeks, targeting government and defense organizations. The campaign exploited Microsoft Office 365, VPN infrastructure, and other externally-facing authentication services. The GRU operators specifically targeted organizations in the energy, government, defense, logistics, and think tank sectors.

Case 4: Ransomware RDP Brute Force — The Industrial Scale (2024–2025)

RDP brute force remains the single largest initial access vector for ransomware deployment. Akira ransomware affiliates aggressively target exposed RDP and VPN services, gaining access through brute force or credential stuffing before escalating privileges, exfiltrating data, and deploying encryption. The TrickBot rdpScanDll module automated RDP brute force specifically targeting telecommunications services. Mandiant's analysis found that high-volume RDP login attempts with default or commonly used credentials was a consistent pattern across ransomware incidents. The 96 distinct ransomware groups active in the first half of 2025 (a 41% increase over 2024) all rely on the same fundamental initial access playbook, with brute force against exposed services as the primary entry point.

Case 5: 16 Billion Credential Mega-Leak — Credential Stuffing at Scale (2025)

A 2025 mega-leak exposed approximately 16 billion credentials from major platforms, representing the largest known aggregation of stolen credential data. This breach data does not remain contained — it becomes training data and wordlists for automated credential stuffing tools that test combinations across every login portal on the internet. The LabHost phishing-as-a-service platform, dismantled by the FBI, had accumulated 500,000 credit cards and over one million credentials across 42,000 phishing domains before its takedown. The JokerOTP tool was used in more than 28,000 attacks across 13 countries, intercepting 2FA codes to enable account takeover following successful credential stuffing. These cases demonstrate the industrial ecosystem that turns stolen credentials into compromised accounts at scale.

Detection Strategies

Detection requires population-level analysis

Password spraying is designed to be invisible at the individual account level — one or two failed logins per account is normal behavior. Detection requires analyzing authentication patterns across the entire user population: distributed failures across accounts within a time window, login attempts from datacenter or VPN IPs, authentication against non-existent accounts, and geographic impossibilities. Anomaly-based detection across the full authentication dataset is essential.

Data Source | Component | Detection Focus
User Account | User Account Authentication | Multiple accounts failing authentication within a time window; failures from a single IP across accounts; failures against disabled/non-existent accounts
Application Log | Application Log Content | Web application login failures; cloud service authentication anomalies; VPN/RDP brute force patterns
Network Traffic | Network Traffic Flow | High-volume authentication traffic from a single source; connections from known botnet/proxy infrastructure
Command | Command Execution | Execution of cracking tools (hashcat, john); suspicious use of credential testing tools; bulk LDAP queries
Active Directory | Active Directory Credential Request | Kerberoasting (TGS requests for service accounts); AS-REP roasting; unusual Kerberos authentication patterns
Cloud Logs | Authentication Logs | Entra ID sign-in logs; conditional access failures; impossible travel; authentication from anonymizing services

Splunk / SIEM Detection Queries

Password Spraying Detection — Identify distributed authentication failures across multiple accounts from the same source within a time window:

index=windows EventCode=4625 Logon_Type IN (3,10)
| bin _time span=1h
| stats dc(TargetUserName) as targeted_accounts count as total_failures
  values(TargetUserName) as users by Source_Network_Address _time
| where targeted_accounts > 10 AND total_failures < (targeted_accounts * 3)
| sort - targeted_accounts

Credential Stuffing / RDP Brute Force — Detect high-volume authentication attempts against RDP and other services:

index=windows EventCode=4625 Logon_Type=10
| bin _time span=30m
| stats count as failures dc(TargetUserName) as unique_users
  by Source_Network_Address _time
| where failures > 50
| lookup geoip Source_Network_Address OUTPUT country city
| table _time Source_Network_Address country city failures unique_users
| sort - failures

Cloud Password Spray Detection (Entra ID / M365) — Monitor Azure AD sign-in logs for distributed spraying patterns:

index=azure sourcetype="azure:aad:signin" ResultType!=0
| bin _time span=1h
| stats dc(UserPrincipalName) as targeted_accounts count as total_failures
  dc(IPAddress) as source_ips values(ResultDescription) as error_types
  by _time
| where targeted_accounts > 20 AND source_ips < 5
| sort - targeted_accounts

Successful Login After Spraying Pattern — Correlate failed authentication bursts with subsequent successful logins (the actual compromise):

index=windows (EventCode=4625 OR EventCode=4624) Logon_Type IN (3,10)
| eval status=if(EventCode=4625, "failure", "success")
| bin _time span=2h
| stats count(eval(status="failure")) as failures
  count(eval(status="success")) as successes
  values(eval(if(status="success", Source_Network_Address, null()))) as success_ips
  by TargetUserName _time
| where failures > 5 AND successes > 0
| sort - failures
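The same population-level logic as the Splunk queries above, as an added example that is not part of the original article: a small Python detector run over a constructed sample of Windows 4625/4624 events. It goes one step beyond the per-account correlation query by also keying the success-after-spray check on the spraying source, which is what catches a spray where the compromised account saw only a single failure. The line format, addresses, account names and timestamps are all constructed.

```python
"""Population-level spray / brute-force detection over a constructed sample of
Windows Security events (not real telemetry). Mirrors the Splunk queries above:
bucket 4625 failures by source and time window, flag sources that touch many
accounts with few failures each (spray) or one account at volume (brute force),
then find the 4624 success that follows from a spraying source."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 3, 1, 9, 0, 0)  # constructed start time of the sample


def _line(ts, code, user, src, logon_type=3):
    # Constructed key=value line format, not a real Windows event export.
    return (f"{ts.isoformat()} EventCode={code} TargetUserName={user} "
            f"Source_Network_Address={src} Logon_Type={logon_type}")


def build_sample_log():
    """Constructed sample: a spray, a single-account RDP brute force, benign noise."""
    lines = []
    spray_src = "203.0.113.7"  # RFC 5737 documentation address
    for i in range(12):  # one guess against each of 12 accounts, 4 minutes apart
        lines.append(_line(BASE + timedelta(minutes=4 * i), 4625, f"user{i:02d}", spray_src))
    # the guess that landed: a success on a sprayed account from the same source
    lines.append(_line(BASE + timedelta(minutes=50), 4624, "user07", spray_src))
    brute_src = "198.51.100.9"
    for i in range(60):  # 60 RDP (Logon_Type 10) failures on one account in 20 minutes
        lines.append(_line(BASE + timedelta(seconds=20 * i), 4625, "administrator", brute_src, 10))
    lines.append(_line(BASE + timedelta(minutes=1), 4625, "alice", "10.0.0.5"))  # one typo
    lines.append(_line(BASE + timedelta(minutes=2), 4624, "alice", "10.0.0.5"))  # then success
    return lines


def parse_event(line):
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.fromisoformat(ts)
    ev["EventCode"] = int(ev["EventCode"])
    return ev


def load_sample_events():
    return [parse_event(line) for line in build_sample_log()]


def window_start(ts, span):
    """Floor a timestamp to a fixed-width bucket, like Splunk's `bin _time span=`."""
    return ts - ((ts - datetime.min) % span)


def detect_spray(events, span=timedelta(hours=1), min_accounts=10, max_avg_failures=3):
    """Sources that fail against many distinct accounts but only a few times each."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4625 and ev["Logon_Type"] in ("3", "10"):
            key = (ev["Source_Network_Address"], window_start(ev["time"], span))
            groups[key].append(ev["TargetUserName"])
    findings = []
    for (src, win), users in groups.items():
        targeted = len(set(users))
        if targeted > min_accounts and len(users) < targeted * max_avg_failures:
            findings.append({"source": src, "window": win,
                             "targeted_accounts": targeted, "failures": len(users)})
    return findings


def detect_brute_force(events, span=timedelta(minutes=30), min_failures=50):
    """Sources generating high-volume RDP (Logon_Type 10) failures in a short window."""
    failures, users = defaultdict(int), defaultdict(set)
    for ev in events:
        if ev["EventCode"] == 4625 and ev["Logon_Type"] == "10":
            key = (ev["Source_Network_Address"], window_start(ev["time"], span))
            failures[key] += 1
            users[key].add(ev["TargetUserName"])
    return [{"source": src, "window": win, "failures": n, "unique_users": len(users[(src, win)])}
            for (src, win), n in failures.items() if n > min_failures]


def successes_from_spraying_sources(events, spray_findings):
    """The compromise itself: a 4624 from a source already flagged as spraying.
    Keying on the source instead of the account (as the per-account query above
    does) matters for sprays, where the compromised account saw only one failure."""
    flagged = {(f["source"], f["window"]) for f in spray_findings}
    return [(ev["TargetUserName"], ev["Source_Network_Address"])
            for ev in events if ev["EventCode"] == 4624
            and any(ev["Source_Network_Address"] == s and ev["time"] >= w for s, w in flagged)]


if __name__ == "__main__":
    evs = load_sample_events()
    spray = detect_spray(evs)
    print("spray:", spray)
    print("brute force:", detect_brute_force(evs))
    print("compromised via spray:", successes_from_spraying_sources(evs, spray))
```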

Known Threat Actors

Nation-State Groups

Threat Actor | Brute Force Method | Notable Detail
APT28 / Fancy Bear (GRU) | Distributed password spraying | ~4 attempts/hour/account over weeks; NSA/CISA 2021 advisory; Kubernetes-based infrastructure
APT29 / Midnight Blizzard | Password spraying | Breached Microsoft corporate (Jan 2024) via test tenant without MFA
Storm-0940 (China) | Botnet-powered password spraying | CovertNetwork-1658 / Quad7 botnet; same-day credential handoff; targets think tanks, government, defense
Silk Typhoon (China) | Password spraying + supply chain | Targeted IT supply chains (March 2025); Entra ID ROPC flow exploitation
APT41 / Brass Typhoon | Password guessing + cracking | Dual espionage/financial operations; brute force against exposed services
APT39 (Iran) | Password spraying | Iranian espionage targeting personal information and travel data
Lazarus Group (DPRK) | Password guessing | FASTCash operations targeting banking systems
Turla / FSB | Password guessing + cracking | Epic Turla operation; credential harvesting for long-term espionage
APT28 Nearest Neighbor | Wi-Fi brute force | Brute forced adjacent Wi-Fi networks for proximity-based access (Volexity, Nov 2024)

Ransomware and Cybercrime

Threat Actor | Primary Method | Notable Detail
Akira | RDP/VPN brute force + credential stuffing | Aggressively targets exposed SonicWall SSLVPNs; $244M proceeds
LockBit | RDP brute force | Affiliates brute force RDP as primary initial access
Qilin | VPN credential brute force | Fortinet CVEs + brute forced VPN credentials; 1,034 victims (2025)
TrickBot | RDP brute force (rdpScanDll) | Automated module targeting telecom services in US and Hong Kong
Emotet | Wi-Fi password brute force | Spread via wlanAPI wireless brute force
Scattered Spider | Credential stuffing + social engineering | Help desk impersonation combined with credential reuse exploitation
DragonForce | RDP + SimpleHelp RMM exploitation | White-label RaaS franchise; brute force of RMM tools

Defensive Recommendations

1. Enforce Multi-Factor Authentication Everywhere

MFA is the single most effective defense against all brute force sub-techniques. Midnight Blizzard's breach of Microsoft succeeded because a test account lacked MFA. Enforce MFA on all accounts without exception — including test accounts, service accounts, and break-glass accounts. Prefer FIDO2/WebAuthn hardware keys or authenticator apps over push-based MFA (which is vulnerable to fatigue attacks) and SMS-based MFA (which is vulnerable to SIM swapping).

2. Implement Intelligent Account Lockout

Configure account lockout policies that balance security with availability. Standard policies (e.g., lockout after 5 failures in 15 minutes) stop basic brute force but not slow password spraying. Implement progressive delays (increasing wait times after failures) and CAPTCHA challenges after threshold failures. For cloud services, leverage conditional access policies that block authentication from anonymizing services (TOR, known VPN providers, datacenter IPs).
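An added example (not from the original article) of the lockout policy described above, implemented as an in-memory throttle a login handler would consult before checking the password: per-account lockout after 5 failures in 15 minutes, progressive delays, and a per-source budget of distinct failed accounts that triggers a CAPTCHA challenge on spray-shaped traffic. Class and function names, the thresholds not stated above, and the scenario data are assumptions.

```python
"""Intelligent lockout for an authentication handler (added example). Failures
are tracked per account and per source address: the per-account threshold
(5 failures in 15 minutes) stops single-account brute force, the per-source
budget of distinct failed accounts catches a spray that leaves one failure per
account, and a progressive delay replaces hard-locking on the first mistakes."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AuthThrottle:
    """Decides, before the password is checked, whether to allow, delay, challenge or lock out."""

    def __init__(self, account_limit=5, account_window=timedelta(minutes=15),
                 source_account_limit=10, source_window=timedelta(hours=1),
                 base_delay=timedelta(seconds=1), max_delay=timedelta(minutes=5)):
        self.account_limit, self.account_window = account_limit, account_window
        self.source_account_limit, self.source_window = source_account_limit, source_window
        self.base_delay, self.max_delay = base_delay, max_delay
        self._account_failures = defaultdict(deque)  # account -> failure times
        self._source_accounts = defaultdict(dict)    # source -> {account: last failure}

    def _recent_failures(self, account, now):
        dq = self._account_failures[account]
        while dq and now - dq[0] > self.account_window:
            dq.popleft()  # expire failures outside the window
        return dq

    def _sprayed_accounts(self, source, now):
        seen = self._source_accounts[source]
        for acct in [a for a, t in seen.items() if now - t > self.source_window]:
            del seen[acct]
        return seen

    def check(self, account, source, now):
        """Return (decision, wait): decision is allow / delay / challenge / lockout."""
        failures = self._recent_failures(account, now)
        if len(failures) >= self.account_limit:
            # classic lockout: open again when the oldest failure leaves the window
            return "lockout", failures[0] + self.account_window - now
        if failures:
            # progressive delay: 1s, 2s, 4s ... after each recent failure, capped
            wait = min(self.base_delay * 2 ** (len(failures) - 1), self.max_delay)
            elapsed = now - failures[-1]
            if elapsed < wait:
                return "delay", wait - elapsed
        if len(self._sprayed_accounts(source, now)) >= self.source_account_limit:
            # one source failing against many accounts is the spray signature;
            # a CAPTCHA rather than a block keeps a busy NAT gateway usable
            return "challenge", timedelta(0)
        return "allow", timedelta(0)

    def record_failure(self, account, source, now):
        self._account_failures[account].append(now)
        self._source_accounts[source][account] = now

    def record_success(self, account):
        self._account_failures[account].clear()


def simulate(throttle, attempts):
    """attempts: (time, account, source, password_ok). Only an allowed attempt
    reaches the password check; the decision for each attempt is returned."""
    decisions = []
    for now, account, source, password_ok in attempts:
        decision, _wait = throttle.check(account, source, now)
        decisions.append(decision)
        if decision == "allow":
            if password_ok:
                throttle.record_success(account)
            else:
                throttle.record_failure(account, source, now)
    return decisions


T0 = datetime(2025, 3, 1, 9, 0, 0)  # constructed


def brute_force_scenario():
    """One source hammering 'admin' (RFC 5737 documentation address, constructed)."""
    seconds = [0, 0.5, 2, 3, 10, 20, 40, 60, 16 * 60]
    return [(T0 + timedelta(seconds=s), "admin", "198.51.100.9", False) for s in seconds]


def spray_scenario():
    """One guess each against 11 accounts, then the real owner of a sprayed
    account logging in from the office network (all constructed)."""
    attempts = [(T0 + timedelta(minutes=i), f"user{i:02d}", "203.0.113.7", False)
                for i in range(11)]
    attempts.append((T0 + timedelta(minutes=12), "user05", "10.0.0.5", True))
    return attempts


if __name__ == "__main__":
    print("brute force:", simulate(AuthThrottle(), brute_force_scenario()))
    print("spray:", simulate(AuthThrottle(), spray_scenario()))
```

Note that the spray scenario never trips the per-account lockout at all; only the per-source budget sees it, which is the gap a standard 5-in-15 policy leaves open.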

3. Block Known Malicious Infrastructure

Maintain blocklists for known botnet infrastructure, TOR exit nodes, and residential proxy networks used for password spraying. Microsoft specifically identified CovertNetwork-1658 infrastructure used by Storm-0940. Subscribe to threat intelligence feeds that track brute force source IPs and integrate them into your authentication infrastructure's blocking rules.

4. Monitor Authentication at Population Scale

Deploy SIEM analytics that detect brute force patterns across your entire user population, not individual accounts. Alert on distributed failures (multiple accounts failing from the same IP), time-window clustering (spike in failures across accounts within an hour), geographic anomalies (authentication from unexpected countries), and failures against non-existent accounts (indicator of external enumeration). The CrowdStrike 2025 report documented authentication flow bugs that bypass standard logging — supplement standard logs with network-level monitoring.

5. Enforce Strong Password Policies

Follow NIST SP 800-63-3 guidelines: require minimum 14-16 character passwords (or passphrases), screen passwords against known breached password databases (Have I Been Pwned), eliminate mandatory rotation (which encourages weak patterns), and ban commonly used passwords. The 46% of environments with crackable hashes (Picus Blue Report 2025) indicates that password policies alone are insufficient without enforced complexity and breach checking.

6. Reduce Attack Surface

Minimize externally exposed authentication services. Place RDP behind VPN or zero-trust access rather than exposing port 3389 to the internet. Disable legacy authentication protocols (NTLM where possible, basic authentication in Exchange/M365). Remove or secure test accounts, service accounts, and break-glass accounts that may have weaker security controls. The Midnight Blizzard breach exploited a test tenant account — every account is a potential entry point.

7. Implement Passwordless Authentication

The most effective long-term defense against brute force is eliminating passwords entirely. Deploy FIDO2 security keys, Windows Hello for Business, or certificate-based authentication. Passwordless authentication eliminates the attack surface for password guessing, spraying, stuffing, and cracking simultaneously. Passkey adoption is accelerating across consumer and enterprise platforms.

8. Protect Password Hashes

Defend against offline cracking by protecting credential stores. Use salted, stretched hashing algorithms (bcrypt, scrypt, Argon2) instead of fast algorithms. Protect Active Directory's ntds.dit from extraction through proper access controls and monitoring. Enable Credential Guard on Windows to protect LSASS from credential dumping. Monitor for Kerberoasting and AS-REP roasting activity that harvests crackable hashes.

MITRE ATT&CK Mapping

Field | Value
Technique ID | T1110
Name | Brute Force
Tactic | Credential Access (TA0006)
Sub-Techniques | T1110.001 Password Guessing, T1110.002 Password Cracking, T1110.003 Password Spraying, T1110.004 Credential Stuffing
Platforms | Containers, ESXi, IaaS, Identity Provider, Linux, Network Devices, Office Suite, SaaS, Windows, macOS
Version | 2.8 (Last Modified October 2025)
Data Sources | User Account Authentication, Application Log Content, Network Traffic Flow, Command Execution, Active Directory Credential Request
Related Techniques | T1078 Valid Accounts, T1133 External Remote Services, T1003 OS Credential Dumping, T1558 Steal or Forge Kerberos Tickets, T1557 Adversary-in-the-Middle

Sources and References

This article draws on government advisories, vendor threat intelligence, and industry reports. All referenced sources are publicly available.

  • Microsoft Threat Intelligence — Storm-0940 Uses Credentials from CovertNetwork-1658 Password Spray Attacks (October 2024): microsoft.com
  • NSA/CISA/FBI/NCSC — Russian GRU Conducting Global Brute Force Campaign (July 2021): cisa.gov
  • Mandiant / M-Trends 2025 — Brute Force as #1 Ransomware Initial Access Vector (26%): referenced via breachsense.com
  • CrowdStrike — 2025 Global Threat Report: Entra ID ROPC Authentication Flow Exploitation: referenced via breachsense.com
  • BeyondTrust — Password Spray Attacks: Midnight Blizzard Microsoft Breach Analysis (October 2025): beyondtrust.com
  • Verizon — 2025 Data Breach Investigations Report (88% Web App Attacks Use Stolen Credentials): referenced via specopssoft.com
  • Picus Security — Blue Report 2025 (46% of Environments with Crackable Hashes): picussecurity.com
  • Dragos — Industrial Ransomware Analysis Q3 2025: dragos.com
  • Rapid7 — Ransomware Trends 2025: 96 Active Groups, 41% Increase: rapid7.com
  • Elastic Security Labs — Exploring Windows UAC Bypasses (Referenced for credential access chains): elastic.co
  • MITRE ATT&CK — T1110 Brute Force (v18, October 2025): attack.mitre.org