title: Password Guessing (T1110.001)
id: df00tech-t1110-001
status: experimental
description: "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Commonly targeted services include SSH, RDP, SMB, LDAP, Kerberos, FTP, MSSQL, MySQL, VNC, and web management portals. Threat actors such as APT28, APT29, Emotet, and tools like CrackMapExec have leveraged this technique extensively."
references:
  - https://attack.mitre.org/techniques/T1110/001/
  - https://df00tech.com/detections/T1110.001
author: df00tech
date: 2026/04/17
tags:
  - attack.t1110.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
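  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches any event that carries an EventID field,
  # so replace it with the translated logic before deploying this rule.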
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Misconfigured service accounts with expired or incorrect passwords generating repeated authentication failures against domain controllers
  - "Vulnerability scanners or penetration testing tools (Nessus, Qualys, Rapid7) performing authenticated scans that fail due to incorrect test credentials"
  - End users who have forgotten their passwords attempting to log in multiple times before calling the help desk
  - Automated IT processes or scripts using hardcoded credentials that have not been updated after a password rotation
level: medium
