| ID | Name |
|---|---|
| ATAGS-T1112.001 | TC Brute Forcing |
| ATAGS-T1112.002 | Credential Stuffing |
| ATAGS-T1112.003 | Password Cracking |
| ATAGS-T1112.004 | Password Guessing |
| ATAGS-T1112.005 | Password Spraying |
Threat Actors with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, Threat Actors may opt to systematically guess the password using a repetitive or iterative mechanism. Threat Actors may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.