T1110.003: T1110.003
Essential information
- MITRE technique ID
T1110.003- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 19:39
- Modified
- 22/06/2026 11:30
- Author / Source
- The MITRE Corporation
Aliases
Password Spraying
Platforms
windows macos linux Network Devices Containers IaaS ESXi Office Suite Identity Provider SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (16)
-
The MITRE Corporation Confidence 100
[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
DragonForce usesRansomware.Live Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (34)
-
Tickler usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ZeroCleare - S1151 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Linux Rabbit usesFamily The MITRE Corporation Confidence 100
[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RustyWater usesAlienVault Confidence 100
[RustyWater](https://attack.mitre.org/software/S9037) is a Rust-based implant used by [MuddyWater](https://attack.mitre.org/groups/G0069). Historically, [MuddyWater](https://attack.mitre.org/groups/G0069) has used PowerShell-based tools and [RustyWater](https://attack.mitre.org/software/S9037) reflects a shift in tooling, demonstrating better techniques for defense evasion and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RansomHub usesThe MITRE Corporation Confidence 100
[RansomHub](https://attack.mitre.org/software/S1212) is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versions that has been in use since at least 2024 to target organizations in multiple sectors…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Mamona usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
IOCONTROL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SHAPESHIFT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Bad Rabbit usesFamily The MITRE Corporation Confidence 100
[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad…
First seen 01/01/1970 · Last seen 16/11/5138 · -
BibiWiper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AsyncRAT - S1087 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HTTPSnoop usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (8)
-
AlienVault Confidence 100 3 CVEs 21 MITREs 2 Malwares 8 IOCs 2 Observables
-
AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
1 CVE 20 MITREs 10 Malwares 1 Observable 1 APT
-
8 MITREs 16 Observables 1 APT
-
25 MITREs 2 Malwares 9 Observables 1 APT
-
11 MITREs 1 Malware 9 Observables 1 APT
-
9 CVEs 23 MITREs 4 Malwares 14 Observables 1 APT
Vulnerabilities (CVE) (15)
Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …
- Attack vector
- Network
- Published
- 13/06/2023
- Modified
- 21/12/2025
Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector
- Local
- Published
- 03/11/2021
- Modified
- 27/05/2026
Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector
- Network
- Published
- 19/07/2023
- Modified
- 27/05/2026
Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
- Attack vector
- Network
- Published
- 25/03/2024
- Modified
- 21/12/2025
Multiple Hikvision products contain an improper authentication vulnerability that could allow a malicious user to escalate privileges on the system and gain …
- Attack vector
- NETWORK
- Complexity
- LOW
- EPSS
- 0.9410 (P99.9%)
- Published
- 06/05/2017
- Modified
- 22/04/2026
A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 04/04/2026
- Modified
- 09/04/2026
Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this …
- Published
- 28/01/2022
- Modified
- 21/12/2025
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 13/05/2026
- Modified
- 10/06/2026
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 17/03/2017
- Modified
- 22/04/2026
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways …
- Attack vector
- Network
- Published
- 30/05/2024
- Modified
- 04/03/2026
Course Of Action (3)
-
Password Policies mitigates
-
Multi-factor Authentication mitigates
-
Account Use Policies mitigates
Campaign (2)
-
Quad7 Activity uses
-
APT28 Nearest Neighbor Campaign uses
Tool (2)
-
MailSniper usesThe MITRE Corporation Confidence 100
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be…
-
CrackMapExec usesThe MITRE Corporation Confidence 100
[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted…