CAPEC-600

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: High Severity: High
Credential Stuffing

Description

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

Prerequisites

The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.

The system/application does not have a sound password policy that is being enforced.

The system/application does not implement an effective password throttling mechanism.

The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.

Mitigations

Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.

Create a strong password policy and ensure that your system enforces this policy.

Ensure users are not reusing username/password combinations for multiple systems, applications, or services.

Do not reuse local administrator account credentials across systems.

Deny remote use of local admin credentials to log into domain systems.

Do not allow accounts to be a local administrator on more than one system.

Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.

Monitor system and domain logs for abnormal credential access.

Skills Required

[Low] A Credential Stuffing attack is very straightforward.