Windows | Multiple Login Failures from a Single User Analysis

Multiple Login Failures from a Single User

Objective:


The objective of this use case is to identify brute force attacks that could be dictionary attacks or password spraying attacks.


The scenario for identifying a brute-force attack is:


When 10 or more login failures occur from the same username within a specified time frame (e.g., 5 minutes).


Let's assume the user is trying to log in to a Windows service but is failing; the most common failure status codes are


0xC000006A - The username is valid, but the password entered is incorrect.

0xC0000064 - The username does not exist in the system.

0xC0000234 - The user account is locked due to multiple failed login attempts.

0xC0000071 - The user's password has expired and needs to be changed.

0xC0000072 - The account is disabled and cannot be used for login.


To the user, the service shows only an "incorrect credentials" error; the status code is visible in the logs, not on the login screen.


Analysts can see the error codes, event ID, and logon type in the logs and identify the failure types.


But the main goal of analysts is to detect attacks, not just classify failures.


Let's talk about scenarios.


Scenario 1:

There is a huge number of failures from the same user within 5 minutes; assume the failure count is 1000.

Analysts need to identify the reason for the 1000 failures from the same user.

Here, either an attacker is trying the same username against multiple passwords, or these are genuine logins from the user and 1000 failures are counted because of some misconfiguration, since a few services authenticate automatically with the user's credentials.


The user will not know that this many authentications are being generated on their behalf.


Either way, the cause needs to be identified.


Clues :

1000 authentication failures on multiple domain controllers,

5 failures with the 0xC000006A error (wrong password),

the event ID is 4625,

logon type 3 (network logon),

followed by failures with 0xC0000234 (user account lockout),

there is also a password change event,

and there are successful logins after 10 minutes, followed by further failures.
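The detection rule (10 or more 4625 failures from one username within 5 minutes), the sub-status code table, and the clue list above can be checked mechanically before an analyst opens the incident. The script below is an added example, not code from the original post: it runs a sliding-window count over constructed sample events modelled on the Security log fields (EventID, TimeCreated, TargetUserName, SubStatus, LogonType, Computer), summarises each burst by sub-status, logon type and domain controller, and looks for the follow-on events the post uses as clues (a 0xC0000234 lockout, a later password change, a later successful logon). The sample records, the `triage_hint` wording and the use of event ID 4723 for the password change are assumptions of this example; the post names the password change event without giving its ID.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Sub-status codes from the post, mapped to their meaning.
SUB_STATUS = {
    "0xC000006A": "username valid, password incorrect",
    "0xC0000064": "username does not exist",
    "0xC0000234": "account locked out",
    "0xC0000071": "password expired",
    "0xC0000072": "account disabled",
}

BASE = datetime(2024, 3, 1, 9, 0, 0)  # constructed reference time for the sample


def ev(event_id, offset_s, user, sub_status, logon_type, computer):
    """Build one constructed event record (not a real log extract)."""
    return {"id": event_id, "time": BASE + timedelta(seconds=offset_s), "user": user,
            "sub_status": sub_status, "logon_type": logon_type, "computer": computer}


# Constructed sample: jdoe fails 11 times with a wrong password across two DCs,
# gets locked out, changes the password (4723, assumed ID) and then logs on (4624);
# asmith stays below the threshold; svc-backup hits 10 unknown-username failures.
SAMPLE_EVENTS = (
    [ev(4625, 5 + 20 * i, "jdoe", "0xC000006A", 3, "DC01" if i % 2 == 0 else "DC02")
     for i in range(11)]
    + [ev(4625, 240, "jdoe", "0xC0000234", 3, "DC01"),   # lockout after the burst
       ev(4723, 600, "jdoe", None, None, "DC01"),        # password change 10 min later
       ev(4624, 870, "jdoe", None, 3, "DC02")]           # then a successful network logon
    + [ev(4625, 30 * i, "asmith", "0xC000006A", 2, "DC01") for i in range(3)]
    + [ev(4625, 10 * i, "svc-backup", "0xC0000064", 3, "DC01") for i in range(10)]
)


def detect_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return per-user findings for users with >= threshold 4625 events inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        failures = [e for e in evs if e["id"] == 4625]
        recent = deque()          # failures inside the sliding window
        burst_start = None
        for e in failures:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                burst_start = recent[0]["time"]
                break
        if burst_start is None:
            continue
        burst = [e for e in failures if burst_start <= e["time"] <= burst_start + window]
        after = [e for e in evs if e["time"] > burst[-1]["time"]]
        findings[user] = {
            "failure_count": len(burst),
            "window_start": burst_start,
            "sub_status": dict(Counter(e["sub_status"] for e in burst)),
            "logon_types": sorted({e["logon_type"] for e in burst}),
            "domain_controllers": sorted({e["computer"] for e in burst}),
            "lockout": any(e["sub_status"] == "0xC0000234" for e in burst),
            "password_change_after": any(e["id"] == 4723 for e in after),
            "success_after": any(e["id"] == 4624 for e in after),
        }
    return findings


def triage_hint(f):
    """Turn a finding into the next analyst step, following the post's reasoning."""
    if "0xC0000064" in f["sub_status"] and not f["success_after"]:
        return "unknown-username failures: check for password spraying or a misconfigured service account"
    if f["lockout"] and f["password_change_after"] and f["success_after"]:
        return ("lockout, then password change, then success: confirm with the user "
                "(likely forgotten credentials) and ask the Windows team about DC sync timing")
    if len(f["domain_controllers"]) > 1:
        return "failures on multiple DCs: check for a service or share using stale credentials"
    return "repeated wrong-password failures: confirm with the user and identify the source host"


if __name__ == "__main__":
    for user, f in detect_bursts(SAMPLE_EVENTS).items():
        codes = {c: f"{n} x {SUB_STATUS.get(c, '?')}" for c, n in f["sub_status"].items()}
        print(f"{user}: {f['failure_count']} failures from {f['window_start']}, "
              f"DCs={f['domain_controllers']}, codes={codes}")
        print("  next step:", triage_hint(f))
```

Run as-is, the script reports jdoe (12 failures on DC01 and DC02, one of them a lockout, followed by a password change and a successful logon) and svc-backup (10 unknown-username failures on a single DC), while asmith never reaches the threshold. The sliding window matters: counting per fixed 5-minute bucket would miss a burst that straddles a bucket boundary.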


Analysis:


Follow the incident response process: raise an incident with the team, or check with the user about these failures to determine whether they are genuine or not.


Update from the user:

The user replied that he had forgotten his network credentials, that he tried only 3 to 5 times, and that he then changed the password.

Analysts need to analyse the logs further.


Please refer to the reason for domain controller failures on multiple DCs here.


Here, failures are observed on multiple domain controllers within the 5 minutes. Checking the logs that follow, there are successful logins, only one account lockout, and a password change event. It is clear that these are network credentials, probably used against some shared network resource, and

the user confirmed that these are genuine failures.


There is no risk on the user's side, but from a security standpoint there is still a chance that, at the same time, an attacker tried this username against multiple passwords.

Assign the incident to the relevant team, for instance the Windows team, for further investigation of the high failure count, because this incident is security-relevant.


Analysts can suspect that some process is logging in automatically with the user's credentials, and that the failures appeared on multiple DCs because the DCs had not yet synced.


But these failures still need to be confirmed.


Windows team Update:

These failures are because DC sync did not happen around the time frame; we observed that the password got changed; you may close the incident.

After receiving the update from the Windows team, close the incident.


Crystals:

If other users also show high failure counts, ask the Windows team to check which service is causing these failures and to raise a case with the OEM for confirmation.
