Synopsis
Description
An abnormally high number of user account login attempts was seen on a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time between consecutive login attempts.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.
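The three investigative actions above can be run together over an export of the login events behind the alert. The following is an added example, not part of the original alert documentation: the line format, the outcome values and the reason labels (`bad_password`, `account_locked`) are assumptions, and the sample events are constructed.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample (not real telemetry): time, source IP, user, outcome, failure reason.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 203.0.113.7 alice FAILURE bad_password
2024-05-01T10:00:02 203.0.113.7 bob FAILURE bad_password
2024-05-01T10:00:04 203.0.113.7 carol FAILURE account_locked
2024-05-01T10:00:06 203.0.113.7 dave SUCCESS -
2024-05-01T10:00:08 203.0.113.7 erin FAILURE bad_password
"""

def parse_events(text):
    """Parse the assumed five-field line format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, user, outcome, reason = parts
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "user": user, "outcome": outcome, "reason": reason})
    return sorted(events, key=lambda e: e["time"])

def triage(events):
    """Summarize attempt spacing, failure reasons, lockouts and successes."""
    # Seconds between consecutive attempts; a near-constant gap suggests automation.
    gaps = [(b["time"] - a["time"]).total_seconds()
            for a, b in zip(events, events[1:])]
    failures = [e for e in events if e["outcome"] == "FAILURE"]
    successes = [e for e in events if e["outcome"] == "SUCCESS"]
    return {
        "attempts": len(events),
        "distinct_users": len({e["user"] for e in events}),
        "median_gap_seconds": median(gaps) if gaps else None,
        "failure_reasons": dict(Counter(e["reason"] for e in failures)),
        "locked_out_users": sorted({e["user"] for e in failures
                                    if e["reason"] == "account_locked"}),
        # Accounts with a success inside the burst need follow-up first.
        "successful_users": sorted({e["user"] for e in successes}),
        # Success versus failure; None when there were no failures at all.
        "success_to_failure_ratio": (len(successes) / len(failures)
                                     if failures else None),
    }

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE_EVENTS)))
```

Many distinct users with evenly spaced attempts and one or two successes is the pattern worth escalating; the accounts listed under `successful_users` are the ones to review for follow-on activity.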
Variations
Successful External Login Password Spray on a Domain Controller
Synopsis
Description
An abnormally high number of user account login attempts was seen on a domain controller within a short period of time.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time between consecutive login attempts.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.
Successful External Login Password Spray on a sensitive server
Synopsis
Description
An abnormally high number of user account login attempts was seen on a sensitive server within a short period of time.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time between consecutive login attempts.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.
Successful External Login Password Spray
Synopsis
Description
An abnormally high number of user account login attempts was seen on a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time between consecutive login attempts.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.
External Login Password Spray on a Domain Controller
Synopsis
Description
An abnormally high number of user account login attempts was seen on a domain controller within a short period of time.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time between consecutive login attempts.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful login attempts and the ratio of login success versus login failures.