There will be no shortage of 4625 events (failed logon) showing up in the logs. Since this attack is most likely happening over the network, the logon type will be 3 (often SMB or RDP). Now, if you give those events a once-over, you will be able to figure out whether we’re up against a rather pesky password spray attack or an attack on a single account.

Should you spot those events trotting out C0000064 error codes (user doesn’t exist) along with C000006A (wrong password), you can bet your bottom dollar 💵 that’s a password-spraying attack. However, should you see the same username popping up time and again, with only the C000006A error code for company, then, darling, you are in the midst of a targeted attack. Congrats! 🎉
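To turn that once-over into something repeatable, here is an added example (not code from the original post) that applies the rule above to a batch of 4625 events: it keeps only network (type 3) logons, then calls it a spray when several accounts are tried with a mix of C0000064 and C000006A results, and a targeted attack when one account keeps returning only C000006A. The `key=value` line format and the sample events are constructed for the example; real 4625 records come out of the Security log as XML/EVTX, so the parser would need adjusting for a real export.

```python
import re
from collections import Counter

# Constructed sample lines (not real host data), one 4625 event per line.
SPRAY_LOG = """
EventID=4625 LogonType=3 TargetUserName=alice SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=bob SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=carol SubStatus=0xC0000064
EventID=4625 LogonType=3 TargetUserName=dave SubStatus=0xC000006A
EventID=4625 LogonType=3 TargetUserName=erin SubStatus=0xC0000064
EventID=4625 LogonType=2 TargetUserName=frank SubStatus=0xC000006A
""".strip().splitlines()

TARGETED_LOG = [
    "EventID=4625 LogonType=3 TargetUserName=alice SubStatus=0xC000006A"
] * 6

# Simplified key=value rendering of a 4625 event (an assumption for this example).
LINE_RE = re.compile(
    r"EventID=(\d+) LogonType=(\d+) TargetUserName=(\S+) SubStatus=(0x[0-9A-Fa-f]+)"
)
NO_SUCH_USER = "0XC0000064"    # account does not exist
WRONG_PASSWORD = "0XC000006A"  # account exists, password wrong


def parse_4625(lines):
    """Yield (user, substatus) for network (logon type 3) 4625 events only."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        event_id, logon_type, user, sub = m.groups()
        if event_id == "4625" and logon_type == "3":
            yield user.lower(), sub.upper()


def classify_4625(lines, min_events=5):
    """Return 'password_spray', 'targeted' or 'inconclusive' for a batch."""
    events = list(parse_4625(lines))
    if len(events) < min_events:
        return "inconclusive"  # too few failures to say anything yet
    users = Counter(u for u, _ in events)
    codes = Counter(s for _, s in events)
    # Spray: many accounts tried, typically mixing "no such user" and "wrong password".
    if len(users) > 1 and (NO_SUCH_USER in codes or len(users) >= min_events):
        return "password_spray"
    # Targeted: one account hammered, and only "wrong password" comes back.
    if len(users) == 1 and set(codes) == {WRONG_PASSWORD}:
        return "targeted"
    return "inconclusive"
```

`min_events` is a tuning knob: raise it on a busy domain so a handful of fat-fingered logons does not trip the classifier.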