
🤔 How Do I Spot Bruteforcing Activity?

Created: 24.06.2023


Event logs

There will be no shortage of 4625 events (unsuccessful login) showing up in the logs. Since this attack is most likely happening over the network, the logon type will be 3 (often SMB or RDP). Now, if you give those events a once-over, you will be able to figure out whether we’re up against a rather pesky password spray attack or an attack on a single account.

Should you spot those events trotting out C0000064 error codes (user doesn’t exist) along with C000006A (wrong password) - you can bet your bottom dollar 💵 that’s a password-spraying attack. However, should you see the same username popping up time and again, with only the C000006A error code for company, then, darling, you are in the midst of a targeted attack. Congrats! 🎉
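The triage rule above, applied to parsed 4625 records, as an added example that is not part of the original post. It assumes events are already exported as dictionaries using the 4625 EventData field names (`LogonType`, `IpAddress`, `TargetUserName`, `SubStatus`); grouping by source address, the `min_failures` threshold and the verdict labels are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

NO_SUCH_USER = 0xC0000064   # user doesn't exist
BAD_PASSWORD = 0xC000006A   # wrong password

# Constructed sample records, shaped like parsed 4625 EventData fields.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "LogonType": 3, "IpAddress": "192.0.2.10",
      "TargetUserName": u, "SubStatus": s}
     for u, s in [("alice", "0xC000006A"), ("bob", "0xC000006A"),
                  ("svc_backup", "0xC0000064"), ("carol", "0xC000006A"),
                  ("guest1", "0xC0000064"), ("dave", "0xC000006A")]]
    + [{"EventID": 4625, "LogonType": 3, "IpAddress": "198.51.100.7",
        "TargetUserName": "administrator", "SubStatus": "0xC000006A"}] * 8
    # Interactive logon failure: not a network logon, so it is ignored.
    + [{"EventID": 4625, "LogonType": 2, "IpAddress": "-",
        "TargetUserName": "erin", "SubStatus": "0xC000006A"}]
)

def classify_failures(events, min_failures=5):
    """Group network logon failures by source address and label each source."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625 or ev.get("LogonType") != 3:
            continue
        code = int(str(ev["SubStatus"]), 16)
        by_source[ev["IpAddress"]].append((ev["TargetUserName"].lower(), code))

    verdicts = {}
    for source, attempts in by_source.items():
        users = {u for u, _ in attempts}
        codes = {c for _, c in attempts}
        if len(attempts) < min_failures:   # assumed noise floor
            verdicts[source] = "below_threshold"
        elif NO_SUCH_USER in codes and BAD_PASSWORD in codes and len(users) > 1:
            verdicts[source] = "password_spray"
        elif len(users) == 1 and codes == {BAD_PASSWORD}:
            verdicts[source] = "targeted_single_account"
        else:
            verdicts[source] = "inconclusive"
    return verdicts

if __name__ == "__main__":
    for source, verdict in classify_failures(SAMPLE_EVENTS).items():
        print(f"{source}: {verdict}")
```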

