Detect Password Spraying With Logs Analysis

In recent years, the press has widely covered high-profile cases related to threats and incidents caused by malicious software. Attackers have become more inventive.

This article describes how to detect the sprinkling of passwords using the Windows Event Log Viewer Trash. Password spraying is when an attacker tries many different user accounts with the same password. You should pay special attention to the event ID of Windows 4625 to detect the sprinkling of passwords. This means that the account was unable to log on to the system. To detect the sprinkling of passwords, we want to map the same source network address or the same workstation name as when logging into the network with 5 valid user names, but passwords that were incorrect within 24 hours.

The advantage of the making of the correlation rules is that you get a very low false positive rate. The main systems you will need to tune out of this rule.

More.

DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.

News

Detect Password Spraying With Logs Analysis

Read Next

USA Passes Take It Down Act: Fighting NCII at the Federal Level

Operation Artemis: FBI Arrests 22 in International Sextortion Crackdown

Digital Forensics Corp. Launches Pro Bono Initiative to Combat Sextortion Targeting Minors

Digital Forensics Corp. Launches 2025 Sextortion Study to Uncover the True Scope of a Growing Cybercrime