Jeroen_van_der_Broek
Copper Contributor
Feb 27, 2023

Suspected brute-force attack and None of the passwords attempted were previously used passwords

Suspected brute-force attack (Kerberos, NTLM) and None of the passwords attempted were previously used passwords.

This makes me wonder. It knows it is a password that was not used before. But did the account try to log in 100 times with this password, or did it make 100 tries with 100 passwords that were not used before?

If it is 100 tries with just 1 never-used password, it is possibly just someone who made a typo in a script (password), for example.

If it was 100 different passwords, it is a much bigger issue.

I cannot find in the documentation how I should read this. I am also not aware if there is an option to figure this out (Kusto query, for example).

Anyone have an idea?

  • Matthias_VDB
    Iron Contributor
    Hi,

    It seems logical that this is 100 attempts with 100 different passwords.
    If it was 100 times the same password against the same account, this is probably not considered a brute-force attack... This wouldn't make any sense... If the password doesn't work the first time, no attacker will try the same password 99 more times on the same account.
    If it would be a password-spray attack, then an attacker might use the same password against 100 accounts.

    Your message also says: "none of the passwordS"...

    So it is fair to assume we are talking about a real brute-force attack where an attacker is trying 100 different passwords against the same account.
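
The brute-force versus password-spray distinction drawn in the reply above, as an added example that is not part of the thread or of any Microsoft product: a small classifier that labels each source by the shape of its failed logons. The event tuples, host and account names, and thresholds are all constructed assumptions; the events carry no password data, so a script retrying one wrong password and 100 different guesses land in the same bucket here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2023, 2, 27, 9, 0, 0)

def sample_events():
    """Constructed events: (timestamp, source host, target account, outcome)."""
    ev = [(T0 + timedelta(seconds=i), "WS-17", "svc-backup", "fail") for i in range(100)]
    ev += [(T0 + timedelta(seconds=i), "WS-42", f"user{i:02d}", "fail") for i in range(40)]
    ev += [(T0, "WS-03", "alice", "fail"),
           (T0 + timedelta(seconds=20), "WS-03", "alice", "success")]
    return ev

def classify(events, window=timedelta(minutes=10), min_failures=30, min_accounts=20):
    """Label each source by the shape of its failed logons inside a sliding window.

    Thresholds are illustrative assumptions, not values from any product.
    """
    by_source = defaultdict(list)
    for ts, src, acct, outcome in events:
        if outcome == "fail":
            by_source[src].append((ts, acct))
    verdicts = {}
    for src, fails in by_source.items():
        fails.sort()
        counts, start, label = defaultdict(int), 0, "benign"
        for ts, acct in fails:
            counts[acct] += 1
            # Drop failures that have aged out of the window.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts:      # few tries each, many accounts
                label = "password-spray"
                break
            if max(counts.values()) >= min_failures:  # many tries, one account
                label = "brute-force"
        verdicts[src] = label
    return verdicts

if __name__ == "__main__":
    for source, label in classify(sample_events()).items():
        print(source, label)
```

A single failure followed by a success, as for the constructed `alice` account, stays below both thresholds and is left as benign.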