Triggers

  • An internal host is making many login attempts on an internal system, behavior which is consistent with a brute-force password attack
  • Such attacks can be carried out over different protocols (e.g. RDP, VNC, SSH), and the same pattern of repeated connections may also indicate a Heartbleed attack (e.g. memory scraping)

Possible Root Causes

  • An infected host or a malicious insider in control of the host is trying to guess passwords on another internal system
  • A misconfigured host is constantly trying to connect to one or more other internal systems

Business Impact

  • Successful harvesting of account credentials (usernames and passwords) for other accounts, particularly more privileged ones, is a classic progression of a targeted attack
  • Even if triggered due to a misconfiguration, the identified misconfiguration is creating significant stress on the target system and should be cleaned up

Steps to Verify

  • Determine whether the internal host in question should be connecting to the target host; if not, this is likely malicious behavior
  • Determine which process on the internal host is sending traffic to the internal IP address(es) and ports; on Windows systems, this can be done using a combination of the netstat and tasklist commands
  • Verify that the process should be running on the infected host and whether the process is configured correctly
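The netstat/tasklist correlation from the second verification step, as an added example that is not part of this playbook: it parses constructed `netstat -ano` and `tasklist /FO CSV /NH` output (sample values, not from a real host), joins the two on PID, and counts connections per process toward the RDP/VNC/SSH ports named above, so the analyst can see which image is driving the login attempts.

```python
from collections import Counter
# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.23:49210        10.0.9.40:3389         SYN_SENT        4412
  TCP    10.0.5.23:49211        10.0.9.40:3389         ESTABLISHED     4412
  TCP    10.0.5.23:49212        10.0.9.40:3389         TIME_WAIT       0
  TCP    10.0.5.23:49300        10.0.9.41:22           ESTABLISHED     4412
  TCP    10.0.5.23:50101        10.0.7.8:445           ESTABLISHED     4
"""
# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST_SAMPLE = """\
"System","4","Services","0","148 K"
"updater.exe","4412","Console","1","9,840 K"
"""
# Default ports of the protocols the playbook names as brute-force channels.
BRUTE_FORCE_PORTS = {3389: "RDP", 5900: "VNC", 22: "SSH"}

def parse_netstat(text):
    """Return (foreign_ip, foreign_port, pid) for each TCP row; header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have exactly five columns: Proto, Local, Foreign, State, PID.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        ip, _, port = parts[2].rpartition(":")
        if port.isdigit() and parts[4].isdigit():
            rows.append((ip, int(port), int(parts[4])))
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    pid_to_name = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.strip().split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            pid_to_name[int(fields[1])] = fields[0]
    return pid_to_name

def connections_by_process(netstat_text, tasklist_text):
    """Count connections per (process, target IP, port, protocol) on brute-force-prone ports."""
    names = parse_tasklist(tasklist_text)
    counts = Counter()
    for ip, port, pid in parse_netstat(netstat_text):
        if port in BRUTE_FORCE_PORTS:
            # PID 0 (e.g. TIME_WAIT sockets) has no owning process in tasklist.
            proc = names.get(pid, "(no owning process)")
            counts[(proc, ip, port, BRUTE_FORCE_PORTS[port])] += 1
    return counts
```

Run `connections_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE).most_common()` to list the offending image per target; traffic to ports outside `BRUTE_FORCE_PORTS` (the SMB row here) is deliberately left out.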

FAQs