Triggers

  • A host attempts a suspicious number of authentication requests against a large number of user accounts, some of which fail because the accounts don’t exist and others because the password is incorrect
  • The threat score is driven by the number of failed authentications for accounts that exist
  • The certainty score is driven by the regularity in the frequency of failed authentications for accounts that exist

Possible Root Causes

  • The host is part of a targeted attack that aims to spread laterally within the network by first discovering which user accounts exist and simultaneously attempting to log in to them with passwords drawn from a common list
  • The host may be a portal (a shared resource) and the authentication requests are being performed on behalf of other systems inside or outside the organization

Business Impact

  • An account brute sweep to a Kerberos or AD server is an effective way for an attacker to determine what accounts are available inside an organization’s network and to simultaneously try to guess the accounts’ passwords
  • Reconnaissance within a network is a precursor to active attacks and ultimately exposes an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep, a port scan, or even the widespread use of RPCs to many hosts, so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
  • Inquire whether the host should be utilizing the user accounts listed in the detection
  • Verify that the host on which authentication is attempted is not a shared resource as this could generate a sufficient variety of authentications to resemble an account brute sweep
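The scoring described under Triggers (threat from the count of failed logins to existing accounts, certainty from how regularly those failures arrive) and the first two verification steps (reviewing the KDC log for the host and listing the accounts it tried) can be illustrated with a small scorer. The following is an added example, not the detection product's own logic: the log format is a constructed, simplified one, the sample lines are made up, and the weighting in threat_score and the coefficient-of-variation rule in certainty_score are assumptions chosen to show the idea.

```python
"""Toy scorer for the Kerberos account brute-sweep trigger.

Added illustration with an assumed, simplified log format; not the
product's own detection logic or any real KDC's log syntax.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines. The two failure classes mirror the trigger:
# CLIENT_NOT_FOUND (account does not exist) and PREAUTH_FAILED (wrong password).
# 10.0.0.5 sweeps nine accounts at a fixed 2-second cadence; 10.0.0.9 is a
# user who mistyped a password once and then logged in.
SAMPLE_LOG = """\
2024-01-10T09:00:00 client=10.0.0.5 principal=alice result=PREAUTH_FAILED
2024-01-10T09:00:02 client=10.0.0.5 principal=zz01 result=CLIENT_NOT_FOUND
2024-01-10T09:00:04 client=10.0.0.5 principal=bob result=PREAUTH_FAILED
2024-01-10T09:00:06 client=10.0.0.5 principal=zz02 result=CLIENT_NOT_FOUND
2024-01-10T09:00:08 client=10.0.0.5 principal=carol result=PREAUTH_FAILED
2024-01-10T09:00:10 client=10.0.0.5 principal=zz03 result=CLIENT_NOT_FOUND
2024-01-10T09:00:12 client=10.0.0.5 principal=dave result=PREAUTH_FAILED
2024-01-10T09:00:14 client=10.0.0.5 principal=zz04 result=CLIENT_NOT_FOUND
2024-01-10T09:00:16 client=10.0.0.5 principal=erin result=PREAUTH_FAILED
2024-01-10T09:05:00 client=10.0.0.9 principal=alice result=PREAUTH_FAILED
2024-01-10T09:05:10 client=10.0.0.9 principal=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) principal=(?P<principal>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return (timestamp, client, principal, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["client"], m["principal"], m["result"]))
    return events


def threat_score(failed_existing):
    """Assumed weighting: 10 points per failed login to an existing account, capped at 100."""
    return min(100, 10 * failed_existing)


def certainty_score(failure_times):
    """Regularity of failures against existing accounts, 0..100.

    Assumed rule: coefficient of variation of the inter-arrival gaps. Perfectly
    even spacing (a scripted sweep) scores 100; jittery, human-like timing scores
    lower. Fewer than three failures is too little to judge, so 0.
    """
    if len(failure_times) < 3:
        return 0
    times = sorted(failure_times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0
    cv = statistics.pstdev(gaps) / mean
    return max(0, round(100 * (1 - cv)))


def assess(text, min_accounts=5):
    """Per-client summary: accounts tried, failure counts, scores, trigger decision.

    The trigger fires only when a client touched at least min_accounts accounts
    and its failures include BOTH non-existent accounts and wrong passwords,
    matching the mixed failure pattern the detection describes.
    """
    per_client = defaultdict(lambda: {"unknown": set(), "bad_password": set(), "fail_times": []})
    for ts, client, principal, result in parse_log(text):
        rec = per_client[client]
        if result == "CLIENT_NOT_FOUND":
            rec["unknown"].add(principal)
        elif result == "PREAUTH_FAILED":
            rec["bad_password"].add(principal)
            rec["fail_times"].append(ts)
        # Successful logins are not counted toward either score.
    report = {}
    for client, rec in per_client.items():
        accounts = rec["unknown"] | rec["bad_password"]
        triggered = len(accounts) >= min_accounts and rec["unknown"] and rec["bad_password"]
        report[client] = {
            "accounts_tried": sorted(accounts),   # the list an analyst asks the host owner about
            "nonexistent": len(rec["unknown"]),
            "failed_existing": len(rec["fail_times"]),
            "threat": threat_score(len(rec["fail_times"])),
            "certainty": certainty_score(rec["fail_times"]),
            "triggered": bool(triggered),
        }
    return report


if __name__ == "__main__":
    for client, summary in assess(SAMPLE_LOG).items():
        print(client, summary)
```

On the constructed sample, 10.0.0.5 is flagged (nine distinct accounts, five wrong-password failures spaced exactly 4 seconds apart, so threat 50 and certainty 100) while 10.0.0.9 is not (one account, one failure). The accounts_tried list is the starting point for the second verification step; a shared portal that authenticates on behalf of many users would show a similar account variety, which is why the third step checks for that before treating the host as compromised.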