Multiple failed login attempts

windows

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detects when multiple failed logins are seen from the same IP address, indicating a potential brute force attack is occurring.

Strategy

Monitoring of Windows event logs where @evt.id is 4625 and grouping by @network.client.ip.

Triage & Response

Verify if {{@network.client.ip}} is expected to be attempting to access the network. It is possible for this detection to be triggered by services and applications attempting to authenticate with recently expired credentials.