How to detect and respond to a Brute-force Password attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a potential Brute-force Password attack, understand the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • The necessary audit policies to generate logon failure events must be enabled on all Domain Controllers. This includes policies for Audit Kerberos Authentication Service (for Event IDs 4768, 4771) and Audit Credential Validation (for Event IDs 4625, 4776).

Steps to follow  

The process for handling a Brute-force Password attack involves detection, immediate remediation, and prevention.

Part 1: Detecting the attack  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Brute-force Password Detection.

  2. This report shows all detections of a high volume of logon failures for a specific user account originating from a single machine.

Part 2: Understanding the detection criteria  

ADAudit Plus detects a potential password brute-force attack based on the following pattern:

  • Description: An attacker makes multiple login attempts for a particular user from the same machine in a short period of time, attempting to guess the correct password.

  • Detection Logic: Any one of the following four events is observed 10 times within 5 minutes from the same machine for the same username.

    • Event 1:

      • Event code equals 4771 (Kerberos pre-authentication failed).

      • Failure code equals 0x18 (Bad password).

      • Account name does not end with $.

    • Event 2:

      • Event code equals 4625 (An account failed to log on).

      • Sub Status equals 0xC000006A (Wrong password).

      • Account name does not end with $.

    • Event 3:

      • Event code equals 4768 (A Kerberos authentication ticket (TGT) was requested).

      • Result code equals 0x18 (Bad password).

      • Account name does not end with $.

    • Event 4:

      • Event code equals 4776 (The computer attempted to validate the credentials for an account).

      • Result code equals 0xC000006A (Wrong password).

      • Logon Account does not end with $.
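As an added illustration of the criteria above (not ADAudit Plus code), the following Python applies the same four event/code rules, the trailing-`$` exclusion and the 10-in-5-minutes sliding window to constructed sample events. The event tuple layout, account names and machine names are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # matching events needed ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window

# Event ID -> failure / result / sub-status code that means "wrong password".
BAD_PASSWORD_CODES = {
    4771: "0x18",        # Kerberos pre-authentication failed (Failure Code)
    4625: "0xC000006A",  # an account failed to log on (Sub Status)
    4768: "0x18",        # TGT requested (Result Code)
    4776: "0xC000006A",  # credential validation (Result Code)
}

def is_bad_password_event(event_id, code, account):
    """True when the event matches one of the four criteria and is not a computer account."""
    if account.endswith("$"):
        return False
    expected = BAD_PASSWORD_CODES.get(event_id)
    return expected is not None and code.lower() == expected.lower()

def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per (machine, account); one alert per pair the first time
    `threshold` matching events fall inside `window`: (machine, account, first_ts, last_ts)."""
    recent, alerts, seen = defaultdict(deque), [], set()
    for ts, event_id, code, account, machine in sorted(events):
        if not is_bad_password_event(event_id, code, account):
            continue
        key = (machine.lower(), account.lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and key not in seen:
            seen.add(key)
            alerts.append((machine, account, q[0], ts))
    return alerts

# Constructed sample data (not real logs): (timestamp, event ID, code, account, machine).
def _ev(minute, second, event_id, code, account, machine):
    return (datetime(2024, 1, 1, 9, minute, second), event_id, code, account, machine)

_IDS, _CODES = [4771, 4625, 4768, 4776], ["0x18", "0xC000006A", "0x18", "0xC000006A"]
SAMPLE_EVENTS = (
    # jdoe: 10 wrong-password events from WS01 in 3 minutes, mixed event IDs -> alert
    [_ev(i // 3, 20 * (i % 3), _IDS[i % 4], _CODES[i % 4], "jdoe", "WS01") for i in range(10)]
    + [_ev(0, 5, 4771, "0x12", "jdoe", "WS01")]   # non-password failure code: not counted
    + [_ev(0, i, 4771, "0x18", "WS02$", "WS02") for i in range(12)]  # computer account: excluded
    + [_ev(2 * i, 0, 4625, "0xC000006A", "asmith", "WS03") for i in range(10)]  # too slow
)

if __name__ == "__main__":
    for machine, account, first, last in detect_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {account} from {machine}: {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

Only jdoe/WS01 is reported; the computer account and the slow failures for asmith fall outside the criteria, which is the behaviour the report above is meant to reflect.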

Part 3: Immediate remediation  

If this activity is detected, act immediately to protect the targeted account.

  1. Lock the Targeted Account: Immediately lock the user account that is being targeted to prevent a successful logon. This may happen automatically if a strong account lockout policy is in place.

  2. Block the Source IP Address: The event logs and the ADAudit Plus report will show the source machine/IP address. Block this IP address at your network firewall to stop the attack.

  3. Investigate the Source: If the source IP address is internal, it indicates a compromised machine on your network. Isolate the machine and perform a forensic analysis.

  4. Notify the User and Reset Password: Contact the legitimate user of the targeted account to inform them of the activity. After the attack has been stopped, force a secure password reset for the account.

Validation and confirmation  

  • After blocking the source IP and locking the account, the Brute-force Password Detection report in ADAudit Plus should show that the attack has ceased.

  • The targeted user account should be confirmed as locked in Active Directory Users and Computers.

  • The user should be able to log in successfully only after their password has been reset by an administrator.

Tips  

The following best practices can help prevent and mitigate brute-force password attacks.

Strong Account Lockout Policies  

  • This is the most direct defense. Configure a Group Policy to automatically lock user accounts after a small number of failed logon attempts (e.g., 5 attempts) for a specific duration (e.g., 30 minutes or until an admin unlocks it).

Enforce Strong Password Policies  

  • Require long, complex passwords that include a mix of uppercase letters, lowercase letters, numbers, and symbols. This dramatically increases the difficulty of guessing a password.

Secure Internet-Facing Services  

  • Implement Multi-Factor Authentication (MFA) on all external-facing services like VPNs and OWA. Even if an attacker guesses a password, they cannot log in without the second factor.

Network Security  

  • Use an Intrusion Prevention System (IPS) to detect and block brute-force activity at the network perimeter.

  • Restrict access to management ports (like RDP and WinRM) from the internet. All administrative access should be performed over a secure, MFA-protected VPN.

Related topics and articles  

How to configure Attack Surface Analyzer in ADAudit Plus
