VulnTech Brute Force Attack

A brute force attack use case focuses on detecting repeated authentication failures against a single account, a single source IP, or multiple accounts within a short time window.
SOC teams must detect brute force attempts early because they often lead to account compromise, lateral movement, and privilege escalation.
This chapter explains the brute force use case in full depth, including detection logic, log artifacts, SIEM rules, EDR support, investigation workflow, and practical examples from Windows, Linux, cloud, and network environments.

What Is a Brute Force Attack

A brute force attack is an authentication attack where the adversary repeatedly attempts different passwords to gain access to an account or host.
These attempts appear as a sequence of failed logins followed by a possible successful login.

Common targets:

Windows Domain Accounts
Linux SSH Accounts
VPN Portals
Web Applications
RDP Servers
Cloud IAM Accounts (AWS/Azure/GCP)

Brute force attempts always generate high-volume failed authentication logs, and sometimes a final successful log.

Indicators of a Brute Force Attack

Basic Indicators

Rapid sequence of failed logins
Multiple failures from same IP
Multiple failures against same user
Failures across many users from one IP
Failure → success sequence
Authentication attempts outside business hours

Strong Indicators

Failures across multiple protocols (RDP, SMB, SSH)
Username enumeration
Attempt from foreign or unusual geolocation
Attempts targeting privileged accounts
Attempts coming through TOR or VPN exit nodes

These patterns help define accurate detection rules.

Log Sources Required for Detection

Brute force detection depends on multiple log sources across the environment.

Windows

Event ID 4625 (Failed logon)
Event ID 4624 (Successful logon)
Relevant fields:
- LogonType
- AccountName
- Source IP
- Status/Substatus

Linux (SSH)

/var/log/auth.log
Indicators:
- Failed password for user
- Invalid user
- Accepted password

VPN / Firewalls

Authentication failures
Repeated incorrect credentials
Source IP and geo information

Cloud Platforms

AWS CloudTrail
- ConsoleLogin with Failure
Azure Sign-in Logs
GCP Login Audit Logs

Web Applications / SSO

Repeated login POST requests
Repeated incorrect password status codes

SIEM Detection Logic

Brute force detection relies on threshold-based correlation.

1. Multiple Failed Logins From One IP

Logic:

More than X failed logins
From same Source IP
Within Y minutes

Example logic:

count(EventID=4625 by SourceIP over 5 minutes) > 20

2. Multiple Failed Logins for One User

Logic:

count(failed_logons where TargetUser="john") > 10 within 5 minutes

3. Multiple Failed Logins Across Many Users

Indicates spray attacks:

one IP → many users → repeated failures

4. Failure Followed by Success

Classic compromise pattern:

4625 (many) → 4624 (success) from same IP targeting same user

5. Unusual Geo Login Attempts

Example:

Login attempts from country not in user’s profile

6. Privileged Account Brute Force

Monitor:

Domain Admin
Service accounts
Root/Administrator
Cloud admin accounts

These should always trigger high-severity alerts.

SIEM Rule Examples (Practical)

Windows Rule Example

FailedLogons = count(EventID=4625 by SourceIP over 5 minutes)
where FailedLogons > 15

SSH Brute Force Rule Example

count("Failed password" by SourceIP over 3 minutes) > 20

Password Spray Rule Example

distinct(TargetUser) > 10 AND same SourceIP in 5 minutes

Cloud Brute Force Detection (AWS)

ConsoleLogin Failure > 5 from same IP within 2 minutes

Sample Query Examples (Generic SIEM)

KQL (Microsoft Sentinel)

SecurityEvent
| where EventID == 4625
| summarize Attempts=count() by IPAddress, TargetUser, bin(TimeGenerated, 5m)
| where Attempts > 15

Splunk

index=windows EventCode=4625
| stats count by Account_Name, Source_Network_Address, span=5m
| where count > 15

Elastic

event.code:4625
| stats count() by source.ip, user.name
| where count > 20

These queries catch brute force attempts across platforms.

Investigation Workflow

Step 1 — Verify Volume of Failed Attempts

Check frequency and pattern.

Step 2 — Identify Target

Single user
Multiple users
Privileged accounts

Step 3 — Analyze Source IP

Look for:

TOR exit nodes
Hosting providers
Foreign locations
VPN IPs
Known malicious IPs

Enrich with:

VirusTotal
GreyNoise
OTX

Step 4 — Validate Success After Failures

If success occurred:

Immediate escalation
Password reset
Session termination

Step 5 — Check Lateral Movement Indicators

After successful login, look for:

LogonType 3
SMB connections
PsExec usage
Remote PowerShell

Step 6 — Determine if Attack Is Automated

Indicators:

Matching timing intervals
Username enumeration
Spray patterns

Step 7 — Containment

Block IP
Enforce MFA
Reset compromised account
Review access logs

Real SOC Scenarios

Scenario 1 — SSH Brute Force

Logs:

100 failed passwords in 2 minutes
Source IP: VPS hosting provider

Action:

Block IP
Check if any successful login
Disable password auth

Scenario 2 — Password Spray Against Office365

Logs:

1 failure per user
50 users targeted
From same IP

Action:

Mark as password spray
Increase throttling
Enforce MFA

Scenario 3 — RDP Brute Force on Windows Server

Sequence:

multiple 4625 → 4624 success  
LogonType 10 (RDP)

Action:

Immediate host isolation
Reset credentials
Review lateral movement

Intel Dump

Brute force attacks generate repeated failed authentication attempts across Windows, Linux, VPN, and cloud systems.
Key indicators include high-volume failures, failure-to-success events, username enumeration, and spray patterns.
SIEM rules use thresholds and correlation windows to detect suspicious login behavior.
Analysts investigate the source IP, target accounts, timing patterns, and post-authentication behavior.
Compromise occurs when failure burst is followed by a successful login from the same IP.
Response requires blocking the source, resetting credentials, enforcing MFA, and checking for lateral movement.