Need assistance on getting login failures to group by username

A seemingly straightforward problem: “What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.” But I’m stuck and the hint is garbage. “Get-WinEvent can show us the specific records and how many there are right?”

Normally I would just figure this out but I’ve been at this for 4 hours and the closest I can get is using:

    Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        LogName      = 'Security'
        Id           = 4625
    } | Select-Object -ExpandProperty Message

In desperation I also tried dumping the list of ActiveDirectory users with:

  • Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
    and trying each as an answer, which still hasn't gotten me the answer.

Please help!!

Just giving a new hint in case you have heard of this: try to get the TargetUserName when you filter it, because in the Windows Event ID what you are looking for is the TargetUserName, not the SamAccountName.

Hope this works.
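To show what the reply above means in practice, here is an added example (not code from either poster) that pulls TargetUserName out of each 4625 event's XML instead of the free-text Message, counts failures per account, and then flags accounts whose failures cluster inside a short time window. It assumes it runs in an elevated PowerShell on the DC (or against an exported .evtx by swapping `-FilterHashtable` for `-Path` plus `Where-Object Id -eq 4625`); the threshold and window values are arbitrary choices for illustration.

```powershell
# Added example: group Security 4625 (logon failure) events by TargetUserName.
# Assumption: run elevated on the DC; adjust $Threshold/$Window to taste.
$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 4625
} -ErrorAction Stop

# Read the structured EventData fields from the event XML; the Message
# property is localized free text and awkward to parse reliably.
$Failures = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        TargetUserName = $data['TargetUserName']   # the account being tried
        TargetDomain   = $data['TargetDomainName']
        IpAddress      = $data['IpAddress']        # source of the attempt
        LogonType      = $data['LogonType']        # 3 = network, 10 = RDP, ...
        SubStatus      = $data['SubStatus']        # 0xC000006A bad password, 0xC0000064 no such user
    }
}

# Per-account totals, most failures first
$Failures | Group-Object TargetUserName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Rapid-succession check: report any account with at least $Threshold
# failures whose timestamps fit inside a sliding $Window.
$Threshold = 10
$Window    = [timespan]::FromSeconds(60)
foreach ($g in ($Failures | Group-Object TargetUserName)) {
    $times = @($g.Group.Time | Sort-Object)
    for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
        if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
            "{0}: {1} failures within {2}s starting {3}" -f `
                $g.Name, $Threshold, $Window.TotalSeconds, $times[$i]
            break
        }
    }
}
```

The first table alone usually answers "which account has the most failures"; the second loop is what separates a genuine burst from a service account that fails a few times a day with a stale password. Splitting on SubStatus (bad password versus unknown user) and grouping by IpAddress as well are the natural next pivots when triaging this on a real DC.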

Maybe this will help: Help with HTB academy - INTRODUCTION TO WINDOWS COMMAND LINE - #17 by hojat