A seemingly straightforward problem: “What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.” But I’m stuck and the hint is garbage. “Get-WinEvent can show us the specific records and how many there are right?”
Normally I would just figure this out but I’ve been at this for 4 hours and the closest I can get is using:
    # Pull every 4625 (logon failure) record from the Security log and dump the message text
    Get-WinEvent -FilterHashtable @{
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        LogName      = 'Security'
        Id           = 4625
    } | Select-Object -ExpandProperty Message
In desperation I also tried dumping the list of Active Directory users with:
    Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
and trying each as an answer, which still hasn't gotten me the answer.
Please help!!
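An added example (not part of the original post) of the grouping the question is asking for: parse the 4625 records, group them by the target account, and rank accounts by how many failures land inside one short time window, which is what "rapid succession" means in practice. It assumes the session can read the Security log on the DC (run it elevated there) and that Get-WinEvent returns EventLogRecord objects whose ToXml() exposes the usual 4625 EventData fields (TargetUserName, IpAddress, LogonType, Status). The function names, the 60-second window and the threshold of 10 are my choices, and the sample data at the bottom is constructed so the logic can be exercised offline. One caveat worth knowing: 4625 is written on the machine that processed the logon; on a DC, failed Kerberos pre-authentication is logged as 4771 and failed NTLM credential validation as 4776, so if 4625 looks thin, check those too.

```powershell
# Added example, not from the original post. Assumptions: elevated session on the DC,
# Get-WinEvent returning EventLogRecord objects; window/threshold values are illustrative.

# Turn a raw 4625 record into a flat object with the fields we need.
function ConvertFrom-LogonFailure {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            TargetUserName = $d['TargetUserName']
            IpAddress      = $d['IpAddress']
            LogonType      = $d['LogonType']
            Status         = $d['Status']
        }
    }
}

# Group failures per account and compute the densest burst (max failures in any sliding window).
function Get-BruteForceCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, TargetUserName, IpAddress
        [int] $WindowSeconds = 60,
        [int] $Threshold     = 10
    )
    $Events |
        Group-Object TargetUserName |
        ForEach-Object {
            $times = @($_.Group.TimeCreated | Sort-Object)
            $maxInWindow = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                $j = $i
                while ($j -lt $times.Count -and ($times[$j] - $times[$i]).TotalSeconds -le $WindowSeconds) { $j++ }
                if (($j - $i) -gt $maxInWindow) { $maxInWindow = $j - $i }
            }
            [pscustomobject]@{
                TargetUserName = $_.Name
                Total          = $_.Count
                MaxInWindow    = $maxInWindow
                Sources        = (@($_.Group.IpAddress | Sort-Object -Unique) -join ',')
            }
        } |
        Where-Object { $_.MaxInWindow -ge $Threshold } |
        Sort-Object MaxInWindow -Descending
}

# Live use on the DC (uncomment there):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#     ConvertFrom-LogonFailure |
#     Get-BruteForceCandidates -WindowSeconds 60 -Threshold 10 |
#     Format-Table -AutoSize

# Constructed sample data: one account hammered 30 times in 30 seconds from a single source,
# another with 5 failures spread 10 minutes apart (a forgotten password, not a brute force).
$t0 = Get-Date '2024-01-01T10:00:00'
$sample = @(
    0..29 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_);    TargetUserName = 'svc_backup'; IpAddress = '10.0.0.5' } }
    0..4  | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddMinutes(10*$_); TargetUserName = 'jdoe';       IpAddress = '10.0.0.9' } }
)
Get-BruteForceCandidates -Events $sample | Format-Table -AutoSize
```

Parsing the XML rather than the Message string is deliberate: Message is rendered from provider metadata and can come back empty or localized, while the EventData fields are stable. The sliding window separates a real burst from an account that simply fails a few times over an hour, and the Sources column tells you whether the failures come from one host, which is the next thing you would want to know in an incident.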