This project demonstrates how Windows Security Event Logs can be used to detect and investigate brute-force authentication attempts. The focus is on identifying failed login activity recorded as Security Event ID 4625 and analyzing patterns that indicate credential abuse.
This type of investigation reflects common responsibilities of an entry-level SOC analyst, including log review, pattern recognition, and incident triage.
- Enable Windows auditing for failed logon attempts
- Simulate failed authentication activity in a controlled lab environment
- Identify failed login events using Windows Event Viewer
- Analyze event details to understand the cause of failures
- Detect patterns consistent with brute-force behavior
- Host OS: macOS
- Guest OS: Windows 11 (Virtual Machine)
- Tools Used:
  - Windows Event Viewer
  - Local Security Policy
Windows was configured to record failed authentication attempts by enabling Audit logon events (Failure) within Local Security Policy. This step is critical, as brute-force attacks cannot be detected if failed logins are not logged.
Multiple incorrect login attempts were intentionally generated over a short time period to simulate brute-force behavior. This represents the point at which an end user would experience repeated authentication failures.
After generating the failed login attempts, Windows Event Viewer was used to review the Security log. The log was filtered for Event ID 4625, the event Windows records for each failed logon attempt.
A single Event ID 4625 entry was examined to gather additional context, including the targeted account, failure reason, and logon type. This information helps determine whether the activity is normal user error or potentially malicious behavior.
Multiple failed login events occurring close together in time were identified. The frequency and timing of these events are consistent with brute-force authentication attempts rather than accidental user mistakes.
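The pattern check described above can be reproduced outside Event Viewer. The following is an added example, not part of the original project: it parses 4625 events in the XML form shown in Event Viewer's Details view, maps the NTSTATUS SubStatus code to a failure reason, and flags any account with five or more failures inside a rolling two-minute window. The sample events, the threshold and the window size are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS sub-status values seen in 4625 EventData (wrong password, unknown account, lockout)
SUBSTATUS = {"0xc000006a": "bad password", "0xc0000064": "unknown user", "0xc0000234": "account locked"}

def parse_4625(xml_text):
    """Flatten one Security event (Event Viewer XML view) into the fields used for triage."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    ts = system.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries 7 fractional digits; whole seconds are enough for windowing
    when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "time": when,
        "user": data.get("TargetUserName", ""),
        "workstation": data.get("WorkstationName", ""),
        "logon_type": data.get("LogonType", ""),
        "reason": SUBSTATUS.get(data.get("SubStatus", "").lower(), data.get("SubStatus", "")),
    }

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {account: failure_count} for accounts with >= threshold 4625s in any rolling window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625:
            by_user[ev["user"]].append(ev["time"])
    hits = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                hits[user] = j - i + 1
                break
    return hits

# Constructed sample: six wrong-password failures against 'labuser' in 40 seconds, one stray failure for 'alice'
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>4625</EventID><TimeCreated SystemTime="{ts}.0000000Z"/></System><EventData>'
            '<Data Name="TargetUserName">{user}</Data><Data Name="WorkstationName">LAB-VM</Data>'
            '<Data Name="LogonType">2</Data><Data Name="SubStatus">0xc000006a</Data></EventData></Event>')
SAMPLE_EVENTS = [TEMPLATE.format(ts=f"2024-05-01T10:00:{s:02d}", user="labuser") for s in range(0, 48, 8)]
SAMPLE_EVENTS.append(TEMPLATE.format(ts="2024-05-01T10:05:00", user="alice"))

if __name__ == "__main__":
    print(detect_bruteforce([parse_4625(x) for x in SAMPLE_EVENTS]))  # {'labuser': 6}
```

Against a live system the same functions can be fed the XML produced by exporting the filtered Security log from Event Viewer, one event per string.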
- Failed authentication attempts were successfully logged as Event ID 4625
- Multiple failures occurred within a short timeframe
- Repeated attempts against the same account indicated brute-force behavior
- Event details provided sufficient context for investigation and triage
This project demonstrates how Windows authentication logs can be used to detect and investigate brute-force attacks. By enabling proper auditing, filtering for Event ID 4625, and analyzing event patterns, security analysts can identify credential abuse and take appropriate response actions.
This investigation reflects common Tier 1 SOC responsibilities, including authentication monitoring, log analysis, and initial incident assessment.