A system administrator flagged a high volume of Audit Failure events in the Windows Security Event log. The task is to analyse the logs, identify the attacker, characterise the brute force campaign, and extract key IOCs.
The first step is quantifying the noise. A quick grep against the logs reveals the scale of the campaign:
```shell
cat * | grep -a -i "audit failure" | wc -l
```
3103 Audit Failure events — a clear indicator of an automated brute force tool rather than manual attempts.
Filtering for account information points directly to the targeted user:
```shell
cat * | grep -a -i "account"
```
The attacker was hammering the Administrator account — the default privileged local account and a predictable brute force target. Every failure logged the reason as “Unknown user name or bad password.”, confirming credential stuffing or password spraying rather than an account-lockout failure. These events are recorded under Windows Event ID 4625, the standard logon failure event.
Pulling the source address from the logs:
```shell
cat * | grep -a -i "address"
```
All 3103 failures originate from a single IP: 113[.]161[.]192[.]227. A lookup via ipinfo.io geolocates this address to Vietnam.
At this volume the attacking host cycled through its ephemeral source ports over the course of the session. Extracting the full range:
```shell
cat * | grep -a "Source Port" | grep -oP '\d+' | sort -n | awk 'NR==1{low=$1} {high=$1} END{print low"-"high}'
```
The ports spanned 49162–65534, consistent with the Windows dynamic port range and indicative of a sustained, high-volume automated tool running over an extended period.
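The same triage the grep one-liners above perform, as an added Python example that is not part of the original write-up: it splits exported 4625 event text into records, takes the target account from the "Account For Which Logon Failed" block rather than the first "Account Name" that grep -i "account" would also hit, and aggregates failure count, targeted accounts and source port range per attacking IP. The log text is constructed for the example and abbreviated to the fields the analysis uses.

```python
import re

# Constructed sample of exported Security-log text (not the page's real logs).
SAMPLE_LOG = """\
Audit Failure 4625
Subject:
    Account Name:  -
Account For Which Logon Failed:
    Account Name:  Administrator
Source Network Address:  113.161.192.227
Source Port:  49162
Audit Failure 4625
Subject:
    Account Name:  -
Account For Which Logon Failed:
    Account Name:  Administrator
Source Network Address:  113.161.192.227
Source Port:  65534
Audit Success 4624
Source Port:  50001
"""

# The target is the Account Name under "Account For Which Logon Failed"; the first
# "Account Name" in a 4625 event is the Subject, which grep -i "account" also hits.
FIELDS = {
    "target": r"Account For Which Logon Failed:\s*Account Name:\s*(\S+)",
    "ip": r"Source Network Address:\s*(\S+)",
    "port": r"Source Port:\s*(\d+)",
}

def parse_4625(text):
    """Yield one dict per 4625 event; other event IDs (e.g. 4624) are skipped."""
    for chunk in re.split(r"(?=^Audit \w+ \d+$)", text, flags=re.M):
        if chunk.startswith("Audit Failure 4625"):
            found = {k: re.search(rx, chunk) for k, rx in FIELDS.items()}
            rec = {k: m.group(1) if m else None for k, m in found.items()}
            rec["port"] = int(rec["port"]) if rec["port"] else None
            yield rec

def summarize(events):
    """Per source IP: failure count, targeted accounts and ephemeral port range."""
    by_ip = {}
    for e in events:
        s = by_ip.setdefault(e["ip"], {"count": 0, "targets": set(), "ports": []})
        s["count"] += 1
        s["targets"].add(e["target"])
        if e["port"] is not None: s["ports"].append(e["port"])
    return {ip: {"count": s["count"], "targets": sorted(s["targets"]),
                 "port_range": (min(s["ports"]), max(s["ports"])) if s["ports"] else None}
            for ip, s in by_ip.items()}
```

Run against a real export, the per-IP summary gives the count, account and port range columns of the IOC table directly, and a second IP or account appearing in it is the first sign the campaign is broader than a single source.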
| Type | Value |
|---|---|
| IP — Attacker | 113[.]161[.]192[.]227 |
| Country | Vietnam |
| Target Account | Administrator |
| Event ID | 4625 |
| Source Port Range | 49162–65534 |