This is an automated archive.
The original was posted on /r/cybersecurity by /u/TheBiggerBigRed on 2023-08-15 20:47:03+00:00.
Hello all,
I currently work in an MSSP SOC and we do work with some banks and other clients. I am relatively new to cybersecurity and the company I work for is also just getting systems set up and in place, so it can be slightly disorganized. That being said, it is an incredible place to work and I am a fan of my bosses/coworkers.
I keep running into an issue where we are getting alerts on things and no one seems to have a great answer as to why. An example of such an alert is: “Admin Interactive/Remote Interactive: Login Failure”
The failure code is 0xC000006D which is identified as “Incorrect Username/Password”.
I am coming into this as a newbie, and unfamiliar with the client environment, but this seems like it should be resolved at the root because no one seems to know why we get the alerts. The accounts are admin/service accounts and I (so far) see two instances of this happening. One with a service account that regularly does backups, it will fail a login 30+ times before successfully logging in.
I also see an admin account doing the same thing with similar resolution results.
A tier 2 at the SOC said it may be that the service account is sending requests for the log in repeatedly and too fast so the server gets flooded with packets and denies a login attempt? It makes sense, but why can’t something be done about it? I do not want to eliminate the alert as it could alert on a brute force attack but I don’t understand why the root cause isn’t being investigated.
Anyone have any thoughts as to why this keeps happening? Thanks!
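An added triage example, not part of the original post or any reply: it runs the check the post is really asking for over constructed Windows Security events (4625 failed logon with status 0xC000006D, 4624 successful logon), separating an account whose failure streak ends in a success (the backup service account pattern) from one that never succeeds. Account names, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
BAD_PASSWORD = "0xC000006D"  # NTSTATUS code quoted in the alert

def constructed_events():
    """Constructed sample events as (timestamp, event_id, account, status)."""
    base = datetime(2023, 8, 15, 2, 0, 0)
    events = []
    # svc_backup: 32 rapid bad-password failures, then a success (the post's pattern)
    for i in range(32):
        events.append((base + timedelta(seconds=i), FAILED_LOGON, "svc_backup", BAD_PASSWORD))
    events.append((base + timedelta(seconds=40), SUCCESS_LOGON, "svc_backup", "0x0"))
    # jdoe: 25 failures spread over four minutes and never a success
    for i in range(25):
        events.append((base + timedelta(seconds=10 * i), FAILED_LOGON, "jdoe", BAD_PASSWORD))
    # helpdesk1: one typo, then success; below any sensible threshold
    events.append((base + timedelta(minutes=1), FAILED_LOGON, "helpdesk1", BAD_PASSWORD))
    events.append((base + timedelta(minutes=1, seconds=5), SUCCESS_LOGON, "helpdesk1", "0x0"))
    return sorted(events)

def triage(events, min_failures=10, success_window=timedelta(minutes=5)):
    """Per account: count bad-password failures, measure how long the streak
    lasted, and check whether a success followed the last failure in time."""
    by_account = defaultdict(list)
    for ts, event_id, account, status in events:
        by_account[account].append((ts, event_id, status))
    report = {}
    for account, rows in by_account.items():
        rows.sort()
        fails = [ts for ts, eid, st in rows if eid == FAILED_LOGON and st == BAD_PASSWORD]
        if len(fails) < min_failures:
            report[account] = {"failures": len(fails), "verdict": "below threshold"}
            continue
        last_fail = fails[-1]
        succeeded = any(eid == SUCCESS_LOGON and last_fail <= ts <= last_fail + success_window
                        for ts, eid, _ in rows)
        span = int((last_fail - fails[0]).total_seconds())
        # A streak that ends in a success points at a stored or stale credential
        # retrying from the source host; one that never succeeds looks like guessing.
        verdict = ("streak then success: check stored credential / retry loop on source host"
                   if succeeded else "streak with no success: treat as possible brute force")
        report[account] = {"failures": len(fails), "span_seconds": span,
                           "success_after": succeeded, "verdict": verdict}
    return report

if __name__ == "__main__":
    for account, result in triage(constructed_events()).items():
        print(account, result)
```

The source workstation/IP and logon type from the same 4625 events are what to pull next: the failing process on that host is usually where the stale credential lives.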