nerdexam
GIAC

GCIH · Question #655

Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less failures against any i

The correct answer is B. Spraying. Substatus 0xC000006A indicates a wrong password, and seeing 4 or fewer failures spread across many accounts - rather than many failures on one account - is the signature pattern of a password spraying attack.

Incident Response & Cyber Kill Chain

Question

Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less failures against any individual account. Which type of password attack is indicated by these events?

Options

  • ARainbow Tables
  • BSpraying
  • CBrute Force
  • DPassing the Hash

How the community answered

(46 responses)
  • A
    7% (3)
  • B
    54% (25)
  • C
    11% (5)
  • D
    28% (13)

Why each option

Substatus 0xC000006A indicates a wrong password, and seeing 4 or fewer failures spread across many accounts - rather than many failures on one account - is the signature pattern of a password spraying attack.

ARainbow Tables

Rainbow table attacks crack hashes offline by precomputed lookups and never generate authentication failure events in a security log.

BSprayingCorrect

Password spraying deliberately tries a single common password (or a very small set) against a large number of accounts to stay below lockout thresholds, which is exactly what low per-account failure counts indicate. The substatus 0xC000006A confirms a bad password was supplied, and the distribution across accounts rather than concentration on one account distinguishes spraying from brute force.

CBrute Force

Brute force attacks target a single account repeatedly with many password attempts, which would produce a high failure count on individual accounts - the opposite of what is observed here.

DPassing the Hash

Pass-the-hash attacks authenticate using a stolen NTLM hash directly and succeed on the first attempt, so they do not produce wrong-password failure events with substatus 0xC000006A.

Concept tested: Password spraying detection via Windows event log analysis

Source: https://attack.mitre.org/techniques/T1110/003/

Topics

#password spraying#event logs#substatus codes#authentication attacks

Community Discussion

No community discussion yet for this question.

Full GCIH Practice