GCIH · Question #655
Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less failures against any i
The correct answer is B. Spraying. Substatus 0xC000006A indicates a wrong password, and seeing 4 or fewer failures spread across many accounts - rather than many failures on one account - is the signature pattern of a password spraying attack.
Question
Nathan is examining the security event log on a file server that contains sensitive data. He finds a number of Event ID 1234s with substatus code 0xC000006A. There are 4 or less failures against any individual account. Which type of password attack is indicated by these events?
Options
- ARainbow Tables
- BSpraying
- CBrute Force
- DPassing the Hash
How the community answered
(46 responses)- A7% (3)
- B54% (25)
- C11% (5)
- D28% (13)
Why each option
Substatus 0xC000006A indicates a wrong password, and seeing 4 or fewer failures spread across many accounts - rather than many failures on one account - is the signature pattern of a password spraying attack.
Rainbow table attacks crack hashes offline by precomputed lookups and never generate authentication failure events in a security log.
Password spraying deliberately tries a single common password (or a very small set) against a large number of accounts to stay below lockout thresholds, which is exactly what low per-account failure counts indicate. The substatus 0xC000006A confirms a bad password was supplied, and the distribution across accounts rather than concentration on one account distinguishes spraying from brute force.
Brute force attacks target a single account repeatedly with many password attempts, which would produce a high failure count on individual accounts - the opposite of what is observed here.
Pass-the-hash attacks authenticate using a stolen NTLM hash directly and succeed on the first attempt, so they do not produce wrong-password failure events with substatus 0xC000006A.
Concept tested: Password spraying detection via Windows event log analysis
Source: https://attack.mitre.org/techniques/T1110/003/
Topics
Community Discussion
No community discussion yet for this question.