So this is always a concern. I have always wanted to be able to tell how often a user entered an invalid password. My belief was that I could then detect brute force attacks much more easily.
Well, thanks to ExtraHop I can now see invalid password attempts. So I was all fired up to use this feature and "capture the bad guy." Little did I know that I was opening a can of worms that has really taken me for a ride. Taking a look below, I have 8,387 invalid password attempts in my environment. This is for a 1 day period. Wow, I only have 4000 to 5000 employees in my environment. So that would mean every user enters their password wrong at least twice a day? No way. So what is really happening? Why am I seeing this large number?
So as I dug into this I started doing some testing. I first focused on privileged accounts. I wanted to see how many invalid passwords the privileged accounts had; maybe that would be less. Initially it was still pretty high for the number of accounts we had, but proportionally it was way less. So now that I had figured out how to focus on a group of accounts I started doing some testing, and what I found was interesting.
When you lock your computer or disconnect from an RDP session, that session stays intact as long as there is not a policy to log off all disconnected sessions within a certain time frame. And it appears (I have not found a document that can confirm this yet) that Kerberos for user accounts can only renew while in interactive mode. So the ticket expires, and then the session will try to auth to different services\network shares and other things but fail with an invalid password, because the Kerberos ticket is expired.
I noticed that if I left an account logged in for longer than 10 hours with no interactive login, then after hour 10 it would have invalid password attempts. Simply logging on (thereby renewing the ticket) or logging off the user would stop this. So why is this important, and why does it matter to log off vs. locking a computer?
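To make the two observations above concrete (focusing on a group of accounts such as privileged ones, and separating the "stale session" failures that start about 10 hours after the last interactive logon from a rapid burst of failures that looks like guessing), here is an added triage script. It is example code written for this post, not ExtraHop output or any product's API; the log format, account names, hosts and the privileged group are all constructed, and the 10 hour and 5-in-5-minutes thresholds are assumptions you would tune to your own environment.

```python
"""Triage invalid-password events (added example, not from the original post).

Separates the stale-session pattern (failures beginning ~10 h after the last
interactive logon) from a rapid burst of failures, and lets you report on a
chosen group of accounts. The log format below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp,user,event,host.
# Users and hosts are hypothetical.
SAMPLE_LOG = """\
2024-01-10T07:55:00,alice,LOGON_OK,WS01
2024-01-10T18:10:00,alice,INVALID_PASSWORD,WS01
2024-01-10T18:25:00,alice,INVALID_PASSWORD,WS01
2024-01-10T18:40:00,alice,INVALID_PASSWORD,WS01
2024-01-10T09:00:00,bob,LOGON_OK,WS02
2024-01-10T09:05:00,bob,INVALID_PASSWORD,WS02
2024-01-10T09:05:10,bob,INVALID_PASSWORD,WS02
2024-01-10T09:05:20,bob,INVALID_PASSWORD,WS02
2024-01-10T09:05:30,bob,INVALID_PASSWORD,WS02
2024-01-10T09:05:40,bob,INVALID_PASSWORD,WS02
2024-01-10T12:00:00,svc_backup,INVALID_PASSWORD,SRV01
"""

# Constructed group of privileged account names (assumption for the example).
PRIVILEGED = {"svc_backup"}


def parse_log(text):
    """Parse the constructed CSV-style records into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "event": event, "host": host})
    records.sort(key=lambda r: r["time"])
    return records


def triage(records, stale_after=timedelta(hours=10),
           burst_window=timedelta(minutes=5), burst_threshold=5):
    """Return {user: {"failures", "stale_session", "burst"}}.

    stale_session: a failure occurred at least `stale_after` after the user's
    most recent successful logon (the expired-ticket pattern from the post).
    burst: at least `burst_threshold` failures inside one `burst_window`.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    result = {}
    for user, events in by_user.items():
        last_ok = None
        failures = []
        stale = False
        for e in events:
            if e["event"] == "LOGON_OK":
                last_ok = e["time"]
            elif e["event"] == "INVALID_PASSWORD":
                failures.append(e["time"])
                if last_ok is not None and e["time"] - last_ok >= stale_after:
                    stale = True
        # Sliding window over the (already time-ordered) failure timestamps.
        burst = False
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j] - failures[i] <= burst_window:
                j += 1
            if j - i >= burst_threshold:
                burst = True
                break
        result[user] = {"failures": len(failures),
                        "stale_session": stale, "burst": burst}
    return result


def report(triaged, only=None):
    """Rows (user, failure count, tag) for accounts in `only`, or for all."""
    rows = []
    for user, info in sorted(triaged.items()):
        if only is not None and user not in only:
            continue
        if info["burst"]:
            tag = "BURST"
        elif info["stale_session"]:
            tag = "STALE-SESSION"
        else:
            tag = "review"
        rows.append((user, info["failures"], tag))
    return rows


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for row in report(result):
        print(*row)
    print("privileged only:", report(result, only=PRIVILEGED))
```

In the sample data, alice's three failures all land more than 10 hours after her morning logon and get tagged STALE-SESSION, bob's five failures inside 40 seconds get tagged BURST, and the privileged service account with a single failure and no prior logon is left for manual review. Feeding your own export into `parse_log` (after adapting the column mapping) and restricting `report` to a privileged group reproduces the proportional view described above.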
Well, when you log into a computer your username and password are stored in clear text. This is for single sign on. Most people have heard about pass the hash, which can be obtained from a computer even after a person is logged off. But what most people do not realize is that the password is stored in clear text while you are logged on. So if an attacker gains access to your machine WHILE you are logged on, they can gain access to your username and password in clear text. This allows them to become you. Simply logging off clears the password stored in clear text. Yes, the hash is still there, allowing a pass the hash attack, but that type of attack is way more complicated than simply using your username and password to access systems.
Think about privileged accounts! This is why it is critical not to log in with elevated accounts to machines that are widely used on the internet. As a matter of fact, highly privileged accounts should be blocked from accessing these computers. The risk is high. Things like surfing the internet with these highly privileged accounts are dangerous.
This is why it is critical to monitor accounts and invalid passwords, as well as retraining your staff to log off rather than lock computers. ExtraHop can help you change this habit.