A server administrator is analyzing the security event logs of a public-facing web server to investigate a potential security breach. Which of the following event sequences, if found in the logs, would be the strongest indicator of a compromised user account resulting from a brute-force attack?
A single failed login attempt for a privileged account from an unfamiliar IP address occurring outside of business hours.
A high volume of failed login attempts for multiple user accounts from a single IP address, followed by a successful login from the same IP address.
A successful interactive login by a domain administrator, immediately followed by the creation of a new, non-privileged user account.
Numerous successful logins by a service account that occur at the same scheduled time each night.
The correct answer describes a classic brute-force or password-spraying attack pattern. Attackers use automated tools to try many different passwords against one or more accounts, which generates a large number of failed login events (like Windows Event ID 4625). A subsequent successful login (Event ID 4624) from the same source IP address strongly suggests the attacker has found a valid credential and has compromised an account.
A single failed login attempt, while worth noting, is common background noise on internet-facing servers and is not a strong indicator of a targeted, successful attack. Scheduled, repeated successful logins by a service account are normal and expected behavior for automated tasks like backups or system maintenance. While the creation of a new user by an administrator is a privileged action that should be audited, it is a standard administrative task and, by itself, is not an indicator of an external brute-force attack; it could be a legitimate, authorized action.
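As an added example (not part of the original question or its explanation), this is the correlation the explanation describes, written as a small detector and run over a few constructed log lines. The CSV layout (timestamp, event ID, account, source IP) is an assumed simplification of an exported Windows Security log, and the threshold and window values are assumed tuning knobs, not figures from the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real export): "timestamp,event_id,account,source_ip".
# 203.0.113.7 sprays six accounts (4625) and then logs on as "frank" (4624);
# 198.51.100.4 is a single stray failure; 192.0.2.10 is a nightly service-account logon.
SAMPLE_LOG = """\
2024-05-01T02:10:01,4625,alice,203.0.113.7
2024-05-01T02:10:02,4625,bob,203.0.113.7
2024-05-01T02:10:03,4625,carol,203.0.113.7
2024-05-01T02:10:04,4625,dave,203.0.113.7
2024-05-01T02:10:05,4625,erin,203.0.113.7
2024-05-01T02:10:06,4625,frank,203.0.113.7
2024-05-01T02:10:09,4624,frank,203.0.113.7
2024-05-01T08:30:00,4625,admin,198.51.100.4
2024-05-01T23:00:00,4624,svc_backup,192.0.2.10
2024-05-02T23:00:00,4624,svc_backup,192.0.2.10
"""


def parse_events(text):
    """Parse the simplified CSV lines into (time, event_id, account, source_ip), time-ordered."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, ip))
    return sorted(events)


def find_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failed_count, distinct_accounts, account_that_succeeded)}
    for each source IP whose successful logon (4624) is preceded by at least
    `threshold` failed logons (4625) from the same IP within `window`.
    Isolated failures and routine successful logons never match."""
    failures = defaultdict(list)  # source_ip -> [(time, account), ...]
    hits = {}
    for ts, eid, account, ip in events:
        if eid == 4625:
            failures[ip].append((ts, account))
        elif eid == 4624:
            recent = [(t, a) for t, a in failures[ip] if ts - t <= window]
            if len(recent) >= threshold and ip not in hits:
                hits[ip] = (len(recent), len({a for _, a in recent}), account)
    return hits


if __name__ == "__main__":
    for ip, (fails, accounts, who) in find_bruteforce_then_success(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {fails} failures across {accounts} accounts, then success as {who}")
```

The distinct-account count is what separates a password spray (many accounts, one IP) from a brute force against one account; both produce the same 4625-then-4624 shape that the answer describes.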