DFSP # 399 - Lateral Movement Failed Logon Events
Finding and analyzing failed logons sometimes is just as important as finding suspicious, actual logon activity. Like anything, context is important. Old logon records offer an opportunity to identify not only suspicious activity, but perhaps attempted activity by an attacker. A standard move in the attack chain is to compromise an account and use it to move within the breached environment. However, it doesn't always work as planned for the attacker, and you may find failed activity a valid signal for identifying, malicious actions. This episode, I'm going to take a look at failed logon events from an investigation point of you.