ID208 - SOC246
Forced Authentication Detected

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

An initial check on VirusTotal and AbuseIPDB shows the source IP address flagged as malicious, with prior reports of SSH brute-forcing.

Log Management

Log management shows, on 12.12.2023, 22 events within a short period of time (from 1:51 pm to 2:15 pm), all targeting the same destination IP.

The attacks target several ports: 25, 53, 80, 110, 443, 3000, 3389, 21.

It looks like the attacker is performing an active port scan: the firewall denies the probes on every port (FW deny) except 80 and 3000, which it permits (FW permit).

Following the scan activity, several HTTP POST requests (request type: proxy) were observed.

(request URL hxxp[://]test-frontend[.]letsdefend[.]io/accounts/login)

These requests attempted logins using common username/password combinations:

  • root : 123456

  • admin : 12345

  • admin : abcd12345

The pattern reflects an automated brute-force attack leveraging credential stuffing over POST requests routed through a proxy.

Note: all of this traffic was marked as permitted by the firewall, indicating that the brute-force activity was not blocked and reached its intended target.

The last log entry, at 2:15 PM, reports:

action User Login Successful

This confirms that the brute-force attack succeeded, resulting in unauthorized access to the target with the username admin.
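The two patterns found above (a multi-port scan from one source, then repeated failed POST logins to the same URL ending in a success) can be written as a small correlation rule. The following Python is an added example, not code from the LetsDefend lab or from this write-up; the key=value log format, the destination host 10.0.0.5 and the exact timestamps are constructed, while the source IP, the ports and the login path are the ones from the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (simplified key=value format, not the real log export).
# The destination host is a placeholder; src, ports and URL path come from the alert.
SAMPLE_LOGS = """\
2023-12-12 13:51:02 src=120.48.36.175 dst=10.0.0.5 dport=25 action=deny
2023-12-12 13:51:05 src=120.48.36.175 dst=10.0.0.5 dport=53 action=deny
2023-12-12 13:51:09 src=120.48.36.175 dst=10.0.0.5 dport=80 action=permit
2023-12-12 13:51:12 src=120.48.36.175 dst=10.0.0.5 dport=110 action=deny
2023-12-12 13:51:15 src=120.48.36.175 dst=10.0.0.5 dport=443 action=deny
2023-12-12 13:51:20 src=120.48.36.175 dst=10.0.0.5 dport=3000 action=permit
2023-12-12 13:51:24 src=120.48.36.175 dst=10.0.0.5 dport=3389 action=deny
2023-12-12 13:51:30 src=120.48.36.175 dst=10.0.0.5 dport=21 action=deny
2023-12-12 14:01:10 src=120.48.36.175 dst=10.0.0.5 dport=80 action=permit method=POST url=/accounts/login user=root result=fail
2023-12-12 14:03:41 src=120.48.36.175 dst=10.0.0.5 dport=80 action=permit method=POST url=/accounts/login user=admin result=fail
2023-12-12 14:05:02 src=120.48.36.175 dst=10.0.0.5 dport=80 action=permit method=POST url=/accounts/login user=admin result=fail
2023-12-12 14:15:00 src=120.48.36.175 dst=10.0.0.5 dport=80 action=permit method=POST url=/accounts/login user=admin result=success
"""

def parse(line):
    """Turn '2023-12-12 13:51:02 k=v k=v ...' into a dict with a datetime under 'ts'."""
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    fields["ts"] = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return fields

def detect(log_text, scan_ports=5, fail_threshold=3, auth_window=timedelta(minutes=30)):
    """Flag (a) one src touching >= scan_ports distinct ports on one dst and
    (b) a successful POST login preceded by >= fail_threshold failures within auth_window."""
    findings = []
    ports = defaultdict(set)     # (src, dst) -> distinct destination ports seen
    fails = defaultdict(list)    # (src, url) -> timestamps of failed logins
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        ports[(e["src"], e["dst"])].add(int(e["dport"]))
        if e.get("method") != "POST":
            continue
        key = (e["src"], e["url"])
        if e["result"] == "fail":
            fails[key].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in fails[key] if e["ts"] - t <= auth_window]
            if len(recent) >= fail_threshold:
                findings.append(("forced_auth_success", e["src"], e["url"], e["user"], len(recent)))
    for (src, dst), seen in ports.items():
        if len(seen) >= scan_ports:
            findings.append(("port_scan", src, dst, sorted(seen)))
    return findings

def run_sample():
    return detect(SAMPLE_LOGS)
```

Run against the sample, the rule reports one port scan covering all eight ports and one forced authentication for admin after three failures, which is the same conclusion the manual triage reached.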

Playbook Execution

Is Traffic Malicious?
Answer

yes

Which of the following is the attack vector in the malicious traffic you have detected as a result of your investigations?
Answer

Other – brute force attack

Is the malicious traffic caused by a planned test?
Answer

not planned

What Is the Direction of Traffic?
Answer

internet -> company network

Was the Attack Successful?
Answer

yes

Perform Tier 2 escalation?
Answer

definitely yes

Add Artifacts

  • 120.48.36[.]175 (IP address): threat actor

  • hxxp[://]test-frontend[.]letsdefend[.]io/accounts/login (URL): requested URL

Verdict

True Positive

Analyst Summary Report

Summary of findings

On December 12, 2023, between 13:51 and 14:05, a high-volume brute-force attack was detected targeting a company asset. The attacker (IP: 120.48.36[.]175) attempted to authenticate through multiple services and ports (25, 53, 80, 110, 443, 3000, 3389, 21), using common usernames (root, admin) and weak passwords (123456, abcd12345, etc.) — consistent with automated credential stuffing.

The attack was performed via HTTP POST requests to the URL:
hxxp[://]test-frontend[.]letsdefend[.]io/accounts/login

All these requests were marked as device action: permitted, indicating that perimeter defenses allowed the brute-force traffic to proceed without filtering or rate-limiting.

At 14:15, a final log entry confirmed a successful login using the admin account, indicating the brute-force attack resulted in unauthorized access to the target system.

Remediation recommendations
  • Block malicious IP 120.48.36[.]175 and domain test-frontend[.]letsdefend[.]io.
  • Review firewall/web proxy rules to restrict outbound POST traffic and prevent brute-force login attempts.
  • Audit credentials across the network for weak/default passwords.
  • Implement rate limiting and account lockout policies.
  • Enable Multi-Factor Authentication (MFA).
  • Escalate to Tier 2 for full forensic investigation and log preservation.

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.