Brute Force Attack Detection using Wazuh SIEM

Aaliya Khalil

🔥 Brute Force Authentication Attack Investigation (Wazuh SIEM)

Overview

This investigation involved simulating and analyzing a brute force authentication attack against a Windows host running the OpenSSH server. The objective was to detect abnormal login behavior, correlate failed and successful authentication attempts from the same source, and reconstruct the attack sequence from the events collected by the SIEM.

Environment & Tools

Wazuh SIEM (agent-based log collection, decoding and alerting)
Windows Event Logs (Security channel, collected by the Wazuh agent)
SSH authentication logs (Windows OpenSSH service)
Windows Security Event ID analysis (4625 failed logon, 4624 successful logon)
Log correlation and timeline reconstruction techniques

Investigation Steps

1. Initial Log Review: Authentication events from the Windows Security Event Log were reviewed in Wazuh to identify abnormal login patterns.
2. Detection of Failed Login Activity: A series of Event ID 4625 (failed logon) events was observed from a single source address against a single target account, indicating repeated authentication failures consistent with brute force behavior. The IpAddress and TargetUserName fields of 4625 are the correlation keys; the Status/SubStatus codes separate password guessing (0xC000006A, bad password) from account enumeration (0xC0000064, unknown user).
3. Correlation with Successful Login: Following the run of failures, a successful authentication event (Event ID 4624) was recorded for the same source address and target account, indicating probable credential compromise.
4. Attack Pattern Validation: The event sequence showed:
Repeated authentication failures from one source against one account
A short interval between the last failure and the success
No prior successful baseline activity from that source
This pattern aligned with a brute force authentication attempt.
5. SIEM Contextual Analysis (Wazuh): Wazuh correlation rules, which can count repeated matching events per source within a timeframe, surfaced and reinforced the abnormal authentication behavior and raised detection confidence.
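The correlation described in steps 2 to 4 (a burst of 4625 events from one source against one account, then a 4624 for the same pair) is shown below as an added, stand-alone example; it is not code from the original write-up and it is not Wazuh's own ruleset, which does this kind of counting with `<frequency>` and `<timeframe>` rule options. The event shape (`data.win.system.eventID`, `data.win.eventdata.ipAddress`, `targetUserName`, `logonType`, `status`) follows Wazuh's eventchannel decoding as an assumption, the threshold and window are illustrative, and every event is constructed sample data, not a capture from the lab.

```python
"""Correlate Windows Security 4625/4624 events to flag a successful brute force.

Added example (not part of the original post). Assumes events are shaped like
Wazuh eventchannel output; field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures per (source IP, account) before alerting
WINDOW = timedelta(seconds=60)     # sliding window used for the failure count


def make_event(time, event_id, ip, user, logon_type="3", status=None):
    """Build one record in the assumed Wazuh eventchannel JSON shape."""
    eventdata = {"ipAddress": ip, "targetUserName": user, "logonType": logon_type}
    if status:
        eventdata["status"] = status      # 0xC000006A = bad password
    return {"timestamp": time,
            "data": {"win": {"system": {"eventID": str(event_id)},
                             "eventdata": eventdata}}}


def build_sample_events():
    """Constructed sample data: attacker 192.0.2.10 guesses 'admin', then succeeds."""
    events = []
    for sec in (0, 2, 4, 6, 8, 10):
        events.append(make_event(f"2026-06-01T12:00:{sec:02d}", 4625,
                                 "192.0.2.10", "admin", status="0xC000006A"))
    events.append(make_event("2026-06-01T12:00:14", 4624, "192.0.2.10", "admin"))
    # A few stray failures from another host: below threshold, should not alert.
    for sec in (1, 3, 5):
        events.append(make_event(f"2026-06-01T12:00:{sec:02d}", 4625,
                                 "192.0.2.77", "svc_backup", status="0xC000006A"))
    # Legitimate network logon with no preceding failures: no alert.
    events.append(make_event("2026-06-01T12:00:07", 4624, "192.0.2.50", "alice"))
    # Console logon: Windows records IpAddress '-' here, so it is skipped.
    events.append(make_event("2026-06-01T11:59:00", 4624, "-", "alice", logon_type="2"))
    return events


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for failure bursts and for a 4624 that follows such a burst."""
    failures = defaultdict(deque)   # (ip, user) -> timestamps of 4625 inside window
    burst_flagged = set()           # pairs already reported, to avoid repeat alerts
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        event_id = ev["data"]["win"]["system"]["eventID"]
        ed = ev["data"]["win"]["eventdata"]
        ip, user = ed.get("ipAddress", "-"), ed.get("targetUserName", "")
        if ip in ("-", "127.0.0.1", "::1"):
            continue                # local/console logons carry no source address
        key = (ip, user)
        when = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S")
        recent = failures[key]
        while recent and when - recent[0] > window:
            recent.popleft()        # expire failures that fell out of the window
        if event_id == "4625":
            recent.append(when)
            if len(recent) >= threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append({"rule": "brute_force_attempts", "source_ip": ip,
                               "account": user, "failures": len(recent),
                               "at": ev["timestamp"]})
        elif event_id == "4624":
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "source_ip": ip,
                               "account": user, "failures_before_success": len(recent),
                               "seconds_since_first_failure": (when - recent[0]).total_seconds(),
                               "at": ev["timestamp"]})
            recent.clear()          # a success ends the guessing run for this pair
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Run against the constructed sample, this yields two alerts for 192.0.2.10 / admin: the burst alert at the fifth failure and the success alert at the 4624 fourteen seconds after the first failure, while the three failures from 192.0.2.77 and alice's clean logon produce nothing. Keying on the IpAddress and TargetUserName pair is what separates a real brute force from unrelated noise; counting 4625s host-wide would fire on ordinary typos across many users.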

Key Findings

Multiple failed login attempts (Event ID 4625) from one source against one account within a short timeframe
Successful login (Event ID 4624) for the same source and account following the repeated failures
Behavior consistent with password guessing (brute force)
No evidence of legitimate authentication activity from that source during the timeframe
Repeated failures never locked the account, demonstrating the absence of account lockout enforcement

Attack Timeline (Simplified)

Repeated unauthorized login attempts initiated against the SSH service
Continuous authentication failures (4625) recorded for the targeted account
Persistent credential-guessing behavior observed from the same source
Successful authentication (4624) achieved after multiple attempts
Session established following login success

MITRE ATT&CK Mapping

T1110 – Brute Force
T1078 – Valid Accounts (post-authentication access scenario)

Outcome

This controlled investigation demonstrated how brute force authentication attempts can be identified through SIEM log analysis and event correlation. The absence of an account lockout policy allowed unlimited login attempts, eventually resulting in successful authentication. On Windows this is controlled by the Account Lockout Policy (lockout threshold, duration and reset counter) under Local Security Policy or Group Policy; an OpenSSH password logon goes through the normal Windows logon path, so a configured threshold would have stopped the guessing run after a handful of failures.

Key Takeaway

This case study demonstrates my ability to simulate attack scenarios, analyze authentication logs, correlate security events, and reconstruct attacker behavior using SIEM tools like Wazuh.
Posted Jun 1, 2026

Simulated and analyzed a brute force attack using Wazuh SIEM on a Windows system.