GIAC Certified Incident Handler (GCIH) — Question 60

A spike in Event ID 4625 is found in Windows event logs. Looking at individual accounts across the domain, no more than 5 failed logins are found for any single account. What is a likely explanation for this?

Answer options

• A. The organization's passwords have been exposed online
• B. There was a password spraying attack on the organization
• C. There was a pass-the-hash attack on the organization
• D. The organization experienced an attempted Kerberoasting attack

Correct answer: B

Explanation

The correct answer is B because a password spraying attack involves trying a few common passwords across many accounts, which aligns with the observed pattern of failed logins being low per account. Options A, C, and D do not fit this scenario as they imply different attack methods that would typically result in different patterns of failed logins.