The 2026 threat landscape has undergone a paradigm shift. According to the latest research by Sophos, the primary entry point for encryption-based cyber incidents—specifically ransomware—is no longer software vulnerabilities. For the first time, compromised logins resulting from social engineering, brute force attacks, and other identity-based threats have surpassed exploits as the dominant initial access vector.
For security practitioners, this confirms what many have suspected in the field: the perimeter has effectively moved to the identity. While patching remains critical, the sophistication of credential harvesting and the sheer volume of password spraying attacks mean that valid credentials are the easiest keys to the kingdom. If an attacker possesses a valid set of credentials, traditional network perimeter defenses like firewalls and EDRs become significantly less effective.
This post outlines the technical mechanics of this shift and provides actionable detection and remediation strategies to lock down identity-based attack paths.
Technical Analysis
While the specific tactics vary, the attack chain typically follows a consistent pattern focused on identity compromise rather than binary exploitation.
Attack Vector Breakdown:
- Credential Harvesting & Brute Force: Attackers leverage automated tooling to conduct brute force attacks against exposed services (RDP, VPN, SSH, Webmail). Unlike the sophisticated exploits of years past, these attacks rely on weak passwords, password reuse, and lack of multi-factor authentication (MFA).
- Social Engineering: Phishing campaigns evolve daily, focusing not just on malware delivery but on credential theft via landing pages mimicking O365 or VPN portals.
- Valid Authentication: Once valid credentials are obtained, the attacker logs in. This generates "clean" audit logs that often bypass basic anomaly detection tuned for known exploit signatures.
- Lateral Movement & Encryption: Using valid credentials, attackers utilize built-in administrative tools (e.g., PsExec, WMI, PowerShell) to move laterally through the network, escalate privileges, and deploy the encryption payload.
Affected Platforms & Products:
- Identity Providers: Active Directory Domain Services (AD DS), Entra ID (Azure AD).
- Remote Access: Remote Desktop Protocol (RDP), VPN appliances (Cisco, Fortinet, Palo Alto), Citrix.
- Collaboration Suites: Microsoft 365, Google Workspace.
Exploitation Status: This is not a theoretical vulnerability; it is an active campaign methodology. While there is no single CVE to patch for this trend, the "vulnerability" lies in the configuration of identity security controls. Active exploitation via brute force and credential stuffing is currently the most prevalent tactic observed in IR engagements globally.
Detection & Response
Detecting identity-based attacks requires focusing on authentication anomalies rather than just malware signatures. The following rules and queries are designed to identify brute force patterns, impossible travel scenarios, and the suspicious use of administrative tools often seen immediately after initial access.
SIGMA Rules
---
title: Potential Brute Force Activity - Multiple Failed Logons
id: 9a5c2f8e-1d3a-4b7c-9f0e-123456789abc
status: experimental
description: Detects potential brute force attempts by identifying a high volume of failed logon events from a single source address within a short time window.
references:
- https://attack.mitre.org/techniques/T1110/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1110.001
- attack.t1110.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4625
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
timeframe: 5m
falsepositives:
- Misconfigured services
- Legacy applications
level: high
---
title: Successful Logon After Multiple Failures
id: b4d1e3a2-5c6f-4e8d-9b1a-9876543210fed
status: experimental
description: Detects a successful logon event immediately following multiple failed attempts, indicating a potential brute force success.
references:
- https://attack.mitre.org/techniques/T1110/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1110.001
logsource:
product: windows
service: security
detection:
selection_fail:
EventID: 4625
selection_success:
EventID: 4624
filter:
TargetUserName|endswith: '$'
condition: selection_fail and selection_success and not filter
timeframe: 15m
correlation:
type: value_count
rules:
- selection_fail
group-by:
- IpAddress
- TargetUserName
condition:
gte: 5
falsepositives:
- User mistyping password
level: critical
---
title: Suspicious PowerShell Execution from Network Logon
id: c5e2f4a1-6b7d-5e9f-0c2b-109876543210
status: experimental
description: Detects PowerShell execution immediately following a network logon (Type 3 or 10), often indicative of lateral movement or hands-on-keyboard activity after remote access.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
logsource:
product: windows
category: process_creation
detection:
selection_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_logon:
EventID: 4624
LogonType:
- 3
- 10
condition: selection_pwsh | near selection_logon
timeframe: 1m
falsepositives:
- Legitimate administrative scripts
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for Brute Force Patterns followed by Success
// Focus on identifying IP addresses that fail multiple times then succeed
let FailedLogins = SigninLogs
| where ResultType == "50126" or ResultType == "50053" // Invalid password or Account locked
| summarize FailedCount=count(), MakeSet(AppDisplayName) by IPAddress, UserPrincipalName
| where FailedCount >= 5;
let SuccessLogins = SigninLogs
| where ResultType == "0"
| extend SuccessTime = datetime_add('second', 300, CreatedDateTime) // Look 5 mins ahead
| project IPAddress, UserPrincipalName, SuccessTime, AppDisplayName, DeviceDetail, Location;
FailedLogins
| join kind=inner SuccessLogins on IPAddress, UserPrincipalName
| project-reorder IPAddress, UserPrincipalName, FailedCount, SuccessTime, AppDisplayName, Location
// Hunt for Suspicious Remote Desktop (RDP) Activity
// Detects internal hosts initiating outbound RDP connections (potential lateral movement)
DeviceNetworkEvents
| where ActionType == "ConnectionAccepted" or ActionType == "ConnectionInitiated"
| where RemotePort == 3389
| summarize count() by DeviceName, RemoteIP, InitiatingProcessAccountName
| where count_ > 10
Velociraptor VQL
-- Hunt for multiple RDP login failures from a single source IP
-- This targets the Security Event Log on Windows endpoints
SELECT
System.TimeCreated as EventTime,
EventData.IpAddress as SourceIP,
EventData.TargetUserName as Account,
count() as FailedCount
FROM parse_xml(filename=file/*, glob='C:\Windows\System32\winevt\Logs\Security.evtx')
WHERE System.EventID.Value = 4625
GROUP BY EventData.IpAddress, EventData.TargetUserName
HAVING FailedCount > 10
Remediation Script (PowerShell)
This script aids in hardening Windows Server environments against brute force attacks by configuring Account Lockout policies and auditing RDP access.
# Harden Identity Access: Configure Account Lockout and RDP Auditing
# Requires Administrative Privileges
Write-Host "[+] Starting Identity Hardening Procedures..." -ForegroundColor Cyan
# 1. Configure Account Lockout Policy (5 attempts, 15 min duration)
# Note: This modifies the Default Domain Policy or Local Policy depending on context
Write-Host "[*] Configuring Account Lockout Policy..." -ForegroundColor Yellow
net accounts /lockoutthreshold:5 /lockoutwindow:15 /lockoutduration:15
if ($?) {
Write-Host "[SUCCESS] Account Lockout Policy updated." -ForegroundColor Green
} else {
Write-Host "[ERROR] Failed to update Account Lockout Policy." -ForegroundColor Red
}
# 2. Enable Advanced Auditing for Logon Events
Write-Host "[*] Enabling Advanced Auditing for Logon Events..." -ForegroundColor Yellow
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
if ($?) {
Write-Host "[SUCCESS] Auditing policies enabled." -ForegroundColor Green
} else {
Write-Host "[ERROR] Failed to enable auditing." -ForegroundColor Red
}
# 3. Check RDP Status (Recommend disabling if not required)
$RDPStatus = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
Write-Host "[*] RDP NLA Status: $RDPStatus (1 = Enabled/Required)" -ForegroundColor Yellow
Write-Host "[+] Hardening Script Complete. Please enforce MFA for all remote access immediately." -ForegroundColor Cyan
Remediation
Given that identity is the new perimeter, remediation efforts must focus on strengthening authentication controls and reducing the value of stolen credentials.
1. Enforce Phishing-Resistant MFA Passwords alone are insufficient. Deploy Multi-Factor Authentication (MFA) universally—especially for VPNs, Remote Desktop Gateway, and cloud admin consoles. Where possible, move beyond SMS/App-based TOTP to FIDO2/WebAuthn (hardware keys) which are resistant to social engineering and MFA fatigue attacks.
2. Implement Conditional Access Policies For cloud identities (Entra ID), enforce Conditional Access that blocks or requires additional verification for:
- Logins from anonymous IP addresses or高风险 geolocations.
- Impossible travel scenarios (login from New York and London within 5 minutes).
- Legacy authentication protocols (which do not support MFA).
3. Account Lockout and Rate Limiting Ensure Active Directory and VPN appliances enforce strict account lockout policies (e.g., 5 attempts triggers a 15-minute lockout) to slow down brute force spraying.
4. Least Privilege Access (Just-In-Time) Remove permanent local administrator rights from standard user workstations. Utilize Privileged Access Workstations (PAWs) for admin tasks and implement Just-In-Time (JIT) access via PAM solutions so that credentials are only valid when explicitly needed.
5. Continuous Threat Exposure Management Regularly audit your environment for exposed remote access services. If RDP or SSH is open to the internet, move it behind a VPN or Zero Trust Network Access (ZTNA) solution immediately.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.