This note documents detection patterns related to Password Spraying within Active Directory environments.

Direct Indicators

Log Source	Event ID / Error Code	Meaning	Forensic Value	Notes
Security	4625	Failed logon	Critical	Core spray indicator. Large volume across many users, same source, short interval. Check Status, SubStatus, IpAddress, LogonType.
Security	4771	Kerberos pre-authentication failed	Critical	Strong Kerberos spray signal. Common when attacker targets many users via Kerberos. Review FailureCode, ClientAddress, TargetUserName.
Security	4771 / FailureCode 0x18	Kerberos bad password	Critical	Classic wrong-password spray pattern against valid accounts.
Security	4768 / ErrorCode 0x6	Kerberos invalid user	High	Username enumeration or spray against non-existent accounts.
Security	4768 / ErrorCode 0x12	Kerberos disabled user	High	Indicates attacker hit disabled accounts — useful for scope reconstruction.
Security	4776 / ErrorCode 0xC0000064	NTLM invalid user	High	NTLM username enumeration against DC.
Security	4776 / ErrorCode 0xC000006A	NTLM wrong password	Critical	Very strong NTLM password spray indicator. Many users, one source, same interval.
Security	4776	NTLM authentication failed	High	Parent NTLM failure event. Must inspect Status field for exact failure meaning.
Security	4624	Successful logon	Critical	Indicates spray success. Correlate with prior failures from same source.
Security	4648	Explicit credentials used	High	Tools often use explicit creds after successful spray or during staged auth attempts.
Sysmon	3	Network connection	Medium-High	Spray source contacting many hosts / DC repeatedly. Ports often 88, 389, 445, 135.
Sysmon	1	Process creation	High	Detect tools like `kerbrute`, `crackmapexec`, `Rubeus`, `Spray-AD`, `Invoke-DomainPasswordSpray`.
Sysmon	7	Image loaded	Medium	Useful if tooling loads auth libraries (`secur32.dll`, `kerberos.dll`).
PowerShell	4104	Script block logging	Very High	Reveals spray scripts directly (`Invoke-DomainPasswordSpray`, custom loops).

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Authentication attempts across many accounts	Same source host attempting login to many users	Critical	Classic password spray behavior.
Low number of attempts per account	Avoiding lockout thresholds	High	Technique designed to evade account lockout policies.
Spray attempts from single IP	Single host authenticating to many accounts	High	Often attacker workstation or compromised host.
Authentication attempts across multiple systems	Login attempts across DCs or services	Medium	Distributed authentication activity.
Execution of password spraying tools	Processes like CrackMapExec or Spray scripts	Critical	Direct evidence of attack activity.

Common Tools

Tool	Usage
CrackMapExec	Automates password spraying across domain accounts.
Kerbrute	Performs Kerberos password spraying.
Spray scripts	Custom scripts used to test credentials.
Impacket	Used to attempt authentication with guessed passwords.
Nmap smb-brute	Performs SMB password spray attacks.

Relevant Artifacts

Domain controller Security logs (4625, 4771, 4776)
Authentication logs across domain controllers
Network traffic logs for authentication attempts
Sysmon logs (1, 3)
EDR telemetry identifying spraying tools
Prefetch artifacts for CrackMapExec or Kerbrute
Account lockout logs
SIEM correlation alerts

MITRE ATT&CK References

T1110 Brute Force
T1110.003 Password Spraying
T1078 Valid Accounts

Decision Tree

Is the suspicious event present?
- Identify high volume failed authentication events (4625 / 4771).
What host generated the event?
- Determine source IP or workstation performing attempts.
Are multiple accounts targeted?
- Check whether many users receive authentication attempts.
Pivot:
- Source host → inspect execution of Kerbrute or CrackMapExec.
- Accounts targeted → determine if any successful logons occurred.
- Network → analyze authentication attempts across services.
Confirm exploitation
- Determine whether attacker successfully authenticated with sprayed credentials.

Example Detection Templates

KQL

SecurityEvent
| where EventID in (4625,4771)
| summarize count() by IpAddress, TargetUserName, bin(TimeGenerated,5m)

SecurityEvent
| where EventID == 4624
| summarize count() by TargetUserName, IpAddress

EQL

any where event.code in ("4625","4771")

Sigma

title: Password Spraying Detection
id: password-spraying-detection
status: experimental
description: Detects password spraying attempts across multiple accounts
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4625
      - 4771
  condition: selection
fields:
  - TargetUserName
  - IpAddress
falsepositives:
  - Misconfigured applications generating authentication failures
level: high
tags:
  - attack.credential_access
  - attack.t1110.003

Splunk

index=main source="WinEventLog:Security" (EventCode=4771 OR EventCode=4776 OR EventCode=4625)  
| eval User=coalesce(TargetUserName, Account_Name, user)  
| eval Src=coalesce(Source_Network_Address, src, IpAddress)  
| stats count dc(User) as UniqueUsers values(Status) as Status values(FailureCode) as FailureCode by Src  
| where UniqueUsers > 5 AND count > 5  
| sort - count

index=main source="WinEventLog:Security" EventCode=4625 
| bin span=15m _time 
| stats values(user) as Users, dc(user) as dc_user by src, Source_Network_Address, dest, EventCode, Failure_Reason

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Account lockout policies	Configure lockout thresholds and monitoring	High	Limits effectiveness of spraying attacks.
Multi-factor authentication	Require MFA for sensitive accounts	Critical	Prevents credential-only compromise.
Monitoring	Alert on authentication attempts across many accounts	High	Primary detection method.
Threat hunting	Review failed authentication patterns	Medium	Detects stealthy spraying attempts.
Password hygiene	Enforce strong password policies	Medium	Reduces likelihood of successful spray.