# Detecting Password Spraying Attacks: Threat Research Release May 2021

**[splunk.com/en_us/blog/security/detecting-password-spraying-attacks-threat-research-release-may-2021.html](https://www.splunk.com/en_us/blog/security/detecting-password-spraying-attacks-threat-research-release-may-2021.html)**

June 10, 2021

SECURITY

By [Splunk Threat Research Team June 10,](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)

2021


-----

[The Splunk Threat Research team recently developed a new analytic story to help security](https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying)
operations center (SOC) analysts detect adversaries executing password spraying attacks
against Active Directory environments. In this blog, we’ll walk you through this analytic story,
[demonstrate how we can simulate these attacks using PurpleSharp, collect and analyze the](https://github.com/mvelazc0/PurpleSharp)
Windows event logs, and highlight a few detections from the May 2021 releases.

Watch the video below to learn more about how we can simulate and detect password
[spraying attacks using PurpleSharp in a lab environment built with the Splunk Attack](https://github.com/mvelazc0/PurpleSharp)
Range.

[Password spraying (T1110.003) is a technique by which adversaries leverage a single](https://attack.mitre.org/techniques/T1110/003/)
password or a small list of commonly used passwords against a large group of usernames
to acquire valid account credentials. Unlike a brute force attack that targets a specific user
or small group of users with a large number of passwords, password spraying follows the
opposite approach and increases the chances of obtaining valid credentials while avoiding
account lockouts. This allows adversaries to remain undetected if the target organization
does not have the proper monitoring and detection controls in place. Penetration testers,
cybercriminals as well as nation-state actors have been known to leverage this effective
technique.

Password spraying can be leveraged by adversaries across different stages in a breach. It
can be used to obtain initial access to an environment but can also be used to escalate
privileges when access has been already achieved. In many scenarios, this technique
ironically capitalizes on a common security control deployed by organizations: password
rotation. As enterprise users change their passwords when they expire, some of them may
pick predictable, seasonal passwords such as “Summer2021”.


-----

Specifically, this Analytic Story is focused on detecting potential password spraying attacks
against Active Directory environments in two scenarios where an attacker has obtained
access to the target network:

An adversary has obtained physical access to the network with a rogue device and
can perform spraying attacks against internal hosts.
An adversary is controlling a domain endpoint previously compromised and is
leveraging it to perform spraying attacks.

In properly monitored Active Directory environments, there are several detection
opportunities to identify password spraying attacks. This analytic story presents eight
different detection analytics that leverage Windows event logs which can aid defenders in
identifying instances where a single user, source host, or source process attempts to
authenticate against a target or targets using a high and unusual number of unique users. A
user, host, or process attempting to authenticate with multiple users is not common
behavior for legitimate systems, and should be monitored by security teams. Possible false
positive scenarios include but are not limited to vulnerability scanners, remote
administration tools, multi-user systems and misconfigured systems.


**Name** **Technique**
**ID**


**Tactic** **Description**


Multiple users
failing to
authenticate
from host
using
kerberos

Multiple users
failing to
[authenticate](https://github.com/splunk/security_content/blob/develop/detections/endpoint/multiple_users_failing_to_authenticate_from_host_using_ntlm.yml)
from host
using NTLM

Multiple
disabled users
failing to
[authenticate](https://github.com/splunk/security_content/blob/develop/detections/endpoint/multiple_disabled_users_failing_to_authenticate_from_host_using_kerberos.yml)
from host
using
Kerberos


T1110.003 Credential
Access

T1110.003 Credential
Access

T1110.003 Credential
Access


Identifies one source endpoint failing to
authenticate with multiple valid users using the
Kerberos protocol. This detection will only
trigger on domain controllers, not on member
servers or workstations.

Identifies one source endpoint failing to
authenticate with multiple valid users using the
NTLM protocol. This detection will only trigger
on domain controllers, not on member servers
or workstations.

Identifies one source endpoint failing to
authenticate with multiple disabled domain
users using the Kerberos protocol. This
detection will only trigger on domain
controllers, not on member servers or
workstations.


-----

Multiple
invalid users
failing to
[authenticate](https://github.com/splunk/security_content/blob/develop/detections/endpoint/multiple_invalid_users_failing_to_authenticate_from_host_using_kerberos.yml)
From host
using
Kerberos

Multiple
invalid users
failing to
authenticate
from host
using NTLM

Multiple users
attempting to
[authenticate](https://github.com/splunk/security_content/blob/develop/detections/endpoint/multiple_users_attempting_to_authenticate_using_explicit_credentials.yml)
using explicit
credentials

Multiple users
failing to
authenticate
from process

Multiple users
remotely
[failing to](https://github.com/splunk/security_content/blob/develop/detections/endpoint/multiple_users_remotely_failing_to_authenticate_from_host.yml)
authenticate
from host


T1110.003 Credential
Access

T1110.003 Credential
Access

T1110.003 Credential
Access

T1110.003 Credential
Access

T1110.003 Credential
Access


Identifies one source endpoint failing to
authenticate with multiple invalid domain users
using the Kerberos protocol. This detection
will only trigger on domain controllers, not on
member servers or workstations.

Identifies one source endpoint failing to
authenticate with multiple invalid users using
the NTLM protocol. This detection will only
trigger on domain controllers, not on member
servers or workstations.

Identifies a source user failing to authenticate
with multiple users using explicit credentials
on a host. This detection will trigger on the
potentially malicious host, perhaps controlled
via a trojan or operated by an insider threat,
from where a password spraying attack is
being executed.

Identifies a source process name failing to
authenticate with multiple users. This
detection will trigger on the potentially
malicious host, perhaps controlled via a trojan
or operated by an insider threat, from where a
password spraying attack is being executed.

Identifies a source host failing to authenticate
against a remote host with multiple users. This
detection will trigger on the host that is the
target of the password spraying attack. This
could be a domain controller as well as a
member server or workstation.


## Why Should You Care?

[Password spraying is leveraged by all sorts of offensive actors including penetration testing](https://twitter.com/strandjs/status/1363942354374127620)
[consultants,](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying) [cyber crime](https://us-cert.cisa.gov/ncas/alerts/TA18-086A) [actors as well as cyber](https://www.cyber.gov.au/acsc/view-all-content/advisories/2019-130-password-spray-attacks-detection-and-mitigation-strategies) [espionage](https://us-cert.cisa.gov/ncas/alerts/TA18-086A) [actors. It’s an effective](https://us-cert.cisa.gov/ncas/alerts/AA20126A)
technique available to adversaries to obtain valid account credentials. Unlike other


-----

password-based attacks like brute forcing, spraying accounts allows adversaries to remain
undetected by avoiding account lockouts.

[According to the Verizon’s 2020 Data Breach Investigations Report, more than 80 percent](https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf)
of breaches within the “Hacking” category “involve brute force or the use of lost or stolen
credentials.”

Cyber defenders need to design and deploy effective monitoring capabilities that allow them
to detect and respond to password spraying attacks against Active Directory as well as
other authentication services.

## Learn More

[You can find the latest content about security analytic stories on GitHub and in Splunkbase.](https://github.com/splunk/security-content/releases/tag/v3.12.0)
[Splunk Security Essentials also has all these detections now available via push update. In](https://splunkbase.splunk.com/app/3435/)
the upcoming weeks, the Splunk Threat Research team will be releasing a more detailed
blog post on this analytic story. Stay tuned!

For a full list of security content, check out the [release notes on](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) [Splunk Docs.](https://docs.splunk.com/Documentation/ESSOC)

## Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up.
Alternatively, join us on the [Slack channel #security-research. Follow these instructions If](https://splunk-usergroups.slack.com/)
you need an invitation to our Splunk user groups on Slack.

## Contributors

[We would like to thank Mauricio Velazco for his contributions to this post and open source](https://twitter.com/mvelazco)
security tools.


-----

Posted by

**[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)**

The Splunk Threat Research Team is an active part of a customer’s overall defense
strategy by enhancing Splunk security offerings with verified research and security content
such as use cases, detection searches, and playbooks. We help security teams around the
globe strengthen operations by providing tactical guidance and insights to detect,
investigate and respond against the latest threats. The Splunk Threat Research Team
focuses on understanding how threats, actors, and vulnerabilities work, and the team
[replicates attacks which are stored as datasets in the Attack Data repository.](https://github.com/splunk/attack_data/)

Our goal is to provide security teams with research they can leverage in their day to day
operations and to become the industry standard for SIEM detections. We are a team of
industry-recognized experts who are encouraged to improve the security industry by
sharing our work with the community via conference talks, open-sourcing projects, and
writing white papers or blogs. You will also find us presenting our research at conferences
such as Defcon, Blackhat, RSA, and many more.

[Read more Splunk Security Content.](https://github.com/splunk/security_content)

**Join the Discussion**


-----