{
	"id": "57a3bf56-71b1-40b2-a7cb-4d9f1b6ccc2f",
	"created_at": "2026-04-06T00:20:10.523431Z",
	"updated_at": "2026-04-10T03:21:02.33589Z",
	"deleted_at": null,
	"sha1_hash": "1bef1fd21b8d5f0a6dd3200c7f2af516428fe803",
	"title": "Trimarc Research: Detecting Password Spraying with Security Event Auditing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 595117,
	"plain_text": "Trimarc Research: Detecting Password Spraying with Security Event Auditing\r\nBy Sean Metcalf\r\nPublished: 2017-02-10 · Archived: 2026-04-05 21:34:18 UTC\r\nA common method attackers leverage, as well as many penetration testers and Red Teamers, is called \"password spraying\". Password spraying is interesting because it’s automated password guessing. This automated password guessing against all users typically avoids account lockout, since the logon attempts with a specific password are performed against every user and not one specific user, which is what account lockout was designed to defeat. The attacker starts with a list of passwords they're going to try, which starts with the most likely passwords (\"Fall2017\", \"Winter2018\", etc).\r\nWhen password spraying begins, we start with the first password in the list. That first password is used in an attempt to authenticate as every user in Active Directory. This one password is attempted against each AD user and once all users have been tested with that password, we move on to the next one.\r\nSince the Active Directory user lockout threshold is 5, we can try 4 different passwords for every user. Then we wait for \u003e30 minutes (the lockoutobservationwindow, during which the DCs keep the lockout count; after it expires the count resets to 0), and try again. It's trivial to gather the information about the AD environment's password policy and have the password spraying tool automatically adjust to it.\r\nGraphic shows the Domain Password Policy for the lab domain environment using the AD PowerShell cmdlet Get-ADDefaultDomainPasswordPolicy.\r\nThis works most of the time because users have bad passwords (especially if the password policy includes a password minimum of \u003c10 characters). Often password spraying connects to an SMB share or a network service, so let’s start with connections to the PDC's netlogon share (\\\\PDC\\NETLOGON), which is common on many networks. After password spraying has run for a while, we have discovered many user passwords, which may also include privileged accounts.\r\nhttps://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing\r\nPage 1 of 5\r\nGraphic shows Password Spraying with a quick PowerShell script I wrote.\r\nPassword spraying against SMB on a Domain Controller results in event ID 4625 \"logon failure\" being logged on the DC, and most organizations are logging that, so when this happens it should be detected.\r\nGraphic shows event ID 4625 logged on the Domain Controller while password spraying.\r\nHowever, many organizations haven't created correlation rules that state that if x number of 4625 events occur within y time frame, password spraying is happening.\r\nGraphic shows numerous 4625 event IDs logged in the lab domain environment while password spraying.\r\nThere is another way to discover password spraying in Active Directory. Every user account has an associated attribute named \"Bad-Password-Time\", which is shown as \"lastbadpasswordattempt\" when using the Active Directory PowerShell cmdlet Get-ADUser. This attribute displays the date and time of the last bad password attempted for the account. Running the following PowerShell cmdlet shows the users in the AD domain with the attributes relating to bad password attempts.\r\nget-aduser -filter * -prop lastbadpasswordattempt,badpwdcount | select name,lastbadpasswordattempt,ba\r\nGraphic shows AD user accounts with the lastbadpasswordattempt \u0026 badpwdcount attributes in the lab domain environment after password spraying.\r\nLooking at the results of the PowerShell command shown above, all of the bad password attempts are within the same minute and most are within seconds of each other. That’s unusual.\r\nThe attacker can avoid event ID 4625 being logged by changing the service they connect to, so instead of connecting to SMB, we connect to the LDAP service on a Domain Controller. What happens? No more 4625 events are logged.\r\nGraphic shows the lack of event ID 4625 when password spraying against LDAP.\r\nA lot of organizations are monitoring for 4625 events, but if we connect to the LDAP service for password spraying, no 4625 events are logged. Kerberos logging needs to be enabled to log event ID 4771 and monitor for \"Kerberos preauthentication failed\". In event ID 4771 there's a failure code set to \"0x18\", which means bad password.\r\nGraphic shows event ID 4771, which is logged when Kerberos logging is enabled on the Domain Controllers, when password spraying against LDAP.\r\nWhen password spraying is run from a domain-joined computer, event ID 4648 (\"a logon was attempted using explicit credentials\") is logged on that system. There are numerous 4648 events showing that Joe User logged on and attempted to use the credentials for \"Alexis Phillips\" or \"Christopher Kelley\" or whomever, and these are logged within seconds of each other. This type of activity is unusual.\r\nThe following four graphics show event ID 4648 logged on the workstation where password spraying was performed. Audit logging must be enabled for this event ID to be logged.\r\nConfiguring Password Spraying Detection:\r\nPassword spraying happens in many AD environments and can be detected with the appropriate logging enabled and effective correlation. The primary methods for detection include:\r\nEnable appropriate logging:\r\nDomain Controllers: \"Audit Logon\" (Success \u0026 Failure) for event ID 4625.\r\nDomain Controllers: \"Audit Kerberos Authentication Service\" (Success \u0026 Failure) for event ID 4771.\r\nAll systems: \"Audit Logon\" (Success \u0026 Failure) for event ID 4648.\r\nConfigure alerts for \u003e50 4625 events within 1 minute.\r\nConfigure alerts for \u003e50 4771 events with failure code=0x18 within 1 minute.\r\nConfigure alerts for \u003e100 4648 events on workstations within 1 minute.\r\nWrite a PowerShell script that runs every day and reports on potential password spraying. The following command provides the required information.\r\nget-aduser -filter * -prop lastbadpasswordattempt,badpwdcount | select name,lastbadpasswordattempt,ba\r\nEach of these alerting rules needs to be tuned for your environment by increasing the event-count threshold and/or shortening the time window.\r\nTrimarc provides leading expertise in security solutions including security reviews, strategy, architecture, and implementation. Our methodology leverages our internal research and custom tooling, which better discovers multiple security issues attackers could exploit to compromise the environment. Trimarc security services fit between traditional compliance/audit reviews and standard penetration testing/red teaming engagements, providing deep understanding of Microsoft technologies, typical security issues and misconfigurations, and recommendations based on our own best practices custom-tailored to balance operational and security challenges.\r\nSource: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing"
	],
	"report_names": [
		"Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bef1fd21b8d5f0a6dd3200c7f2af516428fe803.pdf",
		"text": "https://archive.orkl.eu/1bef1fd21b8d5f0a6dd3200c7f2af516428fe803.txt",
		"img": "https://archive.orkl.eu/1bef1fd21b8d5f0a6dd3200c7f2af516428fe803.jpg"
	}
}