Password Spraying Detection In Active Directory
Query
// Password Spraying Detection in Active Directory
// https://www.semperis.com/blog/password-spraying-detection-in-active-directory/
// Event ID 4625
// Mitre ATT&CK T1110
Anomalies
| where TimeGenerated > ago(1d)
| where RuleName == "Attempted user account bruteforce per logon type"
or RuleName == "Attempted user account bruteforce"
| where Score > 0.5Explanation
This query is designed to detect password spraying attacks in Active Directory by looking for specific anomalies in security events. Here's a simple breakdown:
- Time Frame: It looks at events generated in the last day (
TimeGenerated > ago(1d)). - Event Type: It filters for events where the rule name indicates an attempted brute force attack on user accounts (
RuleName == "Attempted user account bruteforce per logon type"orRuleName == "Attempted user account bruteforce"). - Severity: It only considers events with a score greater than 0.5 (
Score > 0.5).
In summary, this query identifies significant brute force attack attempts on user accounts within the past day.
