How to detect and respond to a Password Spraying attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a potential Password Spraying attack, understand the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • The necessary audit policies to generate logon failure events must be enabled on all Domain Controllers. This includes policies for Audit Kerberos Authentication Service (for Event IDs 4768, 4771) and Audit Credential Validation (for Event IDs 4625, 4776).

Steps to follow  

The process for handling a Password Spraying attack involves detection, immediate remediation, and prevention.

Part 1: Detecting the attack  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > Password spray.

  2. This report shows all detections of a high volume of logon failures across multiple user accounts originating from a single machine.

Part 2: Understanding the detection criteria  

ADAudit Plus detects a potential password spraying attack based on the following pattern:

  • Description: An attacker makes multiple login attempts against many different user accounts from the same machine in a short period, using a small number of common passwords. This method is designed to avoid locking out individual accounts.

  • Detection Logic:

    • Any of the following four events is detected 10 times within 5 minutes from the same machine against different existing AD users.

    • Event 1:

      • Event code equals 4771 (Kerberos pre-authentication failed).

      • Failure code equals 0x18 (Bad password).

      • Account name does not end with $.

    • Event 2:

      • Event code equals 4625 (An account failed to log on).

      • Sub Status equals 0xC000006A (Wrong password).

      • Account name does not end with $.

    • Event 3:

      • Event code equals 4768 (A Kerberos authentication ticket (TGT) was requested).

      • Result code equals 0x18 (Bad password).

      • Account name does not end with $.

    • Event 4:

      • Event code equals 4776 (The computer attempted to validate the credentials for an account).

      • Result code equals 0xC000006A (Wrong password).

      • Logon Account does not end with $.

Part 3: Immediate remediation  

If this activity is detected, act immediately to stop the attack.

  1. Block the Source IP Address: The event logs and the ADAudit Plus report will show the source machine/IP address. Immediately block this IP address at your network firewall to stop the attack.

  2. Investigate the Source: If the source IP address is internal, it indicates a compromised machine on your network. Isolate the machine and perform a forensic analysis.

  3. Review for Successful Logons: The detection is for failed logons. It is critical to immediately review logon reports for any successful logons from the same source IP around the same time. If a success is found, that account is compromised.

  4. Remediate Compromised Accounts: If any successful logon was found as part of the spray, immediately disable the compromised account and force a secure password reset.
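The detection criteria from Part 2 and the successful-logon check from Part 3, as an added Python example (not ADAudit Plus code): it runs the four bad-password patterns and the 10-failures-in-5-minutes threshold per source machine over constructed sample events, then lists accounts that logged on successfully from the same source. The event record layout, the use of Event ID 4624 for successful logons and the `min_users=2` floor are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW, THRESHOLD = timedelta(minutes=5), 10
# Value meaning "wrong password" in the failure/sub-status/result field of each event ID
BAD_PASSWORD = {4771: "0x18", 4625: "0xC000006A", 4768: "0x18", 4776: "0xC000006A"}

def is_spray_failure(ev, known_users):
    """True if the event matches one of the four bad-password patterns in Part 2."""
    code = BAD_PASSWORD.get(ev["event_id"])
    if code is None or ev["code"].upper() != code.upper():
        return False
    if ev["account"].endswith("$"):       # computer accounts are excluded
        return False
    return ev["account"] in known_users    # only existing AD users count

def detect_spray(events, known_users, threshold=THRESHOLD, window=WINDOW, min_users=2):
    """Map each offending source to (first, last, users); min_users=2 is an assumption."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_spray_failure(ev, known_users):
            by_source[ev["source"]].append(ev)
    hits = {}
    for source, evs in by_source.items():
        for i, first in enumerate(evs):    # sliding window anchored on each failure
            run = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            users = {e["account"] for e in run}
            if len(run) >= threshold and len(users) >= min_users:
                hits[source] = (first["time"], run[-1]["time"], sorted(users))
                break
    return hits

def successes_from_source(events, source, start, end, slack=WINDOW):
    """Part 3: accounts with a successful logon (4624, assumed) from the source in or just after the window."""
    return sorted({e["account"] for e in events if e["event_id"] == 4624
                   and e["source"] == source and start <= e["time"] <= end + slack})

def _ev(minute, event_id, code, account, source):
    return {"time": datetime(2024, 1, 1, 9, minute), "event_id": event_id,
            "code": code, "account": account, "source": source}

KNOWN_USERS = {f"user{i:02d}" for i in range(1, 21)}
# Constructed sample events, not real logs: WS-ATTACK01 sprays 12 users in three minutes and
# later logs on as user07; a computer account and an unknown user are ignored; WS-HR07 is not a spray.
SAMPLE_EVENTS = (
    [_ev(i // 4, 4771, "0x18", f"user{i + 1:02d}", "WS-ATTACK01") for i in range(12)]
    + [_ev(1, 4625, "0xC000006A", "DC01$", "WS-ATTACK01"),
       _ev(2, 4776, "0xc000006a", "ghost", "WS-ATTACK01"),
       _ev(4, 4624, "0x0", "user07", "WS-ATTACK01")]
    + [_ev(m, 4625, "0xC000006A", "user03", "WS-HR07") for m in (10, 11, 12)])
```

Feeding the same functions with events exported from the Domain Controllers' Security logs gives a quick independent cross-check of what the Password spray report shows.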

Validation and confirmation  

  • After blocking the source IP, the Password Spraying report in ADAudit Plus should show a cessation of the attack from that source.

  • Network logs should confirm that traffic from the malicious IP is being dropped.

  • Review of logon reports should confirm no further suspicious successful or failed logons from the source.

Tips  

The following best practices can help prevent and mitigate password spraying attacks.

Enforce Strong Password Policies  

  • This is the primary defense. Enforce policies that ban common and easily guessable passwords and require a high degree of complexity and length. This makes it much harder for an attacker's short list of common passwords to succeed.

Secure Internet-Facing Services with MFA  

  • Password spraying is most common against external-facing services like VPNs and OWA. Implementing Multi-Factor Authentication (MFA) on these services is the most effective control, as a correct password alone is not enough to gain access.

Use Smart Lockout or Intrusion Detection  

  • While attackers try to avoid standard account lockout policies, modern solutions like Azure AD Smart Lockout or on-premises Intrusion Prevention Systems (IPS) can detect and block password spraying patterns by tracking failed logons across multiple accounts from a single source.

Network Security  

  • Use a Web Application Firewall (WAF) to detect and block password spraying attempts against web applications.

  • Restrict access to management ports (like RDP and WinRM) from the internet.

Related topics and articles  

  • How to configure Attack Surface Analyzer in ADAudit Plus
