Skip to main content
Splunk Lantern

Detecting password spraying attacks within Active Directory environments


In a password spraying attack, attackers use one or a small list of commonly used or popular passwords against a large volume of usernames to acquire valid account credentials. This tactic can be used to obtain an initial access to an environment, and can also be used to escalate privileges when access has been already achieved.

In some scenarios, password spraying capitalizes on the password rotation security policies implemented by most organizations. As users change their passwords, it is possible that some pick predictable or seasonal passwords that match commonly used passwords on the attacker's password lists.

These searches detect possible password spraying attacks against Active Directory environments, using Windows Event Logs in the Account Logon and Logon/Logoff Advanced Audit Policy categories. The searches help identify instances where one source user, source host, or source process attempts to authenticate against a target or targets using an unusually high number of unique users, which is not common behavior for legitimate systems.

​Data required

  • Microsoft
    • Active Directory audit data
    • Windows event logs

How to use Splunk software for this use case

To deploy this use case, make sure that you have the Splunk ES Content Updates installed on your Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. If you do not have Splunk Enterprise Security, these detections will still give you an idea of what you can accomplish with SPL in the Splunk platform or with the free app, Splunk Security Essentials.

Some of the detections that can help you with this use case include:

Multiple user metrics

Unusual count metrics

Next steps

Possible false positive scenarios include vulnerability scanners, remote administration tools, multi-user systems and misconfigured systems. You should spot these when first implementing the detection and add them to an allow list or lookup table.

These additional Splunk resources might help you understand and implement this use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at if you require assistance.