title: Password Spraying via Explicit Credentials
id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
status: unsupported
description: Detects a single user failing to authenticate to multiple users using explicit credentials.
references:
    - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
author: Mauricio Velazco, Zach Mathis
date: 2021/06/01
modified: 2023/02/24
tags:
    - attack.t1110.003
    - attack.initial_access
    - attack.privilege_escalation
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4648
    filter:
        SubjectUserName|endswith: '$' # There will be much noise from computer accounts to UMFD-0, DWM-1, etc...
    timeframe: 1h
    condition: selection and not filter | count(TargetUserName) by SubjectUserName > 10
falsepositives:
    - Terminal servers
    - Jump servers
    - Other multiuser systems like Citrix server farms
    - Workstations with frequently changing users
level: medium