T1110.003 Password Spraying Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SprayAccountThreshold = 10;
let BruteForceMaxPerAccount = 5;
let LookbackWindow = 24h;
let SprayWindow = 30m;
// Azure AD / Entra ID password spray detection via SigninLogs
let AzureADSpray = SigninLogs
    | where TimeGenerated > ago(LookbackWindow)
    | where ResultType != "0"
    | where ResultType in (
        "50126",  // Invalid username or password
        "50055",  // Expired password
        "50056",  // Null password in store
        "50064",  // Credentials expired
        "50053",  // Account locked out
        "50057",  // User account disabled
        "50074",  // Strong auth required but not provided
        "50059",  // Tenant not found
        "50076"   // MFA required but not provided
    )
    | where isnotempty(IPAddress) and IPAddress !in ("127.0.0.1", "::1")
    | summarize
        FailureCount = count(),
        DistinctAccounts = dcount(UserPrincipalName),
        TargetAccounts = make_set(UserPrincipalName, 30),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated),
        TargetApps = make_set(AppDisplayName, 10),
        UserAgents = make_set(UserAgent, 5)
      by IPAddress, bin(TimeGenerated, SprayWindow)
    | where DistinctAccounts >= SprayAccountThreshold
    | extend AvgFailuresPerAccount = round(toreal(FailureCount) / toreal(DistinctAccounts), 2)
    | where AvgFailuresPerAccount <= BruteForceMaxPerAccount
    | extend DetectionSource = "AzureAD_SigninLogs";
// On-premises AD password spray detection via Security Event 4625
let OnPremADSpray = SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4625
    | where LogonType in (3, 10)  // Network, RemoteInteractive
    | where IpAddress !in ("-", "", "::1", "127.0.0.1")
    | summarize
        FailureCount = count(),
        DistinctAccounts = dcount(TargetUserName),
        TargetAccounts = make_set(TargetUserName, 30),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated),
        TargetApps = make_set(WorkstationName, 10),
        UserAgents = dynamic([])
      by IpAddress, bin(TimeGenerated, SprayWindow)
    | where DistinctAccounts >= SprayAccountThreshold
    | extend AvgFailuresPerAccount = round(toreal(FailureCount) / toreal(DistinctAccounts), 2)
    | where AvgFailuresPerAccount <= BruteForceMaxPerAccount
    | extend DetectionSource = "OnPremAD_SecurityEvent"
    | project-rename IPAddress = IpAddress;
union AzureADSpray, OnPremADSpray
| sort by DistinctAccounts desc

high severity high confidence

Data Sources

Authentication: Authentication Logs Logon Session: Logon Session Creation Azure Active Directory Sign-in Logs Windows Security Event Log

Required Tables

SigninLogs SecurityEvent

False Positives

Misconfigured service accounts using stale credentials that authenticate against multiple systems simultaneously during a configuration failure event
Authorized penetration testing or red team exercises targeting multiple accounts with common passwords from a designated test IP
ADFS or federated identity proxy services whose single IP proxies authentication for all federated users — these IPs will appear as the source for all federation failures
Vulnerability scanners (Tenable, Qualys, Rapid7) performing authenticated scans with cycling credentials across multiple hosts
Password synchronization failures during Active Directory migrations or forest trust establishment generating bulk 4625 events from the migration service account IP

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| where LogonType="3" OR LogonType="10"
| where IpAddress!="127.0.0.1" AND IpAddress!="-" AND IpAddress!="" AND IpAddress!="::1"
| bucket _time span=30m
| stats
    count as FailureCount,
    dc(TargetUserName) as DistinctAccounts,
    values(TargetUserName) as TargetAccounts,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen,
    values(WorkstationName) as SourceWorkstations
  by IpAddress, _time
| where DistinctAccounts >= 10
| eval AvgFailuresPerAccount=round(FailureCount/DistinctAccounts, 2)
| where AvgFailuresPerAccount <= 5
| eval SprayDurationMinutes=round((LastSeen - FirstSeen) / 60, 1)
| sort - DistinctAccounts
| table _time, IpAddress, FailureCount, DistinctAccounts, AvgFailuresPerAccount, SprayDurationMinutes, TargetAccounts, SourceWorkstations

high severity high confidence

Data Sources

Authentication: Authentication Logs Logon Session: Logon Session Creation Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Misconfigured service accounts with stale credentials cycling authentication failures across multiple systems during an outage or config change
Network vulnerability scanners performing authenticated scans with credentials that have expired or changed
ADFS or reverse proxy infrastructure where a single source IP represents all federated authentications for many users
Load balancers performing health check authentication against multiple backend nodes that simultaneously fail when a password rotation occurs
Domain controllers appearing as source IPs during Kerberos delegation or pass-through authentication cascades

Elastic Security (EQL)

eql

authentication where event.outcome == "failure"
  and winlog.logon.type in ("Network", "RemoteInteractive")
  and source.ip != null
  and source.ip != "127.0.0.1"
  and source.ip != "::1"
  and source.ip != "-"
  and user.name != null
  and user.name != ""
  and user.name != "ANONYMOUS LOGON"
  and user.domain != "NT AUTHORITY"
/* Deploy as Elastic SIEM Threshold Rule:
   - Rule type: Threshold
   - Threshold field: user.name (count_distinct >= 10)
   - Group by: source.ip
   - Time window: 30m
   Covers winlog EventCode 4625, ECS-normalized Azure AD SigninLogs,
   Okta system events, and Linux SSH/PAM failures via system.auth integration.
   To distinguish spray from brute force, correlate alert-time FailureCount
   against DistinctAccounts: flag only where ratio <= 5. */

high severity high confidence

Data Sources

Windows Security Event Log (EventCode 4625 via winlogbeat) Azure Active Directory SigninLogs via Azure integration Okta System Logs via Elastic Okta integration Linux SSH/PAM via Elastic system.auth integration

Required Tables

winlogbeat-* logs-system.auth-* logs-azure.signinlogs-* logs-okta.system-* .ds-logs-windows.*

False Positives

Corporate NAT gateways or PAT devices where hundreds of employees egress through a single external IP — mass simultaneous password expiry events cause legitimate users' failed logons to aggregate under one source address and cross the account threshold
IT service desk platforms (ServiceNow, Jira Service Management) that validate account status or test connectivity on behalf of many users from a shared agent IP, especially during bulk password reset operations or onboarding waves
Security scanning tools (Qualys, Tenable Nessus, Rapid7 InsightVM) executing credentialed authentication checks across Active Directory or LDAP from a fixed scanner IP, hitting many accounts in rapid succession during scheduled scan windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(FLOOR(starttime / 1800000) * 1800000, 'YYYY-MM-dd HH:mm') AS TimeWindow,
  sourceip AS SourceIP,
  COUNT(*) AS FailureCount,
  COUNT(DISTINCT username) AS DistinctAccounts,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
  QIDNAME(qid) AS EventName
FROM events
WHERE (
  (
    LOGSOURCETYPENAME(logsourceid) IN (
      'Microsoft Windows Security Event Log',
      'Microsoft AD Security Event Log',
      'Microsoft Active Directory'
    )
    AND (
      CATEGORYNAME(category) ILIKE '%authentication%'
      OR CATEGORYNAME(subcategory) ILIKE '%logon failure%'
      OR CATEGORYNAME(subcategory) ILIKE '%invalid password%'
    )
  )
  OR CATEGORYNAME(category) = 'Authentication Failure'
  OR (
    LOGSOURCETYPENAME(logsourceid) IN ('Linux OS', 'Linux DHCP', 'SolarWinds Kiwi Syslog')
    AND CATEGORYNAME(subcategory) ILIKE '%failed password%'
  )
)
AND sourceip NOT IN ('127.0.0.1', '::1', '0.0.0.0')
AND sourceip IS NOT NULL
AND username IS NOT NULL
AND username != ''
AND LOWER(username) NOT IN ('anonymous logon', 'nt authority\\anonymous logon')
LAST 24 HOURS
GROUP BY
  FLOOR(starttime / 1800000),
  sourceip
HAVING
  COUNT(DISTINCT username) >= 10
  AND (CAST(COUNT(*) AS FLOAT) / CAST(COUNT(DISTINCT username) AS FLOAT)) <= 5.0
ORDER BY DistinctAccounts DESC

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4625) Microsoft Active Directory / Domain Controllers Linux syslog SSH/PAM authentication failures VPN gateway authentication logs (Cisco ASA, Palo Alto) RADIUS server authentication logs

Required Tables

events

False Positives

Large enterprise networks where all outbound authentication traffic is sourced from a shared egress IP — during organization-wide password expiry enforcement, hundreds of users failing authentication simultaneously will all appear under one source IP and easily exceed the 10-account threshold
Automated monitoring or synthetic transaction systems that test authentication endpoints across multiple service accounts from a single monitoring host IP as part of SLA verification or health checks
Legacy application integrations using NTLM authentication that generate spurious 4625 events before successfully negotiating Kerberos, creating artifically inflated failure counts under infrastructure IPs

Sumo Logic CSE

sql

(_index=sec_record_authentication result="failure"
OR (_sourceCategory=*windows*security* EventCode=4625)
OR (_sourceCategory=*linux*secure* "Failed password"))
| where !isEmpty(srcDevice_ip) OR !isEmpty(IpAddress)
| eval src_ip = if(!isEmpty(srcDevice_ip) AND srcDevice_ip != "-", srcDevice_ip, IpAddress)
| eval acct = if(!isEmpty(user_username), user_username, TargetUserName)
| where !isEmpty(src_ip)
  AND src_ip != "127.0.0.1"
  AND src_ip != "::1"
  AND src_ip != "-"
  AND !isEmpty(acct)
  AND acct != "ANONYMOUS LOGON"
| where LogonType = "3" OR LogonType = "10" OR _index = "sec_record_authentication"
| timeslice 30m
| stats
    count as FailureCount,
    dcount(acct) as DistinctAccounts,
    values(acct) as TargetAccounts,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen,
    values(WorkstationName) as SourceWorkstations
    by src_ip, _timeslice
| where DistinctAccounts >= 10
| eval AvgFailuresPerAccount = round(FailureCount / DistinctAccounts, 2)
| where AvgFailuresPerAccount <= 5
| eval SprayDurationMinutes = round((LastSeen - FirstSeen) / 60000, 1)
| sort by DistinctAccounts desc
| fields _timeslice, src_ip, FailureCount, DistinctAccounts, AvgFailuresPerAccount, SprayDurationMinutes, TargetAccounts, SourceWorkstations

high severity high confidence

Data Sources

Sumo Logic CSE normalized authentication records (_index=sec_record_authentication) Windows Security Event Log via Sumo Logic Windows Collector (EventCode 4625) Linux SSH/PAM via Sumo Logic syslog collector (/var/log/secure) Azure AD SigninLogs via Sumo Logic Azure integration Okta System Logs via Sumo Logic Okta app

Required Tables

sec_record_authentication _sourceCategory=*windows*security* _sourceCategory=*linux*secure*

False Positives

Enterprise SSO or federated identity gateways (Okta RADIUS agent, PingFederate, ADFS proxy) that present a single IP for all authentication requests — their service IP will accumulate failures from many accounts during credential hygiene issues or integration misconfigurations
Authorized red team or penetration testing engagements running password spray assessments against Active Directory or OWA — correlate alert time against the security team's engagement calendar before escalating
Bulk user provisioning and lifecycle management scripts that test authentication for groups of accounts as part of onboarding/offboarding validation, particularly from a shared automation server IP

Google Chronicle / SecOps

yaral

rule password_spraying_t1110_003 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Password spraying: single source IP with authentication failures against 10+ distinct accounts in a 30-minute window"
    mitre_attack_tactic = "TA0006 - Credential Access"
    mitre_attack_technique = "T1110.003 - Password Spraying"
    severity = "HIGH"
    confidence = "HIGH"
    false_positives = "Corporate NAT gateways, identity proxy services, authorized red team engagements"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    $ip = $e.principal.ip
    $user = $e.target.user.userid
    not $ip = "127.0.0.1"
    not $ip = "::1"
    $ip != ""
    $user != ""
    not $user = "ANONYMOUS LOGON"

  match:
    $ip over 30m

  condition:
    #e >= 10 and #user >= 10

  outcome:
    $risk_score = max(85)
    $attacker_ip = array_distinct($e.principal.ip)
    $affected_accounts = array_distinct($e.target.user.userid)
    $target_applications = array_distinct($e.target.application)
    $source_hostnames = array_distinct($e.principal.hostname)
    $total_failure_count = count($e.metadata.id)
}

high severity high confidence

Data Sources

Google Workspace Login Activity (via Chronicle native ingestion) Azure AD / Entra ID SigninLogs (via Chronicle Azure AD integration) Okta System Logs (via Chronicle Okta integration) Windows Security Events forwarded via Chronicle forwarder (EventID 4625) On-premises Active Directory Domain Controllers

Required Tables

USER_LOGIN UDM events

False Positives

Cloud-based zero-trust network access proxies (Zscaler, Prisma Access, Cloudflare Access) where the entire workforce authenticates through a small pool of fixed gateway IPs — failed authentications from many users accumulate under infrastructure addresses and may cross the 10-account threshold during routine credential expiry
Identity federation services (Azure AD B2C, ADFS proxy, Shibboleth SP) that forward authentication attempts on behalf of users, presenting the service's IP rather than the end-user's source address in UDM principal.ip
Authorized red team engagements using Chronicle-visible identity providers as spray targets — cross-reference alert timestamp against the security team's active test calendar before escalating to incident response

CrowdStrike LogScale (CQL)

cql

// CrowdStrike LogScale: Password Spray Detection
// Source: Falcon endpoint UserLogonFailed2 events (network and remote interactive logon types)
#event_simpleName = UserLogonFailed2
| LogonType in ["3", "10"]
| IpAddress != "127.0.0.1"
| IpAddress != "::1"
| IpAddress != "-"
| IpAddress != ""
| UserName != ""
| UserName != "ANONYMOUS LOGON"
| bucket(span=30m)
| groupBy(
    [IpAddress, _bucket],
    function=[
      count(as=FailureCount),
      count(field=UserName, distinct=true, as=DistinctAccounts),
      collect(field=UserName, limit=30, as=TargetAccounts),
      collect(field=ComputerName, limit=20, as=TargetHosts),
      min(field=@timestamp, as=FirstSeen),
      max(field=@timestamp, as=LastSeen)
    ]
  )
| DistinctAccounts >= 10
| AvgFailuresPerAccount := FailureCount / DistinctAccounts
| AvgFailuresPerAccount <= 5
| SprayDurationSeconds := LastSeen - FirstSeen
| sort(DistinctAccounts, order=desc)
| table([
    _bucket, IpAddress, FailureCount, DistinctAccounts,
    AvgFailuresPerAccount, SprayDurationSeconds,
    TargetAccounts, TargetHosts, FirstSeen, LastSeen
  ])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor (UserLogonFailed2 events on Windows endpoints) Windows Security Events forwarded via Falcon LogScale Collector (EventCode 4625) CrowdStrike Falcon Identity Protection (if licensed, provides IdP-level spray visibility)

Required Tables

#event_simpleName=UserLogonFailed2

False Positives

Jump servers and privileged access workstations (PAWs) used by multiple administrators — all RDP and network logon failures from many admin accounts appear sourced from the jump host's IP rather than the originating workstation, easily crossing the 10-account threshold during normal helpdesk activity
VDI infrastructure (Citrix Virtual Apps, VMware Horizon) where many user desktop sessions originate from a small pool of broker or hypervisor management IPs — failed logons from VDI users consolidate under infrastructure addresses in Falcon telemetry
Endpoint visibility gaps where Falcon is not deployed on domain controllers or authentication servers mean that network-level spray against OWA, ADFS, or RADIUS will not generate UserLogonFailed2 events and will be missed by this query — use the forwarded Windows Security Event variant for complete coverage

Password Spraying

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections