Encient

Detecting Password Spraying

Encient

Cybersecurity Cheatsheets
Cybersecurity Cheatsheets
- DFIR
  DFIR
  - 🔍 Detecting Active Directory Attacks Using Splunk (in progress)
    🔍 Detecting Active Directory Attacks Using Splunk (in progress)
    
    Detecting Common User/Domain Recon
    
    Detecting Password Spraying Detecting Password Spraying
    Table of contents
    
    Password Spraying Windows Event ID
    
    Splunk Query
  - 🔍 Volatility 2 & 3 Cheatsheet
CTF Writeups
CTF Writeups
- 2023
  2023
  - ABOH 2023
    ABOH 2023
    
    [ About ]
    
    Fur Elise
    
    SCP 2.0
  - GOH 2023
    GOH 2023
    
    [ About ]
    
    Clone
    
    The Realm of Eerie-Area
  - GCTF 2023
    GCTF 2023
    
    [ About ]
    
    RSA
    
    Broken
    
    Wireshark 1
    
    Wireshark 2
    
    History
    
    KB
    
    Frequency
    
    Office
    
    Master Hidden Within the Slides
    
    PNG
- 2024
  2024
  - Wicked 6
    Wicked 6
    
    Haiku
    Haiku
    
    Enumeration and Escalation
    
    HTB
    HTB
    
    [ About ]
    
    Cash Me Ousside
    
    Almanac
    
    Number Cruncher
  - iHack 2024
    iHack 2024
    
    [ About ]
    
    Covert
    
    Memory
    
    Mystery File
  - GCTF 2024
    GCTF 2024
    
    [ About ]
    
    Blockchain
    Blockchain
    
    Allowance
    
    Cryptography
    Cryptography
    
    Warmup Salsa Sauce
    
    Warmup Cipher
    
    Overflow Resources
    
    Forensics
    Forensics
    
    QNA
    
    Fox Secrets
    
    Olivia's Boxter
    
    Stop Slacking Off
    
    MFTBasics
    
    Misc
    Misc
    
    I Forgot
    
    Find Me 1
    
    Find Me 2
    
    DevOps 101
    
    Dev(Sec?)Ops
    
    RE
    RE
    
    Phone Siapa Ni?
    
    Gopher-chan
    
    Web
    Web
    
    Rainbow I
    
    Rainbow II
    
    Pwn
    Pwn
    
    Ret2Win I
HTB Sherlocks (In Progress)
HTB Sherlocks (In Progress)
- Easy
  Easy
  - Easy1
- Medium
  Medium
  - Medium1
- Hard
  Hard
  - Hard1
Blog
Blog
- Archive
  Archive
  - 2025
  - 2024
  - 2023
- Categories
  Categories
  - Cloud
  - DFIR
  - Event
  - Honeypot
  - RE
  - Technical
  - Volatility

Detecting Password Spraying

Password Spraying Windows Event ID¶

Password spraying activity will create multiple failed logon attempts from different user accounts from the same source IP address within a short period of time. Therefore, we can search for Event ID 4625 - Failed Logon for potential password spraying attempts.

Splunk Query¶

index=main source="WinEventLog:Security" EventCode=4625
| bin span=15m _time
| stats values(user) as Users, dc(user) as dc_user by src, Source_Network_Address, dest, EventCode, Failure_Reason