Query Details

Password Spraying Detection In Active Directory

Query

// Password Spraying Detection in Active Directory
// https://www.semperis.com/blog/password-spraying-detection-in-active-directory/

// Event ID 4625
// Mitre ATT&CK T1110

Anomalies
| where TimeGenerated > ago(1d)
| where RuleName == "Attempted user account bruteforce per logon type"
or RuleName == "Attempted user account bruteforce"
| where Score > 0.5 

Explanation

This query is designed to detect password spraying attacks in Active Directory by looking for specific anomalies in security events. Here's a simple breakdown:

  1. Time Frame: It looks at events generated in the last day (TimeGenerated > ago(1d)).
  2. Event Type: It filters for events where the rule name indicates an attempted brute force attack on user accounts (RuleName == "Attempted user account bruteforce per logon type" or RuleName == "Attempted user account bruteforce").
  3. Score threshold: It keeps only anomalies whose Score is greater than 0.5 (Score > 0.5), so low-scoring anomalies are dropped.

In summary, this query identifies significant brute force attack attempts on user accounts within the past day.
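As an added example, not part of the original page or the Semperis post it links to, the same detection built directly from the Event ID 4625 events the query comment references: it groups failed logons by source and counts how many distinct accounts each source tried within a short window, which is the pattern that distinguishes a spray from a single-account brute force. It assumes the Microsoft Sentinel SecurityEvent table with its TargetUserName, IpAddress, WorkstationName, LogonType and SubStatus columns; the window and account thresholds are placeholders to tune for your environment.

```kql
// Added example: password spraying from raw 4625 events (Mitre ATT&CK T1110).
// Assumes the Sentinel SecurityEvent table; thresholds below are placeholders.
let lookback = 1d;          // how far back to search
let window = 10m;           // bucket size for counting attempts per source
let min_accounts = 10;      // distinct accounts per source per window to alert on
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625
// Keep the sub-statuses a spray produces: wrong password, unknown user name.
| where tolower(SubStatus) in ("0xc000006a", "0xc0000064")
// Ignore local/unknown sources that carry no useful source attribution.
| where IpAddress !in ("-", "::1", "127.0.0.1")
| summarize
    DistinctAccounts = dcount(TargetUserName),
    SampleAccounts   = make_set(TargetUserName, 50),
    Attempts         = count(),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by IpAddress, WorkstationName, LogonType, bin(TimeGenerated, window)
// A spray touches many accounts from one source; a brute force hammers one.
| where DistinctAccounts >= min_accounts
| project-rename WindowStart = TimeGenerated
| order by DistinctAccounts desc, Attempts desc
```

Run the Anomalies query from this page alongside it: the Anomalies rule gives a pre-scored signal, while the 4625 aggregation shows exactly which source and accounts were involved for triage.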

Details


Steven Lim

Released: September 19, 2024

Tables

Anomalies

Keywords

Anomalies, Active Directory, User, Security

Operators

|, >, ago(), ==, or
