
How to Prevent Password Spraying Attacks on Active Directory Accounts

Password spraying is a stealthy technique where attackers try a small number of common passwords across many Active Directory user accounts, aiming to avoid detection by evading account lockouts. Attackers often gather usernames from Active Directory, then attempt to authenticate with known or guessed passwords derived from public wordlists or environment-specific information, such as reused passwords. Success means control over the user account and all its access rights, posing a significant risk.

Malicious actors also scan file shares for unsecured secrets like Active Directory credentials. Tools such as SMBMap and Snaffler help locate cleartext passwords, API keys, certificates, and backups — prime targets for privilege escalation and lateral movement without raising suspicion through brute force methods like Kerberoasting or password spraying.

Using enterprise-grade password management solutions to securely store credentials is essential. Regular internal scans help detect sensitive information stored inappropriately on file shares, further reducing risk.

Account lockout policies help block brute-force password attempts by locking accounts after a defined number of failed logins. However, password spraying works around this by attempting only a few tries per account to avoid lockouts. Tools like DomainPasswordSpray and Spray intelligently test authentication attempts below these thresholds, often spacing attempts to evade detection.

The Built-in Administrator Account: A High-Value Target

Every Active Directory domain has a built-in Administrator account, a powerful user object that is a member of the Domain Admins and Enterprise Admins groups. Unlike other accounts, it is exempt from lockout policies—if locked out, a correct password resets the lock and the failed-attempt counters. This makes it an irresistible target for attackers to spray with multiple passwords indefinitely.

To protect this account, set a long (minimum 30 characters), unique, and unpredictable password. Treat this account as a break-glass emergency only and monitor all authentication events related to it for suspicious activity. Additional measures include marking it as sensitive to prevent delegation and restricting where it can be used.

Practical Mitigations Against Password Spraying

  • Use long, unique, and unpredictable passwords for local admins, service accounts, and break-glass accounts. Microsoft’s Local Administrator Password Solution (LAPS) is a great tool for managing local admin passwords.
  • Enforce passwords with at least 15 characters consisting of four random words for single-factor authentication accounts.
  • Lock user accounts (except break-glass accounts) after five failed login attempts to reduce attack surface.
  • Randomly generate passwords for new or reset accounts to avoid reuse.
  • Configure the built-in Administrator account as sensitive.
  • Scan networks monthly for cleartext credentials and remove them promptly.
  • Disable NTLM authentication where possible, since it bypasses MFA protections; if NTLM is necessary, enable LDAP channel binding, Extended Protection for Authentication, and SMB signing.

Detecting Password Spraying Using Event Logs

Password spraying generates numerous failed login events over a short period. Effective detection relies on monitoring these events and correlating them to suspicious activity patterns. Attackers often use SMB and LDAP protocols, so logs from both must be collected and analyzed.

Event ID | Source | Description
-------- | ------------------ | -----------
2889 | Domain Controllers | Indicates unsigned LDAP bind attempts; many in a short time may suggest LDAP-based password spraying.
4624 | Domain Controllers | Successful logon event; when close in time to multiple failures, it may indicate a successful password spray.
4625 | Domain Controllers | Failed SMB protocol logon attempts; spikes could mean SMB password spraying in progress.
4648 | Source System | Logon attempts using explicit credentials; many in a short time with different usernames may suggest spraying.
4740 | Domain Controllers | User account lockout event; multiple lockouts in a short window could point to password spraying.
4771 | Domain Controllers | Kerberos pre-authentication failure, with failure code 0x18 indicating wrong password; may signal LDAP spraying.

Additionally, querying the badPasswordTime attribute for multiple accounts sharing identical or near-identical timestamps can reveal coordinated spraying attempts.
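The correlation this section describes, as an added example that is not code from the original article: failures (4625/4771) from one source are grouped into a time window and flagged when they hit many distinct accounts with only a few tries each, then matched against any 4624 success from the same source. The events, IP addresses, usernames and thresholds are constructed assumptions, not real log data.

```python
# Added example (not from the article): the spray correlation it describes,
# run over constructed sample Security events rather than a live log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, event_id, source_ip, target_user).
# 4625 = failed logon, 4771 = Kerberos pre-auth failure, 4624 = success.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.50", "alice"),
    ("2024-05-01T09:00:02", 4625, "10.0.0.50", "bob"),
    ("2024-05-01T09:00:03", 4771, "10.0.0.50", "carol"),
    ("2024-05-01T09:00:04", 4625, "10.0.0.50", "dave"),
    ("2024-05-01T09:00:05", 4625, "10.0.0.50", "erin"),
    ("2024-05-01T09:00:06", 4625, "10.0.0.50", "frank"),
    ("2024-05-01T09:00:09", 4624, "10.0.0.50", "frank"),  # spray succeeded
    # Benign noise: one user mistyping their own password three times.
    ("2024-05-01T09:05:00", 4625, "10.0.0.77", "grace"),
    ("2024-05-01T09:05:20", 4625, "10.0.0.77", "grace"),
    ("2024-05-01T09:05:40", 4625, "10.0.0.77", "grace"),
]
FAILURE_IDS = {4625, 4771}

def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=3):
    """One alert per source IP whose failures in `window` cover >= `min_accounts`
    distinct users with <= `max_per_account` tries each (i.e. below lockout)."""
    by_source = defaultdict(list)
    for ts, eid, src, user in events:
        by_source[src].append((datetime.fromisoformat(ts), eid, user))
    alerts = []
    for src, recs in by_source.items():
        recs.sort()
        failures = [(t, u) for t, eid, u in recs if eid in FAILURE_IDS]
        for i, (start, _) in enumerate(failures):  # slide window over bursts
            end = start + window
            tries = defaultdict(int)
            for t, u in failures[i:]:
                if t > end:
                    break
                tries[u] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_per_account:
                # A 4624 from the same source inside the burst is the success-near-failures signal.
                hits = sorted({u for t, eid, u in recs if eid == 4624 and start <= t <= end})
                alerts.append({"source": src, "start": start.isoformat(),
                               "accounts": sorted(tries), "successes": hits})
                break
    return alerts
```

The `max_per_account` bound keeps this rule focused on the below-threshold pattern; attempts that exceed the lockout threshold already surface as 4740 events.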
