TL;DR: Password spraying in Active Directory can avoid lockout thresholds by spreading a few common-password guesses across many accounts, and the article notes that Microsoft estimates it is responsible for more than one-third of account compromises. Stealthier variants using Kerberos pre-authentication and randomized delays make detection harder, so log pattern analysis and stronger password controls remain essential.
At a glance
What this is: This article explains how password spraying works in Active Directory and why delayed attempts, Kerberos pre-authentication, and randomized intervals can evade basic detection.
Why it matters: IAM teams need to treat password spraying as an identity telemetry problem, not just a password policy problem, because noisy but distributed guessing can bypass threshold-based controls.
By the numbers:
- Lightning IRP typically needs 7 to 10 days to learn the patterns of an environment through behavior analysis.
- Event 4771 exposes Kerberos pre-authentication failures; a failure code of 0x18 indicates that an incorrect password was entered.
Context
Password spraying is a distributed guessing attack that tests a small set of common passwords across many accounts instead of hammering a single account. In Active Directory, that pattern is dangerous because authentication telemetry can look like ordinary user noise until multiple failures are correlated over time.
The NHI governance lesson is straightforward: identity systems need detection logic that understands sequence, timing, and authentication path, not just failed-login counts. For a broader NHI lifecycle and control view, the Ultimate Guide to NHIs and the NHI Lifecycle Management Guide are useful reference points for visibility, rotation, and access review.
Key questions
Q: How should security teams detect password spraying in Active Directory?
A: Security teams should detect password spraying by correlating low-volume login failures across many accounts, not just repeated failures on one user. Monitor timing gaps, source reuse, and Kerberos pre-authentication failures such as Event 4771. Effective detection combines threshold rules, behavioural baselines, and investigation workflows that treat distributed guessing as a domain-wide identity event.
Q: Why do password spraying attacks evade common lockout controls?
A: Password spraying evades common lockout controls because each account receives only a few guesses, which keeps the attacker below per-account thresholds. The attack works by spreading attempts across many identities and stretching them over time, so the signal looks like normal background authentication noise unless defenders correlate activity across the directory.
Q: What is the difference between password spraying and brute force attacks?
A: Password spraying uses a small set of common passwords against many accounts, while brute force attacks focus on many password guesses against one account. Spraying is usually quieter and less likely to trigger lockouts, which makes cross-account correlation and authentication-path monitoring more important than simple failure counts.
Q: When does password spraying become a high-risk identity issue?
A: Password spraying becomes high risk when an organisation has weak password hygiene, incomplete Kerberos monitoring, or insufficient visibility across accounts. In that state, one successful guess can create a valid foothold that the attacker can use for lateral movement or privilege escalation, turning a low-cost attack into broad identity compromise.
Technical breakdown
How password spraying bypasses Active Directory lockout assumptions
Password spraying works because the attacker keeps each account below common lockout thresholds while cycling through many identities. In Active Directory, that means the attacker can query account information and distribute attempts across users, making the activity blend into normal authentication noise. The timing matters as much as the password list. When attempts are spaced out, defenders lose the obvious burst pattern that simple alerting often depends on. This is a classic gap between policy design and runtime detection.
Practical implication: Detect spread-out failure patterns across many accounts, not only repeated failures on a single account.
Kerberos pre-authentication and Event 4771 signals
Kerberos pre-authentication changes what appears in the logs. Instead of the more familiar logon failure events, defenders may see Kerberos pre-authentication failures, often with Event ID 4771 and a status that maps to an incorrect password. That creates a monitoring problem: teams that only watch standard bad-password events will miss an attack path that still generates identity telemetry. The control failure is not the protocol itself, but the assumption that one event family captures all authentication abuse.
Practical implication: Add Event 4771 monitoring and correlate those failures with account-targeting patterns across all domain controllers.
Randomized delays and anomaly-based detection in NHI monitoring
Randomized delays are a simple evasion trick because they break fixed thresholds and timing signatures. That is why anomaly-based identity monitoring is more effective than static count-based rules alone. Behaviour models can learn what normal authentication cadence looks like and then flag irregular sequences even when each individual attempt seems harmless. The article’s runtime protection example shows that the detection challenge is not just volume, but shape and tempo of activity across the environment.
Practical implication: Use behaviour-based detections to supplement threshold rules, especially where attackers can vary timing.
Threat narrative
Attacker objective: The attacker wants a low-noise authenticated foothold in Active Directory that can be used for further access and lateral movement.
- Entry occurs through distributed password guesses across many Active Directory accounts, often with delays that keep each user below lockout thresholds.
- Escalation follows when a single weak credential succeeds and the attacker gains an authenticated foothold inside the domain.
- Impact is expanded access to identity systems and downstream resources, because the attacker can pivot from a valid account into broader enterprise exposure.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Password spraying is an identity governance failure, not just an authentication nuisance. The attack succeeds when defenders rely on per-account thresholds and miss cross-account correlation. That means IAM monitoring has to treat distributed guessing as an identity-risk pattern across the directory, not a single login anomaly. Practitioners should design detections around account fan-out and timing.
Timing variance creates an identity blast radius problem: once an attacker can spread attempts across many users, the control surface moves from individual credentials to the whole authentication graph. Static lockout logic remains necessary, but it is not sufficient when the attacker shapes traffic to look ordinary. Teams should measure how much attack volume can traverse their environment before detection.
Kerberos telemetry gaps are where many defenders lose the trail. If monitoring concentrates only on the most obvious failed-logon events, password spraying through pre-authentication will be undercounted. That is a logging design issue as much as a detection issue. Security operations should align directory telemetry, alert tuning, and account review workflows so that 4771 failures feed the same investigation path as standard bad-password signals.
Password spraying exposes the gap between policy and observability. Strong password rules help, but they do not replace visibility into how credentials are being tested across the environment. The operational mistake is assuming that prevention alone will stop distributed attack behavior. Practitioners should pair policy enforcement with correlation, baselining, and response playbooks for domain-wide guessing.
Directory identity remains a high-value NHI target because it aggregates trust. Once a sprayed credential works, the attacker inherits whatever entitlements the account already has, which can make a low-complexity attack produce a high-impact result. That is why password hygiene, telemetry, and privilege review must be treated as one control family rather than separate projects. Teams should reduce the chance that one weak account becomes enterprise access.
From our research:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Forward-looking: Review the NHI Lifecycle Management Guide to close lifecycle gaps that password-only controls cannot address.
What this signals
Identity teams should treat detection quality as a governance metric. If password spraying can blend into ordinary authentication activity, then alert fidelity and telemetry coverage become part of access control, not separate SOC concerns. That is where NHI governance and IAM operations converge, especially when directory events are the only early signal.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the same blast-radius logic that applies to service accounts also applies to compromised user identities in hybrid environments. The practical lesson is to reduce the amount of trust any single credential can inherit after a successful spray.
Security programmes that still rely on static password policy alone will keep missing the attacker’s real advantage, which is low-noise scale. Teams should prepare for detection logic that spans authentication protocols, directory logs, and response workflows rather than assuming one control layer will be enough.
For practitioners
- Correlate failures across accounts and time windows: Build detections that flag low-volume attempts distributed across many users within the same source, subnet, or authentication path. Focus on spread and cadence, not just repeated failures on one identity.
- Monitor Kerberos pre-authentication failures explicitly: Add Event 4771 to alerting and investigation workflows, then correlate those events with account targeting patterns and source IP repetition. Treat incorrect-password indicators as first-class identity telemetry.
- Tune lockout and password policies together: Use default domain policy and fine-grained password policies to enforce strong passwords and appropriate lockout behaviour without creating avoidable help desk noise. Review whether temporary or permanent lockout is the better fit for high-risk accounts.
- Reduce weak-password exposure at creation time: Deploy password protection controls that block common or previously breached passwords before they enter the directory. Preventive controls matter because spraying is far easier when user-chosen passwords are predictable.
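As an added example (not code from the Semperis article or the NHIMG post), the following Python sketch applies the correlation described in the technical breakdown and in the practitioner items above: it maps both 4771/0x18 and 4625/0xC000006A failures onto one wrong-password signal and flags a source whose failures fan out across many accounts inside a sliding window while each account stays under a lockout-style per-account threshold. The event records and their flattened field names are constructed and simplified; a real SIEM query would map EVTX fields onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs); field names are hypothetical.
SAMPLE_EVENTS = [
    # Kerberos pre-auth failures (4771, code 0x18), one guess per account, spaced
    # irregularly from one source: the spray pattern the article describes.
    {"ts": "2026-02-02T09:00:00", "id": 4771, "user": "alice", "src": "10.0.5.7", "code": "0x18"},
    {"ts": "2026-02-02T09:04:10", "id": 4771, "user": "bob",   "src": "10.0.5.7", "code": "0x18"},
    {"ts": "2026-02-02T09:11:42", "id": 4771, "user": "carol", "src": "10.0.5.7", "code": "0x18"},
    # The same source also produced a classic NTLM bad-password logon failure.
    {"ts": "2026-02-02T09:13:05", "id": 4625, "user": "dave",  "src": "10.0.5.7", "code": "0xC000006A"},
    {"ts": "2026-02-02T09:22:31", "id": 4771, "user": "erin",  "src": "10.0.5.7", "code": "0x18"},
    # A 4771 with code 0x25 (clock skew) is not a wrong password and is ignored.
    {"ts": "2026-02-02T09:23:00", "id": 4771, "user": "frank", "src": "10.0.5.7", "code": "0x25"},
    # One user mistyping their own password repeatedly: per-account noise, not a spray.
    {"ts": "2026-02-02T09:05:00", "id": 4625, "user": "grace", "src": "10.0.9.2", "code": "0xC000006A"},
    {"ts": "2026-02-02T09:05:20", "id": 4625, "user": "grace", "src": "10.0.9.2", "code": "0xC000006A"},
    {"ts": "2026-02-02T09:06:00", "id": 4625, "user": "grace", "src": "10.0.9.2", "code": "0xC000006A"},
]

# Both event families feed the same "wrong password" signal.
BAD_PASSWORD = {(4771, "0x18"), (4625, "0xC000006A")}


def detect_spray(events, window=timedelta(minutes=30), min_accounts=4, max_per_account=3):
    """Return {source: sorted accounts} for sources whose wrong-password failures
    hit at least min_accounts distinct users inside a sliding window while no
    single user exceeds max_per_account attempts (i.e. stays below lockout)."""
    by_src = defaultdict(list)
    for e in events:
        if (e["id"], e["code"]) in BAD_PASSWORD:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()                      # chronological order per source
        recent = deque()                  # events inside the current window
        for ts, user in items:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()          # drop events older than the window
            per_user = defaultdict(int)
            for _, u in recent:
                per_user[u] += 1
            # Fan-out across accounts with low per-account counts is the spray shape.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
    return hits
```

Keying on source IP alone misses sprays spread over many sources; the same window logic can be run domain-wide by grouping on a constant instead of `src`, at the cost of a higher false-positive baseline.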
Key takeaways
- Password spraying is effective because it distributes guesses across accounts, making simple lockout logic an incomplete defence.
- Kerberos pre-authentication failures and timing patterns matter because they reveal attacks that ordinary failed-logon dashboards may miss.
- Teams should combine strong password controls with directory-wide correlation, behavioural detection, and account lifecycle hygiene.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Password spraying exploits weak credential handling and poor rotation hygiene. |
| NIST CSF 2.0 | PR.AC-7 | Authentication events and access patterns need monitoring to detect sprayed credentials. |
| NIST Zero Trust (SP 800-207) | | Zero Trust requires continuous verification, not trust after a single successful login. Correlate authentication telemetry and alert on distributed login abuse across the identity estate. |
Key terms
- Password Spraying: Password spraying is a credential attack that tries a small set of common passwords across many accounts. The goal is to avoid lockouts and noise while still finding one weak password that opens an authenticated foothold in the environment.
- Kerberos Pre-authentication: Kerberos pre-authentication is an early authentication step used by Active Directory to validate a login attempt before issuing a ticket. Failed attempts can produce distinct telemetry such as Event 4771, which defenders should monitor alongside standard bad-password signals.
- Authentication Correlation: Authentication correlation is the practice of linking login failures, source patterns, and timing across many identities to reveal attacks that look harmless in isolation. It is essential when adversaries spread attempts across users to stay below lockout thresholds.
- Identity Blast Radius: Identity blast radius is the amount of access an attacker can gain after compromising one credential. In practice, it is shaped by privilege scope, account hygiene, and how quickly teams can detect and revoke access after a successful spray.
Deepen your knowledge
Password spraying detection and identity telemetry are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building directory monitoring and governance from a similar starting point, it is worth exploring.
This post draws on content published by Semperis: Password Spraying Detection in Active Directory. Read the original.
Published by the NHIMG editorial team on 2026-02-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org