Password Spraying Detection Script - PowerShell Security

What This Script Detects

Password Spraying (MITRE ATT&CK T1110.003) is a brute-force technique where attackers attempt common passwords against many accounts to avoid lockout thresholds. This script detects suspicious authentication failure patterns across multiple accounts from single sources.

Attack Overview

Target: All domain user accounts with weak passwords
Pattern: 1-2 password attempts per account across hundreds/thousands of accounts
Impact: Initial foothold, 2-5% success rate in unprotected environments
Detection: 🟢 Easy (Event ID 4625/4771 correlation)

Detection Indicators

Multiple failed logon attempts (Event ID 4625/4771) across MANY different accounts
Same source IP or hostname
Short timeframe (10+ accounts within 60 minutes)
Excludes legitimate service account patterns

The Script

How to Use

.\Detect-PasswordSpraying.ps1 -HoursToCheck 24 -Threshold 10

Related Resources

Password Spraying Mitigation
Kerberoasting Detection