Brute Force: Password Spraying `T1110.003`

Tactic: Credential Access

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Security-Auditing	Event ID 4624	An account was successfully logged on.
Security-Auditing	Event ID 4625	An account failed to log on.
Security-Auditing	Event ID 4648	A logon was attempted using explicit credentials.
Security-Auditing	Event ID 4723	An attempt was made to change an account's password.
Security-Auditing	Event ID 4724	An attempt was made to reset an account's password.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4771	Kerberos pre-authentication failed.
Security-Auditing	Event ID 4776	The domain controller attempted to validate the credentials for an account.
Defender-DeviceLogonEvents	LogonSuccess	Logon succeeded
Defender-DeviceLogonEvents	LogonFailed	Logon failed

Authoring guide

Patterns shared across the 81 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (119 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventID`	24	`eq` 23, `in` 1	`4625`, `8004`, `4768`, `4776`, `4648`
`Channel`	21	`eq` 21, `in` 16
`sourcetype`	19	`eq` 19	`azure:monitor:aad`, `XmlWinEventLog:Microsoft-Windows-NTLM/Operational`, `aws:cloudtrail`, `gws:reports:login`, `o365:management:activity`
`EventType`	17	`eq` 9, `in` 8, `starts_with` 4	`ssh_login`, `user.authentication.`, `user.session.start`, `user_login`, `logon-failed`
`eventtype`	16	`eq` 16
`data_stream.dataset`	15	`eq` 14, `in` 1	`okta.system`, `azure.signinlogs`, `o365.audit`, `azure.identity_protection`
`isOutlier`	14	`eq` 14	`1`
`unique_accounts`	12	`gt` 12	`30`, `10`, `20`, `9`
`Status`	10	`eq` 10	`0x12`, `0x18`, `0x6`, `0xC000006A`, `0xc0000064`
`TargetUserName`	10	`ne` 10	`*$`
`LogonType`	9	`eq` 8, `ne` 1	`Network`, `Interactive`, `Unlock`
`event.category`	9	`eq` 9	`authentication`
`src_ip`	8	`is_not_null` 5, `ne` 4, `cidr_match` 1	`-`, `0.0.0.0`, `10.0.0.0/8`, `100.64.0.0/10`, `127.0.0.0/8`
`event.outcome`	7	`eq` 7	`failure`, `success`
`category`	6	`eq` 5, `ends_with` 1	`SignInLogs`, `UserRiskEvents`, `signinlogs`

Top indicator values (238 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`isOutlier`	`eq`	`1` splunkAWS Unusual Number of Failed Authentications From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip splunkDetect Distributed Password Spray Attempts splunkDetect Password Spray Attempts splunkGCP Unusual Number of Failed Authentications From Ip splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials splunkWindows Unusual Count Of Users Failed To Auth Using Kerberos splunkWindows Unusual Count Of Users Failed To Authenticate From Process splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host	14	28
`TargetUserName`	`ne`	`*$` splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Multiple Users Failed To Authenticate Using Kerberos splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Failed To Auth Using Kerberos splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM	10	14
`event.category`	`eq`	`authentication` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticEntra ID User Sign-in with Unusual Authentication Type elasticM365 Identity User Account Lockouts elasticM365 Identity User Brute Force Attempted elasticMultiple Logon Failure from the same Source Address elasticPotential Password Spraying Attack via SSH elasticPrivileged Accounts Brute Force	9	31
`unique_accounts`	`gt`	`30` splunkAWS Multiple Users Failing To Authenticate From Ip splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Fail To Authenticate Wth ExplicitCredentials splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Multiple Users Failed To Authenticate From Process splunkWindows Multiple Users Failed To Authenticate Using Kerberos splunkWindows Multiple Users Remotely Failed To Authenticate From Host	9	9
`event.outcome`	`eq`	`failure` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticPotential External Linux SSH Brute Force Detected elasticPotential Internal Linux SSH Brute Force Detected elasticPotential Password Spraying Attack via SSH elasticPotential Successful SSH Brute Force Attack	7	16
`LogonType`	`eq`	`Network` elasticMultiple Logon Failure Followed by Logon Success elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkWindows Multiple Users Remotely Failed To Authenticate From Host splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host	6	40
`data_stream.dataset`	`eq`	`okta.system` elasticAttempts to Brute Force an Okta User Account elasticMultiple Okta User Auth Events with Same Device Token Hash Behind a Proxy elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	6	48
`data_stream.dataset`	`eq`	`azure.signinlogs` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted elasticEntra ID User Sign-in with Unusual Authentication Type	4	30
`sourcetype`	`eq`	`azure:monitor:aad` splunkAzure Active Directory High Risk Sign-in splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Successful Authentication From Different Ips splunkAzure AD Unusual Number of Failed Authentications From Ip	6	47
`sourcetype`	`eq`	`XmlWinEventLog:Microsoft-Windows-NTLM/Operational` splunkWindows Multiple NTLM Null Domain Authentications splunkWindows Unusual NTLM Authentication Destinations By Source splunkWindows Unusual NTLM Authentication Destinations By User splunkWindows Unusual NTLM Authentication Users By Destination splunkWindows Unusual NTLM Authentication Users By Source	5	5
`EventID`	`eq`	`4625` splunkMultiple Failed Network Logon Attempts from Host (Windows Event Log) splunkWindows Multiple Users Failed To Authenticate From Process splunkWindows Multiple Users Remotely Failed To Authenticate From Host splunkWindows Unusual Count Of Users Failed To Authenticate From Process splunkWindows Unusual Count Of Users Remotely Failed To Auth From Host	5	15
`EventID`	`eq`	`4768` splunkWindows Multiple Disabled Users Failed To Authenticate Wth Kerberos splunkWindows Multiple Invalid Users Fail To Authenticate Using Kerberos splunkWindows Unusual Count Of Disabled Users Failed Auth Using Kerberos splunkWindows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	4	13
`EventID`	`eq`	`4776` splunkWindows Multiple Invalid Users Failed To Authenticate Using NTLM splunkWindows Multiple Users Failed To Authenticate From Host Using NTLM splunkWindows Unusual Count Of Invalid Users Failed To Auth Using NTLM splunkWindows Unusual Count Of Users Failed To Authenticate Using NTLM	4	5
`EventID`	`eq`	`8004` splunkWindows Unusual NTLM Authentication Destinations By Source splunkWindows Unusual NTLM Authentication Destinations By User splunkWindows Unusual NTLM Authentication Users By Destination splunkWindows Unusual NTLM Authentication Users By Source	4	4
`EventType`	`eq`	`user.session.start` elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	4	8
`EventType`	`eq`	`logon-failed` elasticMultiple Logon Failure Followed by Logon Success elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	3	3
`EventType`	`in`	`ssh_login` elasticPotential External Linux SSH Brute Force Detected elasticPotential Internal Linux SSH Brute Force Detected elasticPotential Password Spraying Attack via SSH elasticPotential Successful SSH Brute Force Attack	4	5
`EventType`	`in`	`user_login` elasticPotential External Linux SSH Brute Force Detected elasticPotential Internal Linux SSH Brute Force Detected elasticPotential Password Spraying Attack via SSH elasticPotential Successful SSH Brute Force Attack	4	5
`EventType`	`starts_with`	`user.authentication.` elasticMultiple Okta User Authentication Events with Same Device Token Hash elasticOkta Successful Login After Credential Attack elasticPotential Okta Password Spray (Multi-Source) elasticPotential Okta Password Spray (Single Source)	4	8
`SChannelName`	`eq`	`*` splunkWindows Unusual NTLM Authentication Destinations By Source splunkWindows Unusual NTLM Authentication Destinations By User splunkWindows Unusual NTLM Authentication Users By Destination splunkWindows Unusual NTLM Authentication Users By Source	4	4
`WorkstationName`	`eq`	`*` splunkWindows Unusual NTLM Authentication Destinations By Source splunkWindows Unusual NTLM Authentication Destinations By User splunkWindows Unusual NTLM Authentication Users By Destination splunkWindows Unusual NTLM Authentication Users By Source	4	4
`category`	`eq`	`SignInLogs` splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Successful Authentication From Different Ips splunkAzure AD Unusual Number of Failed Authentications From Ip	4	12
`properties.authenticationDetails{}.succeeded`	`eq`	`false` splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip	4	5
`properties.status.errorCode`	`eq`	`50126` splunkAzure AD High Number Of Failed Authentications From Ip splunkAzure AD Multi-Source Failed Authentications Spike splunkAzure AD Multiple Users Failing To Authenticate From Ip splunkAzure AD Unusual Number of Failed Authentications From Ip	4	5
`Codename`	`eq`	`Password Spraying` kustoAlsid Password Spraying kustoTenable.ad Password Spraying kustoTIE Password Spraying	3	3
`MessageType`	`eq`	`2` kustoAlsid Password Spraying kustoTenable.ad Password Spraying kustoTIE Password Spraying	3	21
`action`	`eq`	`failure` splunkAWS High Number Of Failed Authentications From Ip splunkAWS Multiple Users Failing To Authenticate From Ip splunkAWS Unusual Number of Failed Authentications From Ip	3	4
`aws::eventName`	`eq`	`ConsoleLogin` splunkAWS High Number Of Failed Authentications From Ip splunkAWS Multiple Users Failing To Authenticate From Ip splunkAWS Unusual Number of Failed Authentications From Ip	3	27
`azure_ad::signin_category`	`in`	`NonInteractiveUserSignInLogs` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted	3	3
`azure_ad::signin_category`	`in`	`SignInLogs` elasticEntra ID Excessive Account Lockouts Detected elasticEntra ID Sign-in Brute Force Attempted (Microsoft 365) elasticEntra ID User Sign-in Brute Force Attempted	3	3

Exclusions (75 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`Status`	`in`	`0xc000005e` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc00000dc` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc0000133` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc000015b` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`Status`	`in`	`0xc0000192` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`TO_IP(source.ip)`	`cidr_match`	`127.0.0.0/8` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`TO_IP(source.ip)`	`cidr_match`	`::1` elasticMultiple Logon Failure from the same Source Address elasticPrivileged Accounts Brute Force	2
`azure.identityprotection.properties.risk_state`	`in`	`confirmedSafe` elasticEntra ID Protection - Risk Detection - Sign-in Risk elasticEntra ID Protection - Risk Detection - User Risk	2
`azure.identityprotection.properties.risk_state`	`in`	`dismissed` elasticEntra ID Protection - Risk Detection - Sign-in Risk elasticEntra ID Protection - Risk Detection - User Risk	2
`azure.identityprotection.properties.risk_state`	`in`	`remediated` elasticEntra ID Protection - Risk Detection - Sign-in Risk elasticEntra ID Protection - Risk Detection - User Risk	2
`src`	`in`	`-` splunkDetect Distributed Password Spray Attempts splunkDetect Password Spray Attempts	2
`src`	`in`	`unknown` splunkDetect Distributed Password Spray Attempts splunkDetect Password Spray Attempts	2
`Esql.o365_audit_LogonError`	`in`	`CmsiInterrupt` elasticM365 Identity User Brute Force Attempted	1
`Esql.o365_audit_LogonError`	`in`	`EntitlementGrantsNotFound` elasticM365 Identity User Brute Force Attempted	1
`Esql.o365_audit_LogonError`	`in`	`InvalidReplyTo` elasticM365 Identity User Brute Force Attempted	1

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Brute Force: Password Spraying `T1110.003`

Events covered

Authoring guide

Fields filtered most (119 distinct)

Top indicator values (238 distinct)

Exclusions (75 distinct)

Rules under this technique

Sigma 1 rule

Elastic 26 rules

Splunk 42 rules

Kusto 7 rules

YARA-L 2 rules

Panther 3 rules

Keyboard shortcuts

Search operators

Brute Force: Password Spraying T1110.003

Events covered

Authoring guide

Fields filtered most (119 distinct)

Top indicator values (238 distinct)

Exclusions (75 distinct)

Rules under this technique

Sigma 1 rule

Elastic 26 rules

Splunk 42 rules

Kusto 7 rules

YARA-L 2 rules

Panther 3 rules

Brute Force: Password Spraying `T1110.003`