Password spraying is a credential access technique that tests a small number of commonly used passwords against many accounts, one password per round, while staying under the account lockout threshold. This lesson explains why the technique works, how the domain password policy shapes attacker decisions, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Password spraying is one of the most reliably productive credential access techniques in AD environments because it exploits a simple reality: in any large organization, some accounts will have weak passwords regardless of the policy.
Understanding password spraying matters because it connects policy enumeration, lockout math, and human password behavior into a single technique. Candidates who can only say 'try common passwords slowly' miss the operational reasoning — the lockout calculation, the target selection, and the business impact of successful sprays.
Password spraying requires a list of valid domain user accounts and knowledge of the domain password policy: the lockout threshold, the observation window after which the bad-password counter resets ("Reset account lockout counter after"), the lockout duration, and the minimum length and complexity rules that candidate passwords must satisfy. The attacker needs network access to a service that accepts domain authentication (LDAP, SMB, Kerberos, OWA, or similar).
Account enumeration can come from LDAP queries (with any domain user), OSINT-derived username lists, or email harvesting. The password policy must be enumerated first to calculate a safe spray rate. Spraying without checking the lockout policy is reckless; it risks locking out accounts across the domain. Note that the default domain policy is not always the whole story: fine-grained password policies (password settings objects) can apply a stricter lockout threshold to specific groups, so the conservative assumption is the tightest policy in scope, not the default.
Reference: MITRE ATT&CK, Brute Force: Password Spraying (T1110.003), which lists procedure examples and detection guidance.
Password spraying works because organizations enforce minimum password requirements, but those minimums are often low enough that common human patterns satisfy them. A policy requiring 8 characters and complexity is met by passwords like 'Summer2024!' or 'Company1!' — patterns that every attacker's wordlist contains. The technique only needs one weak password among hundreds or thousands of accounts to succeed.
By trying one password (or a very small number) at a time across all accounts and waiting for the bad-password counter to reset between rounds, the attacker stays under the lockout threshold of every individual account. The approach inverts brute force: instead of many passwords against one account, it uses few passwords against many accounts. Staying under the lockout threshold is not the same as staying undetected: every failed attempt is still recorded on the domain controllers (event 4625 for logon failures, 4771 for Kerberos pre-authentication failures, 4776 for NTLM credential validation), which is exactly what spray-aware monitoring looks for.
A successful spray yields valid domain credentials — a username and password pair. The impact depends on what the compromised account can access. A standard user account provides an authenticated foothold for further enumeration, Kerberoasting, BloodHound collection, and lateral movement. A service account or administrative account can provide immediate access to sensitive systems.
In many environments, the first spray hit is the initial foothold that enables the entire attack chain. Even when the compromised account is low-privilege, it often provides the domain authentication needed for every subsequent technique.
Password spraying typically occurs early in an engagement, often as the initial access technique or immediately after obtaining a list of valid usernames. It sits at the beginning of the credential access phase and is frequently the technique that provides the first authenticated domain foothold.
The password policy enumeration step directly precedes it — the attacker calculates the safe spray rate from the lockout settings before attempting a single password. After a successful spray, the attacker pivots to enumeration (BloodHound, group membership, SPN enumeration) and further credential access techniques (Kerberoasting, LSASS extraction).
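The lockout math described above and in the earlier "why it works" passage is easy to state and easy to get wrong under time pressure. The following is an added example, not tooling from the original lesson: it takes policy values as they would be read from `net accounts /domain` or `Get-ADDefaultDomainPasswordPolicy` (the values themselves are constructed here), derives how many guesses per account fit inside one observation window without reaching the threshold, filters Season+Year+Symbol and Company+Number candidates against the length and 3-of-4 character-class rule, and lays the candidates out in rounds separated by a full reset window. The safety margin parameter and the company name are assumptions chosen for illustration.

```python
"""Spray-rate planning from an enumerated AD password policy (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed values in the shape returned by `net accounts /domain`."""
    min_length: int
    complexity_enabled: bool
    lockout_threshold: int        # 0 means account lockout is disabled
    lockout_observation_min: int  # "Reset account lockout counter after" (minutes)


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Length check plus the Windows 3-of-4 class rule (upper/lower/digit/special).

    The samAccountName/displayName substring rule is omitted because it is
    per-user, while a spray uses one candidate against every account.
    """
    if len(password) < policy.min_length:
        return False
    if not policy.complexity_enabled:
        return True
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return sum(1 for c in classes if c) >= 3


def candidate_passwords(company: str, years, policy: PasswordPolicy) -> list[str]:
    """Common human patterns, deduplicated and filtered to what the policy accepts."""
    seasons = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
    raw = []
    for y in years:
        for s in seasons:
            raw += [f"{s}{y}", f"{s}{y}!", f"{s}{y}@"]
        raw += [f"{company}{y}", f"{company}{y}!"]
    raw += [f"{company}1", f"{company}1!", f"{company}123", f"{company}123!",
            "Password1", "Password1!", "Welcome1", "Welcome1!"]
    seen, out = set(), []
    for p in raw:
        if p not in seen and meets_policy(p, policy):
            seen.add(p)
            out.append(p)
    return out


def safe_attempts_per_window(policy: PasswordPolicy, margin: int = 1):
    """Guesses per account per observation window that cannot lock anyone out.

    Lockout fires when badPwdCount reaches the threshold, so attacker guesses
    plus `margin` (room for the user's own typos) must stay strictly below it.
    Returns None when lockout is disabled and 0 when spraying is not safe.
    """
    if policy.lockout_threshold == 0:
        return None
    return max(policy.lockout_threshold - 1 - margin, 0)


def spray_schedule(passwords: list[str], policy: PasswordPolicy, margin: int = 1,
                   buffer_min: int = 5) -> list[tuple[list[str], int]]:
    """Group candidates into rounds; each round is followed by a wait of one full
    observation window plus a buffer so the counter has reset before the next."""
    per_window = safe_attempts_per_window(policy, margin)
    if per_window is None:
        return [(list(passwords), 0)]
    if per_window == 0:
        raise ValueError("lockout threshold too low to spray without lockouts")
    rounds = []
    for i in range(0, len(passwords), per_window):
        chunk = passwords[i:i + per_window]
        last = i + per_window >= len(passwords)
        rounds.append((chunk, 0 if last else policy.lockout_observation_min + buffer_min))
    return rounds


def total_wait_minutes(schedule) -> int:
    return sum(wait for _, wait in schedule)


if __name__ == "__main__":
    # Policy values match the finding later in this lesson: 8 chars, complexity on,
    # threshold 5, reset after 30 minutes.
    policy = PasswordPolicy(8, True, 5, 30)
    cands = candidate_passwords("Contoso", [2024], policy)
    print(f"{len(cands)} policy-compliant candidates, "
          f"{safe_attempts_per_window(policy)} guesses per account per window")
    for n, (chunk, wait) in enumerate(spray_schedule(cands, policy), 1):
        print(f"round {n}: {chunk} then wait {wait} min")
```

With threshold 5 and a one-guess margin the planner allows three guesses per account per 30-minute window, which is the rate the report finding at the end of this lesson used. If a fine-grained policy lowers the threshold to 2, the same code returns 0 and refuses to produce a schedule rather than guessing.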
Password spraying tests a small number of commonly used passwords against many accounts, staying under the lockout threshold. The key is that it inverts brute force — instead of many passwords against one account, it uses one password against many accounts, so no individual account triggers a lockout. Before spraying, I enumerate the domain password policy to calculate the safe spray rate from the lockout threshold and reset counter.
The passwords I choose match the policy requirements while following common human patterns — Season+Year+Symbol, Company+Number — because those are the patterns that real users actually set. A successful spray often provides the initial authenticated foothold that enables every subsequent technique.
The operational discipline is what separates a productive spray from a mass lockout incident: policy knowledge, spray timing, and target selection all matter.
Password spraying is a technique where an attacker tries a small number of commonly used passwords — like 'Summer2024!' — against every employee account in your organization, staying just under the threshold that would trigger account lockouts.
The risk is that in any organization with hundreds or thousands of accounts, some will have predictable passwords that match common patterns, and it only takes one successful login to give the attacker an employee-level foothold. From that foothold, they can access internal systems and escalate further. The most effective defenses are a longer minimum password length combined with a banned-password list (length alone does not stop 'Summer2024!!!!'), multi-factor authentication (which blocks password-only access), and monitoring that detects the distributed pattern of many different accounts failing authentication from the same source in a narrow window, as opposed to one account failing many times.
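The monitoring described above distinguishes a spray (many accounts, one or two failures each) from a classic brute force (one account, many failures). The following is an added example, not part of the original lesson: it runs that logic over a constructed set of logon-failure records modelled on the fields a domain controller emits in event 4625 (time, IpAddress, TargetUserName, SubStatus). The line format, IP addresses, account names, and the 10-minute window, 10-account, and 3-failure thresholds are all assumptions chosen for illustration; a real deployment would tune them to the environment's baseline.

```python
"""Spray vs. brute-force classification over constructed logon failures (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LogonFailure:
    when: datetime
    source_ip: str   # 4625 IpAddress (4771 Client Address for Kerberos)
    account: str     # 4625 TargetUserName
    status: str      # 0xC000006A = wrong password, 0xC0000064 = unknown user


def parse_line(line: str) -> LogonFailure:
    """Line format is this example's own: '<iso8601> <ip> <account> <status>'."""
    ts, ip, account, status = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return LogonFailure(when, ip, account.lower(), status)


def build_sample_log() -> list[str]:
    """Constructed data, not a real capture: one spraying host, one brute-forcing
    host, and two users who merely mistyped their passwords."""
    t0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):  # spray: 40 distinct accounts, one failure each, ~4 minutes
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).isoformat()} "
                     f"10.10.20.15 user{i:03d} 0xC000006A")
    for i in range(30):  # brute force: 30 failures against a single account
        lines.append(f"{(t0 + timedelta(seconds=10 * i)).isoformat()} "
                     f"10.10.30.7 svc_backup 0xC000006A")
    for ip, user in (("10.10.40.21", "bob"), ("10.10.40.22", "carol")):
        for i in range(2):  # benign typos from the users' own workstations
            lines.append(f"{(t0 + timedelta(minutes=1, seconds=30 * i)).isoformat()} "
                         f"{ip} {user} 0xC000006A")
    return lines


def detect(events, window=timedelta(minutes=10), min_accounts=10,
           max_per_account=3, bruteforce_min=10) -> list[dict]:
    """Per source IP, slide a window over its failures and classify the densest one.

    password_spray: >= min_accounts distinct accounts, no account above max_per_account
    brute_force:    >= bruteforce_min failures concentrated on at most two accounts
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source_ip].append(e)

    alerts = []
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e.when)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1
            counts = defaultdict(int)
            for e in evs[start:end + 1]:
                counts[e.account] += 1
            cand = (len(counts), end - start + 1, max(counts.values()),
                    evs[start].when, evs[end].when)
            if best is None or cand[:2] > best[:2]:
                best = cand
        distinct, total, peak, first, last = best
        if distinct >= min_accounts and peak <= max_per_account:
            kind = "password_spray"
        elif total >= bruteforce_min and distinct <= 2:
            kind = "brute_force"
        else:
            continue
        alerts.append({"source_ip": ip, "kind": kind, "distinct_accounts": distinct,
                       "failures": total, "max_per_account": peak,
                       "first": first, "last": last})
    return alerts


def run() -> dict:
    """Returns {source_ip: classification} for the constructed sample."""
    events = [parse_line(line) for line in build_sample_log()]
    return {a["source_ip"]: a["kind"] for a in detect(events)}


if __name__ == "__main__":
    for a in detect([parse_line(l) for l in build_sample_log()]):
        print(f"{a['kind']:15} {a['source_ip']:12} accounts={a['distinct_accounts']} "
              f"failures={a['failures']} peak/account={a['max_per_account']}")
```

Two caveats a practitioner would add: a spray paced at one password per 30-minute reset window leaves only one failure per account per window, so the detection window must be at least as long as the attacker's round, and a spray launched from rotating cloud addresses defeats per-source grouping, which is why correlating on the distinct-account count alone (regardless of source) is a useful second rule.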
Finding: Successful Password Spray Against Domain User Accounts. During the assessment, the operator enumerated the domain password policy (minimum length: 8 characters, complexity enabled, lockout threshold: 5, reset counter: 30 minutes) and performed a controlled password spray using three commonly patterned passwords against 1,247 enabled user accounts. The spray recovered valid credentials for four accounts, including one service account (svc_reports) with local administrator access on two application servers. The spray was conducted within the lockout policy constraints with zero account lockouts.
Severity: High.
Recommendation: Reset the four recovered credentials immediately, starting with svc_reports, and review its local administrator rights on the two application servers. Increase the minimum password length to 14 characters and deploy a banned-password list to remove Season+Year and Company+Number patterns. Deploy MFA on all authentication endpoints. Implement spray-aware monitoring that detects distributed authentication failures across many accounts rather than only repeated failures against one account.