Detecting Active Directory Password-Spraying with a Honeypot Account
ID: 81d5e008-7dee-5e7f-ab97-fe86b0cb419a
STIX ID: report--81d5e008-7dee-5e7f-ab97-fe86b0cb419a
Feed Name: TrustedSec blog
This article describes the password-spraying threat and provides pragmatic detection guidance: create honeypot user accounts, enable/route relevant Windows Security and Kerberos audit events (e.g., 4624, 4625, 4768, 4769, 4771), and monitor those accounts to detect successful or failed logons indicative of password-spraying with minimal false positives.
