
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Splunk Security Content

Summary
This detection identifies potential password spraying, and more precisely the account enumeration that usually precedes it, against a Windows domain over the Kerberos authentication protocol. It looks for a single source endpoint that requests Kerberos tickets (TGTs) for an unusually large number of distinct domain users that do not exist, as recorded by Windows Security Event ID 4768 with failure code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, "client not found in Kerberos database"). Because the KDC returns 0x6 before any password is checked, a burst of such failures from one host is a strong signal that an attacker is working through a username list to find valid accounts before spraying credentials against them. In normal operation a single source rarely fails authentication for many different accounts within a short window, so this behaviour may indicate malicious intent and can be a precursor to unauthorized access or privilege escalation in Active Directory. The rule flags a source whose count of distinct invalid users in a time window stands out against that source's own baseline; tune the window and threshold to your environment, and expect benign outliers from vulnerability scanners, identity-sync jobs and hosts that still reference renamed or deleted service accounts. To implement the rule, the "Audit Kerberos Authentication Service" subcategory (Account Logon category) must be enabled on Domain Controllers and their Security event logs must be ingested into the monitoring platform, since 4768 is only written by the KDC.
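The following is an added example, not the rule's own Splunk search, that replays the detection logic described above over constructed 4768 records: keep only failure code 0x6, count distinct accounts per source and time window, compute a per-source baseline and flag windows that exceed both an absolute floor and the baseline. The window size (two minutes), the floor of ten accounts and the three-standard-deviation threshold are assumptions chosen for illustration, and all events, hosts and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Kerberos failure code carried in Event ID 4768: the requested client
# principal does not exist in the KDC's database (returned before any
# password check, so it reveals account enumeration rather than bad passwords).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample records modelled on 4768 fields (not real telemetry):
# (TimeCreated, IpAddress, TargetUserName, Status).
SAMPLE_EVENTS = [
    # 10.1.1.5: a helpdesk host with occasional typos, plus one success.
    ("2024-11-13T09:00:10+00:00", "10.1.1.5", "jsmith2", "0x6"),
    ("2024-11-13T09:01:40+00:00", "10.1.1.5", "j.smith", "0x6"),
    ("2024-11-13T09:02:05+00:00", "10.1.1.5", "jsmith", "0x0"),
    ("2024-11-13T09:10:05+00:00", "10.1.1.5", "mjones.", "0x6"),
    ("2024-11-13T09:10:45+00:00", "10.1.1.5", "MJONES.", "0x6"),  # same name, different case
    ("2024-11-13T09:20:15+00:00", "10.1.1.5", "adm_lee", "0x6"),
    # 10.1.1.77: one host walking a username wordlist inside a single window.
    ("2024-11-13T09:15:00+00:00", "10.1.1.77", "administrator", "0x18"),  # exists, wrong password
] + [
    ("2024-11-13T09:15:%02d+00:00" % (3 * i), "10.1.1.77", name, "0x6")
    for i, name in enumerate([
        "backup", "svc_sql", "helpdesk", "it.admin", "ftp", "test", "guest2",
        "printer", "scanner", "vpn", "intern", "contractor", "hr.admin", "finance",
    ])
]


def window_start(ts: str, window_seconds: int) -> str:
    """Floor an ISO-8601 timestamp to the start of its fixed-size window (UTC)."""
    epoch = datetime.fromisoformat(ts).timestamp()
    start = int(epoch // window_seconds) * window_seconds
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def detect(events, window_seconds=120, min_accounts=10, sigma=3.0):
    """Return windows where a source tried an unusual number of unknown accounts.

    A (src, window) fires when its distinct-account count is above the absolute
    floor `min_accounts` AND at or above mean + sigma * stdev of that source's
    per-window counts. Assumed parameters; they are not the original rule's.
    """
    # Step 1 and 2: keep only 0x6 failures and collect distinct accounts
    # per (source, window). Names are lower-cased so case variants count once.
    tried = defaultdict(set)
    for ts, src, user, status in events:
        if status != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        tried[(src, window_start(ts, window_seconds))].add(user.lower())

    # Step 3: regroup by source to build each source's own baseline.
    per_src = defaultdict(dict)
    for (src, win), users in tried.items():
        per_src[src][win] = users

    findings = []
    for src, windows in per_src.items():
        counts = [len(users) for users in windows.values()]
        # pstdev of a single window is 0.0, so a source seen only once is
        # judged by the absolute floor alone (a known weak spot of this shape).
        upper = mean(counts) + sigma * pstdev(counts)
        for win, users in sorted(windows.items()):
            n = len(users)
            if n > min_accounts and n >= upper:
                findings.append({
                    "src": src,
                    "window_start": win,
                    "unique_accounts": n,
                    "tried_accounts": sorted(users),
                })
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["src"], hit["window_start"], hit["unique_accounts"], hit["tried_accounts"])
```

Run as-is, the helpdesk host never crosses the floor (at most two distinct typos per window), while the wordlist host produces fourteen distinct unknown accounts in the 09:14 to 09:16 window and is the only finding; the administrator attempt with status 0x18 is ignored because a wrong password for an existing account is a different signal. Note that a source with a single observed window has a standard deviation of zero, so the baseline collapses to that window's own count and only the absolute floor protects against false positives; a production rule needs enough history per source for the baseline to mean anything.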
Categories
  • Endpoint
  • Windows
  • Identity Management
  • Cloud
Data Sources
  • Windows Event Log Security 4768
ATT&CK Techniques
  • T1110
  • T1110.003
Created: 2024-11-13