
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Splunk Security Content
Summary
This detection rule identifies potential password spraying against disabled domain accounts in a Windows Active Directory environment, where a single source attempts Kerberos authentication against many disabled accounts. It analyzes Windows Security Event 4768, the Kerberos authentication ticket (TGT) request event, focusing on failures where the failure code `0x12` indicates that the client's credentials have been revoked. The rule triggers when a single endpoint fails to authenticate with 30 unique disabled users within a 5-minute window, which suggests coordinated attempts to access accounts that should be disabled. Such activity may indicate malicious behavior and, if the attacker succeeds, could lead to unauthorized access or escalation of privileges.
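As an added illustration, not Splunk's own search or code, the rule's aggregation logic in Python over constructed 4768-style records: keep only Status `0x12`, bin events per source IP into fixed 5-minute windows, and alert when one bin contains 30 or more distinct target users. The field names mirror the Windows Security event fields (`TargetUserName`, `IpAddress`, `Status`); the timestamps, user names and IP addresses are constructed sample data.

```python
from collections import defaultdict

BASE = 1_731_499_800  # constructed epoch timestamp, aligned to a 5-minute boundary


def _ev(t, user, ip, status="0x12", code=4768):
    """Build one constructed record with the 4768 fields the rule relies on."""
    return {"_time": t, "EventCode": code, "TargetUserName": user,
            "IpAddress": ip, "Status": status}


SAMPLE_EVENTS = (
    # one host hits 30 distinct disabled accounts within about a minute
    [_ev(BASE + i, f"olduser{i:02d}", "10.0.0.5") for i in range(30)]
    # the same host retries one more disabled account ten times: counts once
    + [_ev(BASE + 40 + i, "svc_legacy", "10.0.0.5") for i in range(10)]
    # bad-password failures (0x18) from another host are out of scope for this rule
    + [_ev(BASE + 5, f"user{i}", "10.0.0.9", status="0x18") for i in range(40)]
    # a host with only a handful of revoked-account failures stays under threshold
    + [_ev(BASE + 100 + i, f"olduser{i:02d}", "10.0.0.7") for i in range(5)]
)


def detect_disabled_user_spray(events, threshold=30, span=300):
    """Return one alert per (source IP, window) whose distinct count of
    revoked-credential (0x12) target users reaches `threshold`.
    Windows are fixed `span`-second bins, like Splunk's `bin _time span=5m`."""
    buckets = defaultdict(set)  # (IpAddress, bucket_start) -> {TargetUserName}
    for e in events:
        if e["EventCode"] != 4768 or e["Status"].lower() != "0x12":
            continue
        bucket_start = (e["_time"] // span) * span
        buckets[(e["IpAddress"], bucket_start)].add(e["TargetUserName"])
    return [
        {"src": ip, "window_start": start,
         "unique_disabled_users": len(users), "users": sorted(users)}
        for (ip, start), users in sorted(buckets.items())
        if len(users) >= threshold
    ]


if __name__ == "__main__":
    for alert in detect_disabled_user_spray(SAMPLE_EVENTS):
        print(f"{alert['src']} window@{alert['window_start']}: "
              f"{alert['unique_disabled_users']} unique disabled users")
```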
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
ATT&CK Techniques
- T1110
- T1110.003
Created: 2024-11-13