One Day Sec

How can defenders detect LDAP-based brute-force attempts against domain user passwords?

Defenders can monitor the `lastbadpasswordattempt` attribute in domain user properties, which records the timestamp of the last incorrect login. Anomalous patterns in this attribute across multiple users may indicate a password spraying attack. Additionally, enabling logging on the domain controller for LDAP bind failures (error 0x209A or “Invalid credentials”) and correlating with high `badPwdCount` values can help identify ongoing brute-force activity.
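The correlation described above, as an added example that is not part of the original answer: it flags a burst of distinct accounts whose `lastbadpasswordattempt` falls inside one short window (the spraying pattern) and separately lists accounts with a high `badPwdCount`. The record layout, function names, thresholds and sample rows are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample export: (account, lastbadpasswordattempt, badPwdCount).
# Values are illustrative, not taken from a real directory.
SAMPLE = [
    ("alice",   "2024-05-01T09:00:02", 1),
    ("bob",     "2024-05-01T09:00:05", 1),
    ("carol",   "2024-05-01T09:00:09", 1),
    ("dave",    "2024-05-01T09:00:14", 2),
    ("erin",    "2024-04-28T17:42:10", 1),
    ("svc_sql", "2024-05-01T03:15:40", 14),
    ("frank",   None, 0),  # no bad attempt recorded
]

def parse(records):
    """Drop accounts with no recorded failure and sort by timestamp."""
    rows = [(datetime.fromisoformat(ts), user, count)
            for user, ts, count in records if ts]
    return sorted(rows)

def spray_clusters(records, window=timedelta(minutes=5), min_users=4):
    """Groups of distinct users whose last bad attempt falls within one window."""
    rows = parse(records)
    clusters, start = [], 0
    for end in range(len(rows)):
        while rows[end][0] - rows[start][0] > window:
            start += 1  # slide the window forward
        users = {u for _, u, _ in rows[start:end + 1]}
        if len(users) >= min_users:
            # Merge with the previous cluster when the windows overlap.
            if clusters and clusters[-1] & users:
                clusters[-1] |= users
            else:
                clusters.append(set(users))
    return [sorted(c) for c in clusters]

def brute_force_candidates(records, threshold=10):
    """Accounts whose badPwdCount suggests repeated guessing at one user."""
    return sorted(u for u, ts, c in records if ts and c >= threshold)
```

Both values are maintained per domain controller and are not replicated, so the export should combine the readings from every DC before this check is run.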