What detection methods can defenders use to identify password brute-force attacks on domain users?
Query the user attributes `badPwdCount` (number of bad password attempts) and `lastbadpasswordattempt` (time of the last failed login). On a domain controller, use PowerShell: `Get-ADUser -Filter * -Properties * | select name,lastbadpasswordattempt,badpwdcount`. On a domain-joined host, use PowerView's `Get-NetUser | select name,badpasswordtime,badpwdcount` or a custom C++ tool built on the `NetUserGetInfo` API. For more detection approaches, see the detection section in "Penetration Basics - Obtaining Domain User Password Policies"; for log evasion techniques, see "Penetration Basics - Bypassing SSH Logs".
Tags: detection, badPwdCount, password brute-force, powerview, active directory audit