FalconFriday — Password Spraying with(out) MDI — 0xFF10

Post-Image

FalconFriday — Password Spraying with(out) MDI — 0xFF10

In this FalconFriday, we have two queries that allow you to detect password spraying attacks. We provide one variant for Microsoft Defender for Endpoint (MDE) and one for Microsoft Defender for Identity (MDI). In contrast to the detection that comes built-in with MDI, our MDI rule allows you to tune the sensitivity to your needs.

TL;DR for blue teams: If you don’t have MDI implemented, you can use the MDE variant to detect password spraying using server/endpoint logs. If you do have MDI implemented, you can use this rule to adjust the sensitivity of password spraying detection with MDI. Even if you don’t have MDE and MDI, you can easily adjust this rule to detect password spraying with just the raw SecurityEvents.

TL;DR for red teams: Password spraying can be easily detected by any decent security monitoring solution. If you need to do it anyway, make sure you perform the spray from a burnable host.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-password-spraying-with-out-mdi-0xff10-c9cc260ac04a

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday