Organizations should ensure their SIEMs are properly ingesting logs and events from all externally-facing applications, such as VPNs (virtual private networks), cloud applications, single sign-on (SSO) and identity providers (IdP). They should also test their Windows servers and Active Directory.
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users on a domain (from dafthack on GitHub).
Here’s an example from our engineering/security team at Blumira on how to test your password spraying detection for Windows OS/Active Directory, using DomainPasswordSpray:
Note: There is a risk of account lockout associated with running this test, something to keep in mind if you get notified after testing your SIEM. Additionally, Blumira’s detection requires at least 30 users to test this detection against. We recommend pulling a list of around 100 users and then saving as usernames.txt for the sake of ease.
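What the SIEM should trigger on after such a test is the spray pattern itself: one source failing logons for many distinct accounts in a short window, which looks nothing like a single account being brute-forced or a user mistyping a password. The script below is an added example of that detection logic written for this article; it is not Blumira's detection and not part of DomainPasswordSpray. It runs over a constructed sample of Windows Security Event ID 4625 (failed logon) records, uses the 30-distinct-account threshold the note above mentions as its default (an assumption about how to turn that figure into a rule, not Blumira's actual rule), and also pulls out the accounts the test locked, since lockout is the side effect the note warns about.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4625 (failed logon) records,
# reduced to the fields the detector needs. These are not real log data.
BASE = datetime(2024, 1, 15, 9, 0, 0)


def _event(seconds, user, source, sub_status="0xC000006A"):
    """Build one 4625-style record. 0xC000006A is the documented 'wrong
    password' sub-status; 0xC0000234 is 'account currently locked out'."""
    return {
        "event_id": 4625,
        "time": BASE + timedelta(seconds=seconds),
        "target_user": user,
        "source_ip": source,
        "sub_status": sub_status,
    }


SAMPLE_EVENTS = (
    # Spray pattern: one source, 35 distinct accounts, one failure each, ~3 min.
    [_event(5 * i, f"user{i:03d}", "10.0.0.50") for i in range(35)]
    # Brute-force pattern: one source hammering a single account (not a spray),
    # ending in a lockout event for that account.
    + [_event(2 * i, "svc_backup", "10.0.0.77") for i in range(40)]
    + [_event(82, "svc_backup", "10.0.0.77", "0xC0000234")]
    # Benign noise: a user mistyping a password twice from a workstation.
    + [_event(100, "jdoe", "10.0.1.20"), _event(130, "jdoe", "10.0.1.20")]
)


def detect_password_spray(events, min_users=30, window=timedelta(minutes=10)):
    """Return one alert per source IP that fails logons for at least
    `min_users` distinct accounts inside any sliding window of length `window`.

    The test is on distinct target accounts, not on attempt count, so a
    brute force against one account never trips it. The alert reports the
    window with the highest distinct-account count seen for that source.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_source[ev["source_ip"]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        users_in_window = Counter()  # target_user -> failures inside the window
        start = 0
        best = None
        for end, ev in enumerate(evs):
            users_in_window[ev["target_user"]] += 1
            # Advance the left edge until the window fits `window` again.
            while ev["time"] - evs[start]["time"] > window:
                old = evs[start]["target_user"]
                users_in_window[old] -= 1
                if users_in_window[old] == 0:
                    del users_in_window[old]
                start += 1
            distinct = len(users_in_window)
            if distinct >= min_users and (best is None or distinct > best["distinct_users"]):
                best = {
                    "source_ip": source,
                    "distinct_users": distinct,
                    "attempts": end - start + 1,
                    "window_start": evs[start]["time"],
                    "window_end": ev["time"],
                }
        if best is not None:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["source_ip"])


def locked_out_accounts(events):
    """Accounts that hit the 0xC0000234 (locked out) sub-status: the side
    effect a spray test can have on real users, worth reporting alongside."""
    return sorted({e["target_user"] for e in events
                   if e["event_id"] == 4625 and e["sub_status"] == "0xC0000234"})


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(f"SPRAY from {alert['source_ip']}: {alert['distinct_users']} accounts, "
              f"{alert['attempts']} failures, {alert['window_start']:%H:%M:%S}"
              f" to {alert['window_end']:%H:%M:%S}")
    print("locked out:", locked_out_accounts(SAMPLE_EVENTS))
```

Against the constructed sample only 10.0.0.50 is reported, with 35 accounts across 35 failures; the 41 failures from 10.0.0.77 stay below the threshold because they all target svc_backup, which is exactly the distinction a spray rule has to make. The two knobs are the distinct-account threshold and the window length; if the test above does not fire, those are the values to compare against what the SIEM rule actually uses.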