9.Internal Password Spraying - from Windows

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue

Mitigations:

  • Enable Multi-Factor Authentication (MFA): Protects against unauthorized access.

  • Enforce Least Privilege & Network Segmentation: Restrict access to necessary resources.

  • Use Strong Password Policies & Filters: Prevent weak password usage.

  • Separate Admin & User Accounts: Reduce risk of privilege escalation.

Detection:

Monitor logs for suspicious activity:

  • Event ID 4625: Failed Logon Attempts

  • Event ID 4771: Kerberos Pre-Authentication Failures

External Password Spraying Targets:

  • Microsoft 365, Outlook Web Exchange

  • RDS Portals, Citrix, VMware Horizon

  • VPN Portals (Fortinet, SonicWall, OpenVPN)

  • Custom Web Apps using AD Authentication

Previous8. Internal Password Spraying - from LinuxNext5.Deeper Down the Rabbit Hole

Last updated