
Identity detection support for CrowdStrike EDR

Red Canary has now enabled advanced threat detection support for CrowdStrike endpoint logon telemetry for all CrowdStrike EDR customers.

Laura Hamel

Red Canary has now enabled Advanced Threat Detection support for CrowdStrike endpoint logon telemetry for all CrowdStrike EDR customers at no additional charge. This expanded support allows Red Canary to ingest, normalize, and investigate logon telemetry from CrowdStrike Falcon agents. This new visibility gives Red Canary the ability to detect brute forcing and other identity-based threats from the CrowdStrike agents you already have deployed in your environment. 

Endpoint logon telemetry is a welcome addition for Red Canary customers, as it provides an additional layer of security to help protect against identity-based threats. By detecting these types of attacks, organizations can take swift action to mitigate the risk and prevent damage to their systems and data.

In today’s digital landscape, the importance of detecting and protecting against identity-based threats cannot be overstated. By leveraging Red Canary’s advanced threat detection capabilities, CrowdStrike EDR customers can have greater peace of mind knowing that their systems and data are protected against these types of attacks.

Examples of identity threats detected by Red Canary:

  • Identity brute force spray hosts
  • Identity brute force single host
  • Identity public IP local admin logon
  • Identity public IP RDP logon
  • Identity RDP brute force

Identity brute force spray hosts

An adversary attempts to gain access to a target system or account by guessing its login credentials, typically by trying a large number of username and password combinations in rapid succession until one works. In the context of "spraying" hosts, the same source makes these attempts against many hosts at once rather than concentrating on a single target. This lets the adversary discover valid credentials for multiple systems more quickly, and, because the failures are spread across hosts, it can keep the per-host failure count low enough to stay under a threshold that only watches one host at a time.

Identity brute force single host

Here the adversary's focus is on a single target rather than many. The adversary attempts to gain access to one specific system or account by trying a large number of username and password combinations in rapid succession until the correct combination is found, which shows up as a burst of failed logons against one host from one source.

Identity public IP local admin logon

A logon to a local administrator account whose source is a public, internet-routable IP address rather than an address inside the organization's network. Local administrator accounts should rarely, if ever, be used over the internet, so a successful logon of this kind, whether the credentials were guessed, stolen, or reused from another breach, is a strong signal that an adversary has gained access to the host and can perform malicious actions on it.

Identity public IP RDP logon

A Remote Desktop Protocol (RDP) logon whose source is a public IP address. RDP sessions should normally be reached through a VPN or a gateway, not directly from the internet, so a successful RDP logon from a public source suggests either an exposed RDP service that an adversary has guessed or obtained credentials for, or a remote access path the organization did not intend. On Windows hosts an RDP session is recorded as logon type 10 (RemoteInteractive), which is the field that separates this analytic from the local admin logon above.

Identity RDP brute force

An identity RDP brute force attack is one in which the adversary attempts to gain access to a target system or account by repeatedly guessing credentials against its Remote Desktop Protocol (RDP) service. It is the single-host brute force pattern above restricted to RDP logons, and an exposed RDP service is often where the other four patterns begin.
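To show how the five analytics above separate on logon telemetry, here is an added example, not Red Canary's or CrowdStrike's detection logic, that runs toy versions of them over a constructed set of normalized logon events. The field names (ts, host, user, src_ip, logon_type, success), the account name used to identify local administrators, the 20-failures-in-5-minutes threshold, and the TEST-NET addresses standing in for internet sources are all assumptions made for the example.

```python
"""Toy versions of the five identity analytics, run over constructed,
normalized logon events.  The schema, thresholds, and sample data are
assumptions for this example, not CrowdStrike's telemetry format."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon type 10 is RemoteInteractive, i.e. an RDP / Terminal Services session.
RDP_LOGON_TYPE = 10
# Anything outside these ranges is treated as "public".  The TEST-NET
# documentation prefixes in the sample stand in for internet sources; they are
# listed explicitly here because ipaddress.is_private would call them private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
LOCAL_ADMIN_ACCOUNTS = {"administrator"}   # assumed naming for the example


def is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_brute_force(events, window=timedelta(minutes=5), threshold=20,
                       rdp_only=False):
    """Group failed logons by source IP and look for `threshold` failures inside
    any `window`.  One alert per source; the analytic name depends on whether
    the burst hit one host or several, or (rdp_only) only RDP logons."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["success"] or (rdp_only and e["logon_type"] != RDP_LOGON_TYPE):
            continue
        failures[e["src_ip"]].append(e)
    alerts = []
    for src_ip, evs in failures.items():
        for i, first in enumerate(evs):
            burst = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            hosts = sorted({x["host"] for x in burst})
            if rdp_only:
                name = "Identity RDP brute force"
            elif len(hosts) > 1:
                name = "Identity brute force spray hosts"
            else:
                name = "Identity brute force single host"
            alerts.append({"detection": name, "src_ip": src_ip,
                           "hosts": hosts, "attempts": len(burst)})
            break
    return alerts


def detect_public_ip_logons(events):
    """Successful logons whose source address is not an internal range."""
    alerts = []
    for e in events:
        if not e["success"] or not is_public_ip(e["src_ip"]):
            continue
        base = {"host": e["host"], "user": e["user"], "src_ip": e["src_ip"]}
        if e["user"].lower() in LOCAL_ADMIN_ACCOUNTS:
            alerts.append({"detection": "Identity public IP local admin logon", **base})
        if e["logon_type"] == RDP_LOGON_TYPE:
            alerts.append({"detection": "Identity public IP RDP logon", **base})
    return alerts


def sample_events():
    """Constructed telemetry: three failure bursts, two suspicious successes,
    and benign noise that must stay below threshold."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = lambda s, host, user, src, lt, ok: {
        "ts": t0 + timedelta(seconds=s), "host": host, "user": user,
        "src_ip": src, "logon_type": lt, "success": ok}
    events = []
    # 25 failures in ~2 minutes against one host: "single host"
    events += [ev(i * 5, "WS-01", "administrator", "203.0.113.7", 3, False) for i in range(25)]
    # 24 failures spread over 8 hosts from one source: "spray hosts"
    events += [ev(i * 5, f"WS-{2 + i % 8:02d}", "svc_backup", "198.51.100.9", 3, False) for i in range(24)]
    # 22 failed RDP (type 10) logons, then a success: "RDP brute force" + "public IP RDP logon"
    events += [ev(i * 10, "RDP-GW", "jdoe", "192.0.2.5", 10, False) for i in range(22)]
    events.append(ev(230, "RDP-GW", "jdoe", "192.0.2.5", 10, True))
    # a successful network logon as the local admin from a public source
    events.append(ev(300, "WS-01", "Administrator", "203.0.113.7", 3, True))
    # benign: three typos from an internal workstation, then success
    events += [ev(i * 30, "FS-01", "asmith", "10.0.0.5", 2, False) for i in range(3)]
    events.append(ev(100, "FS-01", "asmith", "10.0.0.5", 2, True))
    return events


def run_detections(events):
    return (detect_brute_force(events)
            + detect_brute_force(events, rdp_only=True)
            + detect_public_ip_logons(events))


if __name__ == "__main__":
    for alert in run_detections(sample_events()):
        print(alert)
```

Note that the RDP burst from 192.0.2.5 fires twice, once as "single host" from the generic brute force pass and once as "RDP brute force" from the RDP-only pass, which is how overlapping analytics behave in practice and why triage usually groups alerts by source address. The three internal failures from 10.0.0.5 never reach the threshold and produce nothing.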
