T1110.004 Credential Stuffing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackWindow = 1h;
let FailureThreshold = 15;
let AccountThreshold = 5;
// Windows Security Event failed network/remote-interactive logons
let WindowsStuffing = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4625
| where LogonType in (3, 10)
| where isnotempty(IpAddress) and IpAddress != "-" and IpAddress != "127.0.0.1" and IpAddress != "::1"
| summarize
    FailureCount = count(),
    UniqueTargetAccounts = dcount(TargetUserName),
    AccountSample = make_set(TargetUserName, 10),
    TargetHosts = make_set(Computer, 5),
    SubStatusCodes = make_set(SubStatus, 5),
    FirstAttempt = min(TimeGenerated),
    LastAttempt = max(TimeGenerated)
    by SourceIP = IpAddress, WorkstationName
| where FailureCount >= FailureThreshold and UniqueTargetAccounts >= AccountThreshold;
// Azure AD sign-in failures (cloud credential stuffing)
let AzureStuffing = SigninLogs
| where TimeGenerated > ago(LookbackWindow)
| where ResultType in ("50126", "50053", "50055", "50056", "50057", "50034", "70008", "81016")
| where isnotempty(IPAddress)
| summarize
    FailureCount = count(),
    UniqueTargetAccounts = dcount(UserPrincipalName),
    AccountSample = make_set(UserPrincipalName, 10),
    AppSample = make_set(AppDisplayName, 5),
    UserAgents = make_set(UserAgent, 5),
    FirstAttempt = min(TimeGenerated),
    LastAttempt = max(TimeGenerated)
    by SourceIP = IPAddress
| where FailureCount >= FailureThreshold and UniqueTargetAccounts >= AccountThreshold;
// Successful logon from same source IP — critical indicator that a stuffed pair succeeded
let SuccessAfterFailure = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4624
| where LogonType in (3, 10)
| where isnotempty(IpAddress) and IpAddress != "-"
| summarize
    SuccessCount = count(),
    SuccessAccounts = make_set(TargetUserName, 10)
    by SuccessSourceIP = IpAddress;
union
  (WindowsStuffing
   | join kind=leftouter SuccessAfterFailure on $left.SourceIP == $right.SuccessSourceIP
   | extend
       DataSource = "Windows Security Events",
       StuffingSuccess = isnotempty(SuccessCount),
       Severity = iff(isnotempty(SuccessCount), "Critical", "High")
   | project
       TimeGenerated = LastAttempt, SourceIP, DataSource, FailureCount,
       UniqueTargetAccounts, AccountSample, TargetHosts, SubStatusCodes,
       FirstAttempt, LastAttempt, StuffingSuccess, SuccessAccounts, Severity),
  (AzureStuffing
   | extend
       DataSource = "Azure AD SigninLogs",
       StuffingSuccess = false,
       Severity = "High",
       TargetHosts = dynamic([]),
       SubStatusCodes = dynamic([]),
       SuccessAccounts = dynamic([])
   | project
       TimeGenerated = LastAttempt, SourceIP, DataSource, FailureCount,
       UniqueTargetAccounts, AccountSample, TargetHosts, SubStatusCodes,
       FirstAttempt, LastAttempt, StuffingSuccess, SuccessAccounts, Severity)
| sort by StuffingSuccess desc, FailureCount desc

high severity high confidence

Data Sources

Logon Session: Logon Session Creation Logon Session: Logon Session Metadata Application Log: Application Log Content Windows Security Event ID 4625 Windows Security Event ID 4624 Azure AD SigninLogs

Required Tables

SecurityEvent SigninLogs

False Positives

Misconfigured service accounts with expired or incorrect credentials repeatedly attempting authentication against multiple systems simultaneously — will appear as high-volume failures from a single host IP
Azure AD Connect or third-party directory sync tools (Okta, OneLogin) generating batched authentication failures during sync interruptions or object mismatches
Authenticated security scanners (Nessus, Qualys, Rapid7) running credential-based assessments from a dedicated scan IP against multiple systems
Load balancers, NAT gateways, or reverse proxies that masquerade multiple users behind a single egress IP, making unrelated individual user failures aggregate as a single-IP attack
Helpdesk or IT staff testing account lockout/reset workflows by deliberately triggering failures across multiple test accounts from their workstation

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624)
| eval src_ip=coalesce(Source_Network_Address, src_ip, IpAddress)
| eval target_user=coalesce(Target_User_Name, user, TargetUserName)
| eval logon_type_val=coalesce(Logon_Type, logon_type, "0")
| where logon_type_val IN ("3", "10")
| where isnotnull(src_ip) AND src_ip!="" AND src_ip!="-" AND src_ip!="127.0.0.1" AND src_ip!="::1"
| bin _time span=1h
| stats
    sum(eval(if(EventCode=4625, 1, 0))) as FailureCount,
    sum(eval(if(EventCode=4624, 1, 0))) as SuccessCount,
    dc(eval(if(EventCode=4625, target_user, null()))) as UniqueFailedAccounts,
    values(eval(if(EventCode=4625, target_user, null()))) as FailedAccountSample,
    values(eval(if(EventCode=4624, target_user, null()))) as SuccessAccounts
    by _time, src_ip, host
| where FailureCount >= 15 AND UniqueFailedAccounts >= 5
| eval StuffingSuccess=if(SuccessCount > 0, "TRUE", "FALSE")
| eval Severity=if(StuffingSuccess="TRUE", "CRITICAL", "HIGH")
| eval AttackRate=round(FailureCount / 15.0, 1) . " attempts per 15-min block (approx)"
| table _time, src_ip, host, FailureCount, UniqueFailedAccounts, FailedAccountSample, SuccessCount, SuccessAccounts, StuffingSuccess, Severity, AttackRate
| sort - StuffingSuccess FailureCount

high severity high confidence

Data Sources

Logon Session: Logon Session Creation Windows Security Event ID 4625 Windows Security Event ID 4624

Required Sourcetypes

WinEventLog:Security

False Positives

Service accounts with stale cached credentials authenticating against many systems simultaneously during a password rotation event
Security scanner hosts running authenticated network audits from a single source IP across multiple targets
VPN concentrators or Citrix NetScalers proxying multiple users behind a shared egress IP, aggregating individual failures
Batch testing by helpdesk staff deliberately testing lockout/unlock flows across multiple test accounts
SSO federation services performing health checks or token validation attempts that log as individual account failures

Elastic Security (EQL)

eql

sequence by source.ip with maxspan=1h
  [authentication where
    event.category == "authentication" and
    event.outcome == "failure" and
    winlog.event_data.LogonType in ("3", "10") and
    source.ip != null and
    source.ip != "127.0.0.1" and
    source.ip != "::1"] with runs=15
  [authentication where
    event.category == "authentication" and
    event.outcome == "success" and
    winlog.event_data.LogonType in ("3", "10")]

critical severity high confidence

Data Sources

Windows Security Event Log (via Elastic Agent System integration or Winlogbeat)

Required Tables

logs-system.security-* .ds-logs-system.security-* winlogbeat-*

False Positives

IT automation or software deployment platforms (e.g., Ansible, SCCM) performing bulk authenticated operations against many endpoints from a single orchestration server, generating network logon failures for unreachable hosts before establishing valid sessions
Legacy batch scripts using shared service accounts on jump hosts that serially authenticate to dozens of target systems, producing high failure volume across multiple target account names from one source IP
Vulnerability scanners or endpoint compliance tools running authenticated SMB/WMI checks across subnets, triggering clustered logon failures then successes from the scanner IP

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  SUM(CASE WHEN QIDNAME(qid) LIKE '%4625%' THEN 1 ELSE 0 END) AS FailureCount,
  SUM(CASE WHEN QIDNAME(qid) LIKE '%4624%' THEN 1 ELSE 0 END) AS SuccessCount,
  COUNT(DISTINCT username) AS UniqueTargetAccounts,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstAttempt,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastAttempt,
  LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 192)
  AND (QIDNAME(qid) LIKE '%4625%' OR QIDNAME(qid) LIKE '%4624%')
  AND LONG(devicecustomnumber1) IN (3, 10)
  AND sourceip IS NOT NULL
  AND sourceip != '127.0.0.1'
  AND sourceip != '::1'
  LAST 60 MINUTES
GROUP BY sourceip
HAVING
  SUM(CASE WHEN QIDNAME(qid) LIKE '%4625%' THEN 1 ELSE 0 END) >= 15
  AND COUNT(DISTINCT username) >= 5
ORDER BY FailureCount DESC

high severity high confidence

Data Sources

IBM QRadar SIEM (events store) Windows Security Event Log via QRadar WinCollect Agent or Microsoft Windows DSM

Required Tables

events

False Positives

Network monitoring appliances or asset discovery tools (e.g., Nessus, Rapid7) performing authenticated WMI or SMB checks across subnets, producing bulk logon failures before succeeding on reachable hosts
Kerberos pre-authentication failures from misconfigured service accounts cycling through multiple SPNs against a domain controller, appearing as network logon failures across distinct principal names from the same application server IP
Helpdesk automation platforms executing batch password resets for groups of locked-out accounts, creating a failure-then-success sequence across many usernames from the same management console IP

Sumo Logic CSE

sql

(_sourceCategory=windows/security OR _sourceCategory=WinEventLog/Security)
(EventCode=4625 OR EventCode=4624)
| parse regex field=_raw "Logon Type:\s+(?<logon_type>\d+)" nodrop
| parse regex field=_raw "Source Network Address:\s+(?<src_ip>[\d\.]{7,15}|[a-fA-F0-9:]{3,39})" nodrop
| parse regex field=_raw "Account Name:\s+(?<target_user>[^\r\n\t]+)" multi nodrop
| where logon_type in ("3", "10")
| where !isNull(src_ip) AND src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND src_ip != ""
| timeslice 1h
| stats
    sum(if(EventCode="4625", 1, 0)) as FailureCount,
    sum(if(EventCode="4624", 1, 0)) as SuccessCount,
    dcount(if(EventCode="4625", target_user, null)) as UniqueFailedAccounts,
    values(if(EventCode="4625", target_user, null)) as FailedAccountSample,
    values(if(EventCode="4624", target_user, null)) as SuccessAccounts
    by _timeslice, src_ip
| where FailureCount >= 15 AND UniqueFailedAccounts >= 5
| if (SuccessCount > 0, "CRITICAL", "HIGH") as Severity
| tostring(SuccessCount > 0) as StuffingSuccess
| fields _timeslice, src_ip, FailureCount, SuccessCount, UniqueFailedAccounts, FailedAccountSample, SuccessAccounts, StuffingSuccess, Severity
| sort by SuccessCount desc, FailureCount desc

high severity high confidence

Data Sources

Windows Security Event Log (Sumo Logic Installed Collector — Windows Event Log source) Sumo Logic Cloud SIEM (CSE) — normalized authentication records

Required Tables

_sourceCategory=windows/security _sourceCategory=WinEventLog/Security

False Positives

Enterprise patch management or software deployment agents (e.g., SCCM, Intune) authenticating to hundreds of endpoints sequentially from a single orchestration server IP, generating bursts of network logon failures for offline or misconfigured targets
Active Directory health monitoring tools that enumerate accounts across OUs and test authentication state, triggering per-account logon failures from the monitoring server IP against many principal names in quick succession
VPN concentrators or reverse proxies performing source NAT that funnel all remote user authentication attempts through a single external IP, making legitimate high-volume failures from many distinct users appear to originate from one source

Google Chronicle / SecOps

yaral

rule t1110_004_credential_stuffing {
  meta:
    author = "Detection Engineering"
    description = "Detects credential stuffing: single source IP generating 15+ blocked authentication events against 5+ distinct target accounts within 1 hour"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110.004"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1110/004/"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.ip = $src_ip
    not re.regex($src_ip, `^(127\.0\.0\.1|::1|0\.0\.0\.0)$`)
    $fail.target.user.userid != ""
    $fail.target.user.userid = $target_user

  match:
    $src_ip over 1h

  outcome:
    $failure_count = count_distinct($fail.metadata.id)
    $unique_accounts = count_distinct($fail.target.user.userid)
    $account_sample = array_distinct($fail.target.user.userid)
    $target_hosts = array_distinct($fail.target.hostname)

  condition:
    #fail >= 15 and
    $unique_accounts >= 5
}

high severity high confidence

Data Sources

Google Chronicle UDM (Windows Security Events normalized to USER_LOGIN) Azure AD Sign-In Logs (normalized to UDM) Okta System Log (normalized to UDM) LDAP/Active Directory authentication events

Required Tables

USER_LOGIN (UDM event type)

False Positives

Automated configuration management or CI/CD pipeline agents using a service account pool iterating over many target systems, generating blocked authentication attempts from a shared build server IP before establishing valid sessions on reachable hosts
Authorized penetration testing or red team exercises targeting the organization's own infrastructure — produces the exact pattern this rule detects and must be excluded by source IP allowlist during authorized assessment windows
Legacy ERP or mainframe systems performing nightly batch account validation jobs from a single application server IP, cycling through inactive or expired accounts before locating valid credentials for the batch run

CrowdStrike LogScale (CQL)

cql

// Windows Security Event Log ingested via Falcon LogScale connector or Humio shipper
#repo=base (EventCode=4625 OR EventCode=4624)
| LogonType in ["3", "10"]
| SourceNetworkAddress != "127.0.0.1"
| SourceNetworkAddress != "::1"
| SourceNetworkAddress != "-"
| SourceNetworkAddress != null
| groupBy(
    [SourceNetworkAddress, bucket(field=@timestamp, span=1h)],
    function=[
      sum(if(EventCode=="4625", 1, 0), as=FailureCount),
      sum(if(EventCode=="4624", 1, 0), as=SuccessCount),
      count(distinct=TargetUserName, as=UniqueAccounts),
      collect(TargetUserName, limit=10, as=AccountSample),
      collect(WorkstationName, limit=5, as=TargetHosts)
    ]
  )
| FailureCount >= 15
| UniqueAccounts >= 5
| StuffingSuccess := SuccessCount > 0
| Severity := if(SuccessCount > 0, "CRITICAL", "HIGH")
| sort(FailureCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike LogScale (Windows Security Event Log via Humio shipper or Falcon LogScale connector) Falcon Data Replicator (FDR) authentication telemetry Windows Event Log forwarding via WEC to LogScale HTTP ingestion API

Required Tables

#repo=base (Windows Security Event Log stream)

False Positives

Internal IT asset management or RMM tools (e.g., ConnectWise, NinjaRMM) iterating over all domain-joined endpoints using a shared service account, triggering bulk network logon failures against offline systems before succeeding on reachable ones
Privileged Access Workstation (PAW) or jump server IPs used by large IT teams for concurrent RDP sessions to many servers, where multiple analysts authenticate to different accounts from the same source NAT IP within the same hour
SOC tooling performing credential validation checks or incident response triage across multiple accounts from a single analyst workstation — SOAR playbooks in particular can generate the exact failure-then-success pattern from one IP

Credential Stuffing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections