T1110.004 Google Chronicle · YARA-L

Detect Credential Stuffing in Google Chronicle

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.004 Credential Stuffing
Canonical reference
https://attack.mitre.org/techniques/T1110/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1110_004_credential_stuffing {
  meta:
    author = "Detection Engineering"
    description = "Detects credential stuffing: single source IP generating 15+ blocked authentication events against 5+ distinct target accounts within 1 hour"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110.004"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1110/004/"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.ip = $src_ip
    not re.regex($src_ip, `^(127\.0\.0\.1|::1|0\.0\.0\.0)$`)
    $fail.target.user.userid != ""
    $fail.target.user.userid = $target_user

  match:
    $src_ip over 1h

  outcome:
    $failure_count = count_distinct($fail.metadata.id)
    $unique_accounts = count_distinct($fail.target.user.userid)
    $account_sample = array_distinct($fail.target.user.userid)
    $target_hosts = array_distinct($fail.target.hostname)

  condition:
    #fail >= 15 and
    $unique_accounts >= 5
}
high severity high confidence

Google Chronicle YARA-L 2.0 detection rule using the UDM USER_LOGIN event type with security_result.action = BLOCK to match authentication failures. Normalizes across Windows Security Events (4625), Azure AD sign-in failures, Okta blocked logins, and LDAP authentication denials — all normalized to USER_LOGIN in Chronicle's UDM ingestion layer. The match section groups events by source IP over a 1-hour sliding window. The condition requires both a raw event count (#fail >= 15) and a computed cardinality check ($unique_accounts >= 5 from the outcome block). Deploy as a Multi-Event rule in Chronicle Detection Engine.

Data Sources

Google Chronicle UDM (Windows Security Events normalized to USER_LOGIN)Azure AD Sign-In Logs (normalized to UDM)Okta System Log (normalized to UDM)LDAP/Active Directory authentication events

Required Tables

USER_LOGIN (UDM event type)

False Positives & Tuning

  • Automated configuration management or CI/CD pipeline agents using a service account pool iterating over many target systems, generating blocked authentication attempts from a shared build server IP before establishing valid sessions on reachable hosts
  • Authorized penetration testing or red team exercises targeting the organization's own infrastructure — produces the exact pattern this rule detects and must be excluded by source IP allowlist during authorized assessment windows
  • Legacy ERP or mainframe systems performing nightly batch account validation jobs from a single application server IP, cycling through inactive or expired accounts before locating valid credentials for the batch run
Download portable Sigma rule (.yml)

Other platforms for T1110.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows SMB Credential Stuffing Simulation (Authorized Lab)

    Expected signal: Windows Security Event ID 4625 on the target host for each attempt: LogonType=3 (Network), IpAddress=<attacker workstation IP>, TargetUserName=each test account, SubStatus=0xC000006A (wrong password for valid account) or 0xC0000064 (unknown username). WorkstationName shows the attacker's hostname. Events appear within 1-2 seconds of each attempt.

  2. Test 2SSH Credential Stuffing with Hydra (Linux — Authorized Lab)

    Expected signal: Linux /var/log/auth.log: multiple 'Failed password for <user> from 127.0.0.1 port <X> ssh2' entries across different usernames. If auditd is enabled: type=USER_AUTH msg= entries with res=failed and acct=<username> in /var/log/audit/audit.log. SSH daemon will log each attempt within milliseconds. If fail2ban is active it may ban 127.0.0.1 after its threshold.

  3. Test 3Azure AD Credential Stuffing via OAuth Password Grant (Authorized Tenant)

    Expected signal: Azure AD SigninLogs entries for each attempt: ResultType=50126 (invalid username or password), IPAddress of the test machine, UserPrincipalName of each test account, AppDisplayName='Microsoft Azure PowerShell', ClientAppUsed='Other clients', UserAgent showing PowerShell HTTP client. Entries appear in Entra admin center under Identity > Monitoring > Sign-in logs within 5-10 minutes.

  4. Test 4RDP Multi-Account Failure Generation (Windows — Lab Only)

    Expected signal: Windows Security Event ID 4625 on the target host: LogonType=10 (RemoteInteractive), TargetUserName showing each test account, IpAddress showing the attacker workstation IP. Event ID 4648 (Logon with Explicit Credentials) may appear on the source workstation. If NLA is enabled, failures occur at the network layer and may show as LogonType=3 before the RDP session establishes.

Last updated: 2026-04-17 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1110.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110Brute Force

Related Sub-techniques

T1110.001Password GuessingT1110.002Password CrackingT1110.003Password Spraying

Related Techniques

T1110Brute ForceT1110.001Password GuessingT1110.003Password SprayingT1078Valid AccountsT1078.002Domain AccountsT1078.004Cloud AccountsT1589.001CredentialsT1021.001Remote Desktop ProtocolT1021.004SSHT1133External Remote ServicesT1606Forge Web Credentials

Same Tactic: Credential Access

Popular Detections