Detect Credential Stuffing in Elastic Security
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1110 Brute Force
- Sub-technique
- T1110.004 Credential Stuffing
- Canonical reference
- https://attack.mitre.org/techniques/T1110/004/
Elastic Detection Query
sequence by source.ip with maxspan=1h
[authentication where
event.category == "authentication" and
event.outcome == "failure" and
winlog.event_data.LogonType in ("3", "10") and
source.ip != null and
source.ip != "127.0.0.1" and
source.ip != "::1"] with runs=15
[authentication where
event.category == "authentication" and
event.outcome == "success" and
winlog.event_data.LogonType in ("3", "10")]Elastic EQL sequence rule detecting credential stuffing via success-after-failure pattern: requires 15+ consecutive remote/network interactive authentication failures (LogonType 3 or 10) from the same source IP followed by a successful logon within 1 hour. The 'with runs=15' clause enforces the failure threshold before the sequence completes. Deploy as an EQL Correlation Rule in Elastic SIEM. Pair with a separate Threshold Rule (event.outcome=failure, group by source.ip, unique_count of user.name >= 5) to enforce the account-diversity signal independently. Data must be ingested via Elastic Agent (System integration) or Winlogbeat targeting Windows Security Event Log.
Data Sources
Required Tables
False Positives & Tuning
- IT automation or software deployment platforms (e.g., Ansible, SCCM) performing bulk authenticated operations against many endpoints from a single orchestration server, generating network logon failures for unreachable hosts before establishing valid sessions
- Legacy batch scripts using shared service accounts on jump hosts that serially authenticate to dozens of target systems, producing high failure volume across multiple target account names from one source IP
- Vulnerability scanners or endpoint compliance tools running authenticated SMB/WMI checks across subnets, triggering clustered logon failures then successes from the scanner IP
Other platforms for T1110.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows SMB Credential Stuffing Simulation (Authorized Lab)
Expected signal: Windows Security Event ID 4625 on the target host for each attempt: LogonType=3 (Network), IpAddress=<attacker workstation IP>, TargetUserName=each test account, SubStatus=0xC000006A (wrong password for valid account) or 0xC0000064 (unknown username). WorkstationName shows the attacker's hostname. Events appear within 1-2 seconds of each attempt.
- Test 2SSH Credential Stuffing with Hydra (Linux — Authorized Lab)
Expected signal: Linux /var/log/auth.log: multiple 'Failed password for <user> from 127.0.0.1 port <X> ssh2' entries across different usernames. If auditd is enabled: type=USER_AUTH msg= entries with res=failed and acct=<username> in /var/log/audit/audit.log. SSH daemon will log each attempt within milliseconds. If fail2ban is active it may ban 127.0.0.1 after its threshold.
- Test 3Azure AD Credential Stuffing via OAuth Password Grant (Authorized Tenant)
Expected signal: Azure AD SigninLogs entries for each attempt: ResultType=50126 (invalid username or password), IPAddress of the test machine, UserPrincipalName of each test account, AppDisplayName='Microsoft Azure PowerShell', ClientAppUsed='Other clients', UserAgent showing PowerShell HTTP client. Entries appear in Entra admin center under Identity > Monitoring > Sign-in logs within 5-10 minutes.
- Test 4RDP Multi-Account Failure Generation (Windows — Lab Only)
Expected signal: Windows Security Event ID 4625 on the target host: LogonType=10 (RemoteInteractive), TargetUserName showing each test account, IpAddress showing the attacker workstation IP. Event ID 4648 (Logon with Explicit Credentials) may appear on the source workstation. If NLA is enabled, failures occur at the network layer and may show as LogonType=3 before the RDP session establishes.
References (8)
- https://attack.mitre.org/techniques/T1110/004/
- https://www.us-cert.gov/ncas/alerts/TA18-086A
- https://owasp.org/www-community/attacks/Credential_stuffing
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md
- https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-how-azure-ad-identity-protection-works/
Unlock Pro Content
Get the full detection package for T1110.004 including response playbook, investigation guide, and atomic red team tests.