Detect Credential Stuffing in IBM QRadar
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1110 Brute Force
- Sub-technique
- T1110.004 Credential Stuffing
- Canonical reference
- https://attack.mitre.org/techniques/T1110/004/
QRadar Detection Query
SELECT
sourceip,
SUM(CASE WHEN QIDNAME(qid) LIKE '%4625%' THEN 1 ELSE 0 END) AS FailureCount,
SUM(CASE WHEN QIDNAME(qid) LIKE '%4624%' THEN 1 ELSE 0 END) AS SuccessCount,
COUNT(DISTINCT username) AS UniqueTargetAccounts,
DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstAttempt,
DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastAttempt,
LOGSOURCENAME(logsourceid) AS LogSource
FROM events
WHERE
LOGSOURCETYPEID IN (12, 192)
AND (QIDNAME(qid) LIKE '%4625%' OR QIDNAME(qid) LIKE '%4624%')
AND LONG(devicecustomnumber1) IN (3, 10)
AND sourceip IS NOT NULL
AND sourceip != '127.0.0.1'
AND sourceip != '::1'
LAST 60 MINUTES
GROUP BY sourceip
HAVING
SUM(CASE WHEN QIDNAME(qid) LIKE '%4625%' THEN 1 ELSE 0 END) >= 15
AND COUNT(DISTINCT username) >= 5
ORDER BY FailureCount DESCAQL query targeting the QRadar events store for Windows Security Event Log sources. LOGSOURCETYPEID 12 covers native Microsoft Windows Security Event Log; 192 covers WinCollect — adjust these IDs to match your deployment via Admin > Log Source Types. LogonType is mapped to devicecustomnumber1 by the DSM parser. Aggregates failed (4625) and successful (4624) network/remote-interactive logons per source IP over a 60-minute rolling window. Fires when a single IP produces 15+ failures against 5+ distinct usernames. A non-zero SuccessCount from the same source IP is a critical stuffing-success indicator requiring immediate escalation.
Data Sources
Required Tables
False Positives & Tuning
- Network monitoring appliances or asset discovery tools (e.g., Nessus, Rapid7) performing authenticated WMI or SMB checks across subnets, producing bulk logon failures before succeeding on reachable hosts
- Kerberos pre-authentication failures from misconfigured service accounts cycling through multiple SPNs against a domain controller, appearing as network logon failures across distinct principal names from the same application server IP
- Helpdesk automation platforms executing batch password resets for groups of locked-out accounts, creating a failure-then-success sequence across many usernames from the same management console IP
Other platforms for T1110.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows SMB Credential Stuffing Simulation (Authorized Lab)
Expected signal: Windows Security Event ID 4625 on the target host for each attempt: LogonType=3 (Network), IpAddress=<attacker workstation IP>, TargetUserName=each test account, SubStatus=0xC000006A (wrong password for valid account) or 0xC0000064 (unknown username). WorkstationName shows the attacker's hostname. Events appear within 1-2 seconds of each attempt.
- Test 2SSH Credential Stuffing with Hydra (Linux — Authorized Lab)
Expected signal: Linux /var/log/auth.log: multiple 'Failed password for <user> from 127.0.0.1 port <X> ssh2' entries across different usernames. If auditd is enabled: type=USER_AUTH msg= entries with res=failed and acct=<username> in /var/log/audit/audit.log. SSH daemon will log each attempt within milliseconds. If fail2ban is active it may ban 127.0.0.1 after its threshold.
- Test 3Azure AD Credential Stuffing via OAuth Password Grant (Authorized Tenant)
Expected signal: Azure AD SigninLogs entries for each attempt: ResultType=50126 (invalid username or password), IPAddress of the test machine, UserPrincipalName of each test account, AppDisplayName='Microsoft Azure PowerShell', ClientAppUsed='Other clients', UserAgent showing PowerShell HTTP client. Entries appear in Entra admin center under Identity > Monitoring > Sign-in logs within 5-10 minutes.
- Test 4RDP Multi-Account Failure Generation (Windows — Lab Only)
Expected signal: Windows Security Event ID 4625 on the target host: LogonType=10 (RemoteInteractive), TargetUserName showing each test account, IpAddress showing the attacker workstation IP. Event ID 4648 (Logon with Explicit Credentials) may appear on the source workstation. If NLA is enabled, failures occur at the network layer and may show as LogonType=3 before the RDP session establishes.
References (8)
- https://attack.mitre.org/techniques/T1110/004/
- https://www.us-cert.gov/ncas/alerts/TA18-086A
- https://owasp.org/www-community/attacks/Credential_stuffing
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md
- https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-how-azure-ad-identity-protection-works/
Unlock Pro Content
Get the full detection package for T1110.004 including response playbook, investigation guide, and atomic red team tests.