Detect Credential Stuffing in Splunk
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1110 Brute Force
- Sub-technique: T1110.004 Credential Stuffing
- Canonical reference: https://attack.mitre.org/techniques/T1110/004/
SPL Detection Query
```spl
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624)
| eval src_ip=coalesce(Source_Network_Address, src_ip, IpAddress)
| eval target_user=coalesce(Target_User_Name, user, TargetUserName)
| eval logon_type_val=coalesce(Logon_Type, logon_type, LogonType, "0")
| where logon_type_val IN ("3", "10")
| where isnotnull(src_ip) AND src_ip!="" AND src_ip!="-" AND src_ip!="127.0.0.1" AND src_ip!="::1"
| bin _time span=1h
| stats
    sum(eval(if(EventCode=4625, 1, 0))) as FailureCount,
    sum(eval(if(EventCode=4624, 1, 0))) as SuccessCount,
    dc(eval(if(EventCode=4625, target_user, null()))) as UniqueFailedAccounts,
    values(eval(if(EventCode=4625, target_user, null()))) as FailedAccountSample,
    values(eval(if(EventCode=4624, target_user, null()))) as SuccessAccounts
    by _time, src_ip, host
| where FailureCount >= 15 AND UniqueFailedAccounts >= 5
| eval StuffingSuccess=if(SuccessCount > 0, "TRUE", "FALSE")
| eval Severity=if(StuffingSuccess="TRUE", "CRITICAL", "HIGH")
| eval AttackRate=round(FailureCount / 4.0, 1) . " attempts per 15-min block (approx; 1h bin = four 15-min blocks)"
| table _time, src_ip, host, FailureCount, UniqueFailedAccounts, FailedAccountSample, SuccessCount, SuccessAccounts, StuffingSuccess, Severity, AttackRate
| sort -StuffingSuccess, -FailureCount
```

Detects credential stuffing via Windows Security Event Log analysis: events are binned into 1-hour windows and failure/success counts are computed per source IP. Conditional aggregation counts EventCode 4625 (failures) and 4624 (successes) separately within the same stats command, filtering to network (LogonType=3) and remote interactive (LogonType=10) logons. A source IP with 15+ failures across 5+ distinct accounts in one window triggers the alert; StuffingSuccess=TRUE (the same source IP also achieves at least one successful logon in that window) escalates Severity to CRITICAL. AttackRate divides the hourly failure count by the four 15-minute blocks in the bin. coalesce accommodates the different field naming conventions across Splunk Windows TA versions (underscore-delimited vs. XML-rendered names).
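To check the thresholds and the CRITICAL escalation offline before deploying the search, here is the same aggregation reimplemented in Python over constructed sample events. This is an added example, not code from the original page; it assumes the XML-rendered field names (EventCode, LogonType, IpAddress, TargetUserName) and adds a hypothetical allowlist parameter for the shared-egress tuning cases listed under False Positives.

```python
from collections import defaultdict
from datetime import datetime

def ev(time, code, ltype, ip, user):
    """Build one constructed Windows Security event with the XML-rendered field names."""
    return {"time": time, "EventCode": code, "LogonType": ltype, "IpAddress": ip, "TargetUserName": user}

# Constructed sample telemetry (not real data): 16 failures over 16 accounts from one source,
# one success from the same source, sub-threshold noise from a shared egress, and a local logon.
SAMPLE_EVENTS = (
    [ev("2024-05-01T10:00:05Z", 4625, "3", "198.51.100.7", f"user{i:02d}") for i in range(16)]
    + [ev("2024-05-01T10:20:00Z", 4624, "3", "198.51.100.7", "user03"),
       ev("2024-05-01T10:05:00Z", 4625, "10", "203.0.113.9", "alice"),
       ev("2024-05-01T10:06:00Z", 4625, "10", "203.0.113.9", "bob"),
       ev("2024-05-01T10:07:00Z", 4625, "2", "127.0.0.1", "svc_backup")]
)

LOCAL_SOURCES = {None, "", "-", "127.0.0.1", "::1"}   # same exclusions as the SPL where clause

def hour_bucket(ts):
    """Mirror `bin _time span=1h`: truncate an ISO-8601 UTC timestamp to the hour."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()

def detect_stuffing(events, min_failures=15, min_accounts=5, allowlist=frozenset()):
    """Aggregate per (hour, src_ip) as the SPL stats command does and return alert rows.
    allowlist: known egress IPs (scanners, VPN concentrators) excluded while tuning (hypothetical)."""
    agg = defaultdict(lambda: {"fail": 0, "succ": 0, "failed": set(), "ok": set()})
    for e in events:
        ip = e.get("IpAddress")
        if e["LogonType"] not in ("3", "10") or ip in LOCAL_SOURCES or ip in allowlist:
            continue
        b = agg[(hour_bucket(e["time"]), ip)]
        if e["EventCode"] == 4625:
            b["fail"] += 1
            b["failed"].add(e["TargetUserName"])
        elif e["EventCode"] == 4624:
            b["succ"] += 1
            b["ok"].add(e["TargetUserName"])
    alerts = []
    for (hour, ip), b in agg.items():
        if b["fail"] >= min_failures and len(b["failed"]) >= min_accounts:
            alerts.append({"hour": hour, "src_ip": ip, "FailureCount": b["fail"],
                           "UniqueFailedAccounts": len(b["failed"]), "SuccessCount": b["succ"],
                           "SuccessAccounts": sorted(b["ok"]),
                           "Severity": "CRITICAL" if b["succ"] > 0 else "HIGH",
                           "AttackRatePer15Min": round(b["fail"] / 4.0, 1)})  # 1h bin = four 15-min blocks
    # CRITICAL rows first, then by failure volume, matching the query's final sort
    return sorted(alerts, key=lambda a: (a["Severity"] != "CRITICAL", -a["FailureCount"]))
```

Running `detect_stuffing(SAMPLE_EVENTS)` yields a single CRITICAL row for 198.51.100.7; the two failures behind 203.0.113.9 and the local logon never reach the threshold.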
Data Sources
Required Sourcetypes
False Positives & Tuning
- Service accounts with stale cached credentials authenticating against many systems simultaneously during a password rotation event
- Security scanner hosts running authenticated network audits from a single source IP across multiple targets
- VPN concentrators or Citrix NetScalers proxying multiple users behind a shared egress IP, aggregating individual failures
- Batch testing by helpdesk staff deliberately testing lockout/unlock flows across multiple test accounts
- SSO federation services performing health checks or token validation attempts that log as individual account failures
Other platforms for T1110.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Windows SMB Credential Stuffing Simulation (Authorized Lab)
Expected signal: Windows Security Event ID 4625 on the target host for each attempt: LogonType=3 (Network), IpAddress=<attacker workstation IP>, TargetUserName=each test account, SubStatus=0xC000006A (wrong password for valid account) or 0xC0000064 (unknown username). WorkstationName shows the attacker's hostname. Events appear within 1-2 seconds of each attempt.
- Test 2: SSH Credential Stuffing with Hydra (Linux — Authorized Lab)
Expected signal: Linux /var/log/auth.log: multiple 'Failed password for <user> from 127.0.0.1 port <X> ssh2' entries across different usernames. If auditd is enabled: type=USER_AUTH msg= entries with res=failed and acct=<username> in /var/log/audit/audit.log. SSH daemon will log each attempt within milliseconds. If fail2ban is active it may ban 127.0.0.1 after its threshold.
- Test 3: Azure AD Credential Stuffing via OAuth Password Grant (Authorized Tenant)
Expected signal: Azure AD SigninLogs entries for each attempt: ResultType=50126 (invalid username or password), IPAddress of the test machine, UserPrincipalName of each test account, AppDisplayName='Microsoft Azure PowerShell', ClientAppUsed='Other clients', UserAgent showing PowerShell HTTP client. Entries appear in Entra admin center under Identity > Monitoring > Sign-in logs within 5-10 minutes.
- Test 4: RDP Multi-Account Failure Generation (Windows — Lab Only)
Expected signal: Windows Security Event ID 4625 on the target host: LogonType=10 (RemoteInteractive), TargetUserName showing each test account, IpAddress showing the attacker workstation IP. Event ID 4648 (Logon with Explicit Credentials) may appear on the source workstation. If NLA is enabled, failures occur at the network layer and may show as LogonType=3 before the RDP session establishes.
References (8)
- https://attack.mitre.org/techniques/T1110/004/
- https://www.us-cert.gov/ncas/alerts/TA18-086A
- https://owasp.org/www-community/attacks/Credential_stuffing
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicelogonevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md
- https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-how-azure-ad-identity-protection-works/