T1110.004 Sumo Logic CSE · Sumo

Detect Credential Stuffing in Sumo Logic CSE

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1110 Brute Force
Sub-technique
T1110.004 Credential Stuffing
Canonical reference
https://attack.mitre.org/techniques/T1110/004/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=windows/security OR _sourceCategory=WinEventLog/Security)
(EventCode=4625 OR EventCode=4624)
| parse regex field=_raw "Logon Type:\s+(?<logon_type>\d+)" nodrop
| parse regex field=_raw "Source Network Address:\s+(?<src_ip>[\d\.]{7,15}|[a-fA-F0-9:]{3,39})" nodrop
| parse regex field=_raw "Account Name:\s+(?<target_user>[^\r\n\t]+)" multi nodrop
| where logon_type in ("3", "10")
| where !isNull(src_ip) AND src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND src_ip != ""
| timeslice 1h
| stats
    sum(if(EventCode="4625", 1, 0)) as FailureCount,
    sum(if(EventCode="4624", 1, 0)) as SuccessCount,
    dcount(if(EventCode="4625", target_user, null)) as UniqueFailedAccounts,
    values(if(EventCode="4625", target_user, null)) as FailedAccountSample,
    values(if(EventCode="4624", target_user, null)) as SuccessAccounts
    by _timeslice, src_ip
| where FailureCount >= 15 AND UniqueFailedAccounts >= 5
| if (SuccessCount > 0, "CRITICAL", "HIGH") as Severity
| tostring(SuccessCount > 0) as StuffingSuccess
| fields _timeslice, src_ip, FailureCount, SuccessCount, UniqueFailedAccounts, FailedAccountSample, SuccessAccounts, StuffingSuccess, Severity
| sort by SuccessCount desc, FailureCount desc
high severity high confidence

Sumo Logic search query against Windows Security Event Log data collected via Installed Collector or Hosted Collector. Uses multi-pass regex parsing to extract LogonType, source IP, and target account from raw event text (handles both legacy and XML-formatted event logs). Aggregates per source IP per 1-hour timeslice. Requires 15+ remote/network logon failures against 5+ distinct accounts before firing. Elevates to CRITICAL when at least one successful logon is observed from the same IP in the same window, indicating a confirmed credential stuffing hit.

Data Sources

Windows Security Event Log (Sumo Logic Installed Collector — Windows Event Log source)Sumo Logic Cloud SIEM (CSE) — normalized authentication records

Required Tables

_sourceCategory=windows/security_sourceCategory=WinEventLog/Security

False Positives & Tuning

  • Enterprise patch management or software deployment agents (e.g., SCCM, Intune) authenticating to hundreds of endpoints sequentially from a single orchestration server IP, generating bursts of network logon failures for offline or misconfigured targets
  • Active Directory health monitoring tools that enumerate accounts across OUs and test authentication state, triggering per-account logon failures from the monitoring server IP against many principal names in quick succession
  • VPN concentrators or reverse proxies performing source NAT that funnel all remote user authentication attempts through a single external IP, making legitimate high-volume failures from many distinct users appear to originate from one source
Download portable Sigma rule (.yml)

Other platforms for T1110.004

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows SMB Credential Stuffing Simulation (Authorized Lab)

    Expected signal: Windows Security Event ID 4625 on the target host for each attempt: LogonType=3 (Network), IpAddress=<attacker workstation IP>, TargetUserName=each test account, SubStatus=0xC000006A (wrong password for valid account) or 0xC0000064 (unknown username). WorkstationName shows the attacker's hostname. Events appear within 1-2 seconds of each attempt.

  2. Test 2SSH Credential Stuffing with Hydra (Linux — Authorized Lab)

    Expected signal: Linux /var/log/auth.log: multiple 'Failed password for <user> from 127.0.0.1 port <X> ssh2' entries across different usernames. If auditd is enabled: type=USER_AUTH msg= entries with res=failed and acct=<username> in /var/log/audit/audit.log. SSH daemon will log each attempt within milliseconds. If fail2ban is active it may ban 127.0.0.1 after its threshold.

  3. Test 3Azure AD Credential Stuffing via OAuth Password Grant (Authorized Tenant)

    Expected signal: Azure AD SigninLogs entries for each attempt: ResultType=50126 (invalid username or password), IPAddress of the test machine, UserPrincipalName of each test account, AppDisplayName='Microsoft Azure PowerShell', ClientAppUsed='Other clients', UserAgent showing PowerShell HTTP client. Entries appear in Entra admin center under Identity > Monitoring > Sign-in logs within 5-10 minutes.

  4. Test 4RDP Multi-Account Failure Generation (Windows — Lab Only)

    Expected signal: Windows Security Event ID 4625 on the target host: LogonType=10 (RemoteInteractive), TargetUserName showing each test account, IpAddress showing the attacker workstation IP. Event ID 4648 (Logon with Explicit Credentials) may appear on the source workstation. If NLA is enabled, failures occur at the network layer and may show as LogonType=3 before the RDP session establishes.

Last updated: 2026-04-17 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1110.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110Brute Force

Related Sub-techniques

T1110.001Password GuessingT1110.002Password CrackingT1110.003Password Spraying

Related Techniques

T1110Brute ForceT1110.001Password GuessingT1110.003Password SprayingT1078Valid AccountsT1078.002Domain AccountsT1078.004Cloud AccountsT1589.001CredentialsT1021.001Remote Desktop ProtocolT1021.004SSHT1133External Remote ServicesT1606Forge Web Credentials

Same Tactic: Credential Access

Popular Detections