T1586

Compromise Accounts

This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.

Microsoft Sentinel / Defender

kusto

let timeWindow = 24h;
let failThreshold = 5;
let travelWindowMinutes = 60;
// --- Signal 1: Credential stuffing — many failures then success from multiple IPs ---
let CredentialStuffing = AADSignInLogs
| where TimeGenerated > ago(timeWindow)
| where ResultType != "50053" and ResultType != "50076" // exclude locked-out and MFA-required noise
| summarize
    FailureCount = countif(ResultType != "0"),
    SuccessCount = countif(ResultType == "0"),
    UniqueIPs = dcount(IPAddress),
    IPList = make_set(IPAddress, 10),
    Apps = make_set(AppDisplayName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName
| where FailureCount >= failThreshold and SuccessCount >= 1
| extend DetectionType = "CredentialStuffing",
    RiskScore = iff(UniqueIPs > 5, 90, iff(UniqueIPs > 2, 75, 60));
// --- Signal 2: Impossible travel — successful logins from 2+ countries within 60 minutes ---
let ImpossibleTravel = AADSignInLogs
| where TimeGenerated > ago(timeWindow)
| where ResultType == "0"
| where isnotempty(Location)
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| summarize
    Countries = make_set(Country, 20),
    IPList = make_set(IPAddress, 10),
    Apps = make_set(AppDisplayName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SuccessCount = count()
    by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(Countries) > 1
| extend DetectionType = "ImpossibleTravel", RiskScore = 85,
    FailureCount = 0, UniqueIPs = array_length(IPList);
// --- Signal 3: Successful login from Tor exit node or known bulletproof hosting ASN ---
let SuspiciousASN = AADSignInLogs
| where TimeGenerated > ago(timeWindow)
| where ResultType == "0"
| extend ASN = tostring(todynamic(NetworkLocationDetails)[0].networkNames)
| where ASN has_any ("M247", "Frantech", "Sharktech", "Psychz", "Quasi Networks",
    "FranTech", "Alexhost", "ITL-Bulgaria", "Serverius", "Combahton")
    or IPAddress matches regex @"^185\.(220|129|220)\."
| summarize
    IPList = make_set(IPAddress, 10),
    Apps = make_set(AppDisplayName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SuccessCount = count(),
    Countries = make_set(tostring(LocationDetails.countryOrRegion), 5)
    by UserPrincipalName
| extend DetectionType = "SuspiciousHostingASN", RiskScore = 80,
    FailureCount = 0, UniqueIPs = array_length(IPList);
// --- Union all signals ---
CredentialStuffing
| union ImpossibleTravel
| union SuspiciousASN
| project
    TimeGenerated = LastSeen,
    UserPrincipalName,
    DetectionType,
    RiskScore,
    FailureCount,
    SuccessCount,
    UniqueIPs,
    IPList,
    Apps,
    Countries,
    FirstSeen,
    LastSeen
| sort by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID

Required Tables

AADSignInLogs

False Positives

Legitimate corporate VPN services routing authentication through shared exit nodes may match ASN-based detection; allowlist known corporate egress IP ranges
Traveling employees authenticating from multiple countries within a short window (e.g. connecting through an airline hub) will trigger impossible travel; cross-reference with HR travel records and conditional access named locations
Shared service accounts used by automation platforms (CI/CD, monitoring) may generate high failure counts if misconfigured credentials are in rotation before being corrected; baseline service account authentication patterns
Password reset self-service workflows may generate multiple ResultType failures before a successful reset, mimicking credential stuffing; filter on UserType and correlate with SSPR audit events in AuditLogs

Splunk

spl

index=* (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
    EventCode IN (4624, 4625, 4648, 4776)
| eval AuthResult=case(
    EventCode=="4624", "Success",
    EventCode=="4625", "Failure",
    EventCode=="4648", "ExplicitCred",
    EventCode=="4776", "KerberosValidation",
    true(), "Unknown"
  )
| eval TargetUser=coalesce('TargetUserName', 'Account_Name')
| where TargetUser!="-" AND TargetUser!="" AND NOT match(TargetUser, "^\$$")
| eval IpAddress=coalesce('IpAddress', 'Source_Network_Address')
| eval IpAddress=if(IpAddress=="-" OR IpAddress="127.0.0.1" OR IpAddress="::1", null(), IpAddress)
| stats
    count(eval(AuthResult=="Failure")) AS FailureCount,
    count(eval(AuthResult=="Success" OR AuthResult=="ExplicitCred")) AS SuccessCount,
    dc(IpAddress) AS UniqueIPs,
    values(IpAddress) AS IPList,
    values(WorkstationName) AS WorkstationList,
    min(_time) AS FirstSeen,
    max(_time) AS LastSeen
    by TargetUser, TargetDomainName
| where FailureCount >= 5 AND SuccessCount >= 1
| eval WindowMinutes=round((LastSeen - FirstSeen) / 60, 1)
| eval RiskScore=case(
    UniqueIPs > 10, 95,
    UniqueIPs > 5, 85,
    UniqueIPs > 2, 70,
    true(), 55
  )
| eval DetectionType="CredentialStuffingThenSuccess"
| table TargetUser, TargetDomainName, FailureCount, SuccessCount, UniqueIPs,
    IPList, WorkstationList, WindowMinutes, RiskScore, DetectionType, FirstSeen, LastSeen
| sort - RiskScore

high severity medium confidence

Data Sources

Windows Security Event Logs Active Directory

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Security

False Positives

Service accounts with stale cached credentials during password rotation will generate failure spikes followed by a successful login once credentials are updated; maintain a service account allowlist and correlate with change management windows
Kerberos pre-authentication failures (EventCode 4771) for accounts with clock skew or misconfigured SPNs may appear before a successful 4624; verify Kerberos failure sub-status codes and correlate with DC time sync logs
Domain controller replication events and inter-domain trust authentication can produce 4776 failures from machine accounts before succeeding; filter TargetUserName ending in '$' to exclude machine accounts

Elastic Security (EQL)

eql

/* Signal 1: Credential Stuffing — 5+ failures then success within 24h */
sequence by user.name with maxspan=24h
  [authentication where event.outcome == "failure"
    and not (event.provider : "azure_ad"
      and error.code : ("50053", "50076"))]
  with runs=5
  [authentication where event.outcome == "success"]

/* Signal 2: Successful login from bulletproof / anonymisation ASN — deploy as a separate detection rule:
authentication where event.outcome == "success"
  and source.as.organization.name : (
    "M247*", "Frantech*", "Sharktech*", "Psychz*",
    "Quasi Networks*", "Alexhost*", "Serverius*", "Combahton*",
    "FranTech*", "ITL-Bulgaria*"
  )
  and user.name != null
  and user.domain != null
*/

/* Signal 3: Impossible travel — two successful logins from different countries
   within 60 min cannot be expressed in EQL (no multi-event aggregation).
   Implement as an ES|QL query:
   FROM logs-azure.signinlogs-*
   | WHERE event.outcome == "success"
     AND source.geo.country_iso_code IS NOT NULL
   | STATS countries = COUNT_DISTINCT(source.geo.country_iso_code),
           ip_list = VALUES(source.ip)
     BY user.name, BUCKET(@timestamp, 1 hour)
   | WHERE countries > 1
*/

high severity high confidence

Data Sources

Microsoft Azure AD Sign-in Logs (azure.signinlogs) Microsoft Entra ID (entra.signinlogs) Windows Security Event Log via Winlogbeat or Elastic Agent Okta System Log via Elastic integration

Required Tables

logs-azure.signinlogs-* logs-azure.auditlogs-* winlogbeat-* .ds-logs-system.auth-* logs-okta.system-*

False Positives

Authorised red-team or penetration-testing exercises deliberately generating credential stuffing patterns against internal accounts — confirm against a known-testing calendar before escalating
Corporate VPN or cloud proxy services whose exit nodes are hosted on ASNs flagged as bulletproof hosting (M247 carries significant legitimate SaaS traffic); validate by correlating the device identity and enriching the IP against threat-intel feeds rather than relying solely on ASN name
Users who forget their password on a Monday morning and attempt several times before successfully using a self-service reset link, producing the failure-then-success pattern from a single residential IP
Service accounts with scheduled tasks carrying a stale password that retry authentication until the credential rotation cycle completes and the new secret is injected
Password-change flows in Azure AD that briefly invalidate the session token and trigger a transient 401/failure before the new credential is accepted

IBM QRadar (AQL)

sql

SELECT
  username,
  domainid,
  FailureCount,
  SuccessCount,
  UniqueSourceIPs,
  FirstSeen,
  LastSeen,
  CASE
    WHEN UniqueSourceIPs > 10 THEN 95
    WHEN UniqueSourceIPs > 5  THEN 85
    WHEN UniqueSourceIPs > 2  THEN 70
    ELSE 55
  END AS RiskScore,
  'CredentialStuffingThenSuccess' AS DetectionType
FROM (
  SELECT
    username,
    domainid,
    SUM(CASE WHEN category = 5002 THEN 1 ELSE 0 END)  AS FailureCount,
    SUM(CASE WHEN category = 5000 THEN 1 ELSE 0 END)  AS SuccessCount,
    UNIQUECOUNT(sourceip)                             AS UniqueSourceIPs,
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen
  FROM events
  WHERE
    username IS NOT NULL
    AND username NOT IN ('-', '', 'N/A', 'SYSTEM', 'anonymous logon', 'ANONYMOUS LOGON')
    AND username NOT LIKE '%$'
    AND category IN (5000, 5002)
    AND starttime > NOW() - 86400000
  GROUP BY username, domainid
  HAVING
    SUM(CASE WHEN category = 5002 THEN 1 ELSE 0 END) >= 5
    AND SUM(CASE WHEN category = 5000 THEN 1 ELSE 0 END) >= 1
) AS CredentialStuffing
ORDER BY RiskScore DESC, FailureCount DESC

high severity high confidence

Data Sources

Windows Security Event Log (QRadar DSM 12) Microsoft Azure Active Directory (QRadar DSM 352) Okta (QRadar DSM 617) IBM Security Identity and Access Assurance

Required Tables

events

False Positives

Helpdesk-assisted password resets where a support agent attempts authentication multiple times on behalf of an end user from the helpdesk workstation IP before succeeding, producing 5+ failures followed by a success under a single username
Automated deployment or CI/CD pipelines carrying stale service-account credentials that cycle through connection retries before a secrets-manager refresh injects the current token, generating repeated failure events in quick succession
QRadar log-source misconfiguration where a shared NAT egress IP aggregates authentication attempts from dozens of internal endpoints, inflating UniqueSourceIPs and producing risk-score spikes that do not reflect actual multi-source attacks

Sumo Logic CSE

sql

(_sourceCategory="os/windows/security"
  OR _sourceCategory="azure/signinlogs"
  OR _sourceCategory="okta/systemlog")
| parse field=_raw "EventCode=*" as EventCode nodrop
| parse field=_raw "\"resultType\":\"*\"" as ResultType nodrop
| parse field=_raw "TargetUserName=*\n" as TargetUser nodrop
| parse field=_raw "\"userPrincipalName\":\"*\"" as UPN nodrop
| parse field=_raw "IpAddress=*\n" as WinIP nodrop
| parse field=_raw "\"ipAddress\":\"*\"" as AzureIP nodrop
| eval AuthUser = if(!isNull(UPN) and UPN != "", UPN, TargetUser)
| eval SrcIP = if(!isNull(AzureIP) and AzureIP != "", AzureIP, WinIP)
| eval IsFailure = if(
    EventCode in ("4625", "4776")
    or (ResultType != "0" and !isNull(ResultType)
        and ResultType != "50053" and ResultType != "50076"),
    1, 0)
| eval IsSuccess = if(
    EventCode in ("4624", "4648")
    or ResultType == "0",
    1, 0)
| where !isNull(AuthUser)
  and AuthUser != "-"
  and AuthUser != ""
  and !matches(AuthUser, ".*\\$$")
| stats
    sum(IsFailure)         as FailureCount,
    sum(IsSuccess)         as SuccessCount,
    dcount(SrcIP)          as UniqueIPs,
    values(SrcIP)          as IPList,
    min(_messageTime)      as FirstSeen,
    max(_messageTime)      as LastSeen
    by AuthUser
| where FailureCount >= 5 and SuccessCount >= 1
| eval WindowMinutes = round((LastSeen - FirstSeen) / 60000, 1)
| eval RiskScore = if(UniqueIPs > 10, 95,
                   if(UniqueIPs > 5,  85,
                   if(UniqueIPs > 2,  70, 55)))
| eval DetectionType = "CredentialStuffingThenSuccess"
| fields AuthUser, FailureCount, SuccessCount, UniqueIPs, IPList,
         WindowMinutes, RiskScore, DetectionType, FirstSeen, LastSeen
| sort by RiskScore desc

high severity medium confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Azure Active Directory Sign-in Logs via Azure Monitor or Diagnostic Settings Okta System Log via Sumo Logic Okta App Microsoft 365 Unified Audit Log

Required Tables

_sourceCategory matching os/windows/security _sourceCategory matching azure/signinlogs _sourceCategory matching okta/systemlog

False Positives

Users who forget their password after a long weekend or holiday and attempt several times before successfully invoking self-service password reset, particularly common at domain logon from new devices where cached credentials are absent
Scheduled tasks or service accounts with a stale password configuration that retry on a fixed interval until a secret-rotation job updates the stored credential, generating burst failures before a single success
Multi-tenant Sumo Logic deployments sharing a single _sourceCategory across multiple organisations where a common username (e.g. admin, administrator) exists in multiple tenants, causing cross-tenant aggregation that artificially inflates FailureCount

Google Chronicle / SecOps

yaral

rule t1586_impossible_travel_authentication {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects T1586 Compromise Accounts — impossible travel: a single identity authenticates successfully from two different countries within 60 minutes, strongly indicating stolen credentials or AiTM session-token theft via toolkits such as Evilginx2 or Modlishka"
    mitre_attack_tactic    = "Resource Development"
    mitre_attack_technique = "T1586"
    mitre_attack_subtechnique = "T1586.003"
    severity        = "CRITICAL"
    confidence      = "HIGH"
    reference       = "https://attack.mitre.org/techniques/T1586/"
    created         = "2025-01-01"

  events:
    // First successful authentication
    $e1.metadata.event_type = "USER_LOGIN"
    $e1.security_result.action = "ALLOW"
    $e1.principal.user.userid = $userid
    $e1.principal.location.country_or_region = $country1
    $country1 != ""
    $e1.principal.ip != ""

    // Second successful authentication — same user, different country
    $e2.metadata.event_type = "USER_LOGIN"
    $e2.security_result.action = "ALLOW"
    $e2.principal.user.userid = $userid
    $e2.principal.location.country_or_region = $country2
    $country2 != ""
    $e2.principal.ip != ""

    // Must originate from different countries
    $country1 != $country2

    // Second login must follow the first chronologically
    $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds

  match:
    $userid over 1h

  outcome:
    $risk_score      = max(90)
    $country_first   = array_distinct($e1.principal.location.country_or_region)
    $country_second  = array_distinct($e2.principal.location.country_or_region)
    $source_ips      = array_distinct($e1.principal.ip)
    $target_apps     = array_distinct($e1.target.application)

  condition:
    #e1 > 0 and #e2 > 0
}

critical severity high confidence

Data Sources

Google Workspace Activity via Chronicle ingestion Azure Active Directory Sign-in Logs via Chronicle ingestion Okta System Log via Chronicle SIEM connector Microsoft Entra ID via Google Chronicle

Required Tables

UDM events of type USER_LOGIN

False Positives

Corporate VPN services with geographically distributed exit nodes where a user connects to two different VPN gateways in sequence — the identity provider sees authentication from two countries while the user has not moved
CDN or reverse-proxy infrastructure that rewrites the source IP on authenticated API calls, causing the second programmatic authentication to appear to originate from the CDN's country rather than the user's country
Automated CI/CD or API integration service accounts that authenticate from cloud infrastructure in one AWS or GCP region while a developer simultaneously authenticates from their home country, both using the same service-account identity

CrowdStrike LogScale (CQL)

cql

// T1586 Compromise Accounts — Credential Stuffing via Falcon Identity Protection telemetry
#event_simpleName in ("UserLogon", "UserLogonFailed2", "AuthActivityAuditEvent")
| case {
    #event_simpleName = "UserLogon"        | IsSuccess := 1 | IsFailure := 0 ;
    #event_simpleName = "UserLogonFailed2" | IsSuccess := 0 | IsFailure := 1 ;
    *                                       | IsSuccess := 0 | IsFailure := 0 ;
  }
// Exclude machine accounts and empty usernames
| UserName != ""
| UserName != "-"
| not regex("^.+\\$$", field=UserName)
| groupBy(
    [UserName, UserDomain],
    function=[
      sum(IsFailure,   as=FailureCount),
      sum(IsSuccess,   as=SuccessCount),
      uniqueCount(RemoteAddressIP4, as=UniqueSourceIPs),
      collect(RemoteAddressIP4, limit=10, as=IPList),
      min(@timestamp,  as=FirstSeen),
      max(@timestamp,  as=LastSeen)
    ]
  )
// Apply thresholds matching the KQL/SPL originals
| FailureCount >= 5
| SuccessCount >= 1
// Risk scoring scaled to unique source IP spread
| RiskScore := if(UniqueSourceIPs > 10, 95,
               if(UniqueSourceIPs > 5,  85,
               if(UniqueSourceIPs > 2,  70, 55)))
| WindowMinutes := (LastSeen - FirstSeen) / 60000
| DetectionType := "CredentialStuffingThenSuccess"
| sort(RiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Identity Threat Detection (ITD) CrowdStrike Falcon Insight XDR endpoint telemetry CrowdStrike Falcon Identity Protection — Azure AD connector CrowdStrike Falcon Identity Protection — Okta connector

Required Tables

Falcon telemetry: UserLogon Falcon telemetry: UserLogonFailed2 Falcon telemetry: AuthActivityAuditEvent

False Positives

Endpoint provisioning or imaging workflows where automated scripts attempt domain authentication from a freshly joined machine before the credential is fully propagated through AD replication, producing several Kerberos pre-authentication failures before the first successful logon
Falcon sensor deployment on shared RDS or Citrix terminal servers where multiple users log in sequentially during a peak business window — session-count policies may reject the first few attempts as FAILURE events before one session slot opens and succeeds
Domain-trust validation or SCCM/MECM network discovery scans that probe authentication endpoints on a fixed schedule using service-account credentials, generating periodic bursts of failure events if the discovery target has a different authentication policy than expected

Last updated: 2026-04-13 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1586 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Compromise Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Resource Development

Popular Detections