Detect Compromise Accounts in Google Chronicle
This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1586 Compromise Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1586/
YARA-L Detection Query
rule t1586_impossible_travel_authentication {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1586 Compromise Accounts — impossible travel: a single identity authenticates successfully from two different countries within 60 minutes, strongly indicating stolen credentials or AiTM session-token theft via toolkits such as Evilginx2 or Modlishka"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586"
    mitre_attack_subtechnique = "T1586.003"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1586/"
    created = "2025-01-01"

  events:
    // First successful authentication
    $e1.metadata.event_type = "USER_LOGIN"
    $e1.security_result.action = "ALLOW"
    $e1.principal.user.userid = $userid
    $e1.principal.location.country_or_region = $country1
    $country1 != ""
    $e1.principal.ip != ""

    // Second successful authentication — same user, different country
    $e2.metadata.event_type = "USER_LOGIN"
    $e2.security_result.action = "ALLOW"
    $e2.principal.user.userid = $userid
    $e2.principal.location.country_or_region = $country2
    $country2 != ""
    $e2.principal.ip != ""

    // Must originate from different countries
    $country1 != $country2

    // Second login must follow the first chronologically
    $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds

  match:
    $userid over 1h

  outcome:
    $risk_score = max(90)
    $country_first = array_distinct($e1.principal.location.country_or_region)
    $country_second = array_distinct($e2.principal.location.country_or_region)
    $source_ips = array_distinct($e1.principal.ip)
    $target_apps = array_distinct($e1.target.application)

  condition:
    #e1 > 0 and #e2 > 0
}

Chronicle YARA-L 2.0 detection rule for T1586 using the impossible-travel signal: two UDM USER_LOGIN events with security_result.action ALLOW for the same userid but different principal.location.country_or_region values within a 60-minute match window. This pattern is a high-confidence indicator of credential theft or adversary-in-the-middle session hijacking, since no legitimate user can physically travel between countries in under an hour. The rule correlates events via the match block time window, binds the first and second login to separate event variables ($e1/$e2), and enforces chronological ordering. For credential-stuffing coverage, deploy a companion rule that matches on #fail >= 5 and #success >= 1 for the same userid over 24h, using security_result.action BLOCK and ALLOW respectively. Chronicle's UDM normalisation layer ingests Azure AD, Google Workspace, and Okta sources and maps them to the USER_LOGIN event type automatically.
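The companion credential-stuffing rule described above, written out in full as an added example; it is not part of the original page or the Argus rule set. The meta values are placeholders, and the use of metadata.id as the counted field in the outcome section is an assumption.

```yaral
// Added example rule, not the page's own; meta values are placeholders.
rule t1586_credential_stuffing_fail_then_success {
  meta:
    author = "example"
    description = "T1586 Compromise Accounts - credential stuffing: five or more failed logins for one identity followed by at least one successful login within 24 hours"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1586"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1586/"

  events:
    // Failed authentications, normalised by UDM to security_result.action BLOCK
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.user.userid = $userid
    $fail.principal.ip != ""

    // The eventual successful authentication for the same identity
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.user.userid = $userid
    $success.principal.ip != ""

    // The success must come after the failures, otherwise an ordinary
    // user session followed by later typos would match
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    $userid over 24h

  outcome:
    $risk_score = max(75)
    // Failing and succeeding source IPs are kept separate: the success
    // arriving from a different address than the failures is useful in triage
    $failure_source_ips = array_distinct($fail.principal.ip)
    $success_source_ips = array_distinct($success.principal.ip)
    $target_apps = array_distinct($success.target.application)
    // Assumption: metadata.id is populated by the parser for each login event
    $failed_attempts = count($fail.metadata.id)

  condition:
    // Thresholds taken from the companion-rule guidance above
    #fail >= 5 and #success >= 1
}
```

Tune the failure threshold against the false-positive sources listed below, in particular service accounts whose integrations retry with stale credentials before a rotation completes.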
False Positives & Tuning
- Corporate VPN services with geographically distributed exit nodes where a user connects to two different VPN gateways in sequence — the identity provider sees authentication from two countries while the user has not moved
- CDN or reverse-proxy infrastructure that rewrites the source IP on authenticated API calls, causing the second programmatic authentication to appear to originate from the CDN's country rather than the user's country
- Automated CI/CD or API integration service accounts that authenticate from cloud infrastructure in one AWS or GCP region while a developer simultaneously authenticates from their home country, both using the same service-account identity
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate credential stuffing authentication pattern using PowerShell against Azure AD
  Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.
- Test 2: Simulate legacy protocol authentication bypass against Exchange Online (SMTP AUTH)
  Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.
- Test 3: Simulate account compromise indicators via failed then successful Windows network logon from multiple sources
  Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. Source workstation will be the executing host.
References
- https://attack.mitre.org/techniques/T1586/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.justice.gov/opa/pr/nigerian-national-sentenced-prison-compromising-email-accounts-business-email-compromise
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection
- https://www.cisa.gov/sites/default/files/publications/Multifactor-Authentication-Fact-Sheet-FINAL.pdf