T1586 Elastic Security · Elastic

Detect Compromise Accounts in Elastic Security

This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1586 Compromise Accounts
Canonical reference: https://attack.mitre.org/techniques/T1586/

Elastic Detection Query

Elastic Security (Elastic)
Query language: EQL (Signal 3 is given in ES|QL)
/* Signal 1: Credential Stuffing — 5+ failures then success within 24h */
sequence by user.name with maxspan=24h
  [authentication where event.outcome == "failure"
    and not (event.provider : "azure_ad"
      and error.code : ("50053", "50076"))]
  with runs=5
  [authentication where event.outcome == "success"]

/* Signal 2: Successful login from bulletproof / anonymisation ASN — deploy as a separate detection rule:
authentication where event.outcome == "success"
  and source.as.organization.name : (
    "M247*", "Frantech*", "Sharktech*", "Psychz*",
    "Quasi Networks*", "Alexhost*", "Serverius*", "Combahton*",
    "FranTech*", "ITL-Bulgaria*"
  )
  and user.name != null
  and user.domain != null
*/

/* Signal 3: Impossible travel — two successful logins from different countries
   within 60 min cannot be expressed in EQL (no multi-event aggregation).
   Implement as an ES|QL query:
   FROM logs-azure.signinlogs-*
   | WHERE event.outcome == "success"
     AND source.geo.country_iso_code IS NOT NULL
   | STATS countries = COUNT_DISTINCT(source.geo.country_iso_code),
           ip_list = VALUES(source.ip)
     BY user.name, BUCKET(@timestamp, 1 hour)
   | WHERE countries > 1
*/
Severity: high. Confidence: high.

Covers T1586 Compromise Accounts with three signals. Signal 1, the deployable EQL rule above, identifies credential stuffing: five or more authentication failures followed by a successful login for the same identity within 24 hours, skipping the Azure AD lockout and MFA-challenge noise codes 50053 and 50076. Signal 2 (included as a comment for separate deployment) fires on any successful authentication originating from ASNs associated with bulletproof hosting or anonymisation infrastructure. Signal 3 (impossible travel) cannot be expressed in EQL, whose event-centric model has no multi-event aggregation, so it is provided as a companion ES|QL query. Requiring the success to follow the failures in one sequence, rather than alerting on either independently, keeps the false-positive rate down.
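The three signals, reimplemented in Python over a constructed batch of ECS-shaped authentication events so the logic can be exercised offline. This is an added example, not Elastic's code or a rule shipped with Elastic Security; the events, IPs and coordinates are made up, the 900 km/h speed and 50 km distance thresholds are assumptions, and error code 50126 is Azure AD's invalid-credentials code, used here as the non-noise failure. Signal 1 approximates the EQL `with runs=5` sequence as "at least five counted failures in the window before a success"; Signal 3 compares each success with the user's previous one, which catches pairs that straddle the fixed one-hour boundary of the `BUCKET(@timestamp, 1 hour)` grouping in the ES|QL version.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample telemetry (not real sign-in data). All times are UTC.
BASE = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)

def ev(minute, user, outcome, ip, lat, lon, provider="azure_ad", code=None, asn=None):
    """Build one ECS-shaped authentication event for the sample batch."""
    return {
        "@timestamp": BASE + timedelta(minutes=minute),
        "event": {"outcome": outcome, "provider": provider},
        "error": {"code": code},
        "user": {"name": user},
        "source": {
            "ip": ip,
            "geo": {"location": {"lat": lat, "lon": lon}},
            "as": {"organization": {"name": asn}},
        },
    }

SAMPLE_EVENTS = [
    # alice: five bad-password failures (50126), one MFA-required "failure" (50076)
    # that the rule excludes, then a success, all from London
    *[ev(m, "alice", "failure", "203.0.113.10", 51.51, -0.13, code="50126") for m in range(5)],
    ev(5, "alice", "failure", "203.0.113.10", 51.51, -0.13, code="50076"),
    ev(6, "alice", "success", "203.0.113.10", 51.51, -0.13),
    # alice again 40 minutes later from Sydney: impossible travel
    ev(46, "alice", "success", "198.51.100.7", -33.87, 151.21),
    # bob: two typos, a success from New York, then Boston two hours later (plausible)
    ev(0, "bob", "failure", "192.0.2.5", 40.71, -74.01, code="50126"),
    ev(1, "bob", "failure", "192.0.2.5", 40.71, -74.01, code="50126"),
    ev(2, "bob", "success", "192.0.2.5", 40.71, -74.01),
    ev(120, "bob", "success", "192.0.2.9", 42.36, -71.06),
    # carol: a clean success whose source ASN is on the rule's hosting list
    ev(10, "carol", "success", "203.0.113.77", 45.46, 9.19, asn="M247 Europe SRL"),
]

NOISE_CODES = {"50053", "50076"}  # Azure AD lockout / MFA-required, excluded by the rule
HOSTING_ASN_PREFIXES = ("m247", "frantech", "sharktech", "psychz", "quasi networks",
                        "alexhost", "serverius", "combahton", "itl-bulgaria")

def credential_stuffing(events, runs=5, maxspan=timedelta(hours=24)):
    """Signal 1: a success preceded by at least `runs` counted failures for the
    same user.name within `maxspan`. Noise codes are dropped before counting,
    as the rule's `and not (...)` clause does. Returns the matched user names."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        by_user[e["user"]["name"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        failures = []
        for e in evs:
            if e["event"]["outcome"] == "failure":
                if e["event"]["provider"] == "azure_ad" and e["error"]["code"] in NOISE_CODES:
                    continue
                failures.append(e["@timestamp"])
            elif e["event"]["outcome"] == "success":
                if sum(1 for t in failures if e["@timestamp"] - t <= maxspan) >= runs:
                    hits.add(user)
                failures = []  # a success closes the window; start counting afresh
    return hits

def hosting_asn_logins(events):
    """Signal 2: successes whose source ASN name starts with a listed hosting
    provider. EQL's `:` with a trailing `*` is a case-insensitive prefix match."""
    return sorted(
        (e["user"]["name"], e["source"]["as"]["organization"]["name"])
        for e in events
        if e["event"]["outcome"] == "success"
        and (e["source"]["as"]["organization"]["name"] or "").lower().startswith(HOSTING_ASN_PREFIXES)
    )

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Signal 3: consecutive successes for one user whose implied speed exceeds
    `max_kmh`. Each success is compared with the previous one, so a pair that
    straddles a fixed one-hour bucket boundary is still caught.
    Returns {user: highest implied speed in km/h}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e["event"]["outcome"] == "success":
            by_user[e["user"]["name"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            a, b = prev["source"]["geo"]["location"], cur["source"]["geo"]["location"]
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            # floor the interval at one second so a same-timestamp pair cannot divide by zero
            hours = max((cur["@timestamp"] - prev["@timestamp"]).total_seconds() / 3600, 1 / 3600)
            if km >= min_km and km / hours > max_kmh:  # min_km ignores geo-IP jitter
                hits[user] = max(hits.get(user, 0.0), km / hours)
    return hits
```

Running the three functions over `SAMPLE_EVENTS` flags alice for both credential stuffing and impossible travel and carol for the hosting ASN, while bob's two typos and his plausible New York to Boston pair produce nothing. The `runs` and `maxspan` parameters mirror the EQL rule's tuning knobs; raising `runs` to 6 clears alice's credential-stuffing hit because the 50076 event is excluded from the count, which is the behaviour the rule's `and not (...)` clause is meant to give.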

Data Sources

  • Microsoft Azure AD Sign-in Logs (azure.signinlogs)
  • Microsoft Entra ID (entra.signinlogs)
  • Windows Security Event Log via Winlogbeat or Elastic Agent
  • Okta System Log via Elastic integration

Required Tables

  • logs-azure.signinlogs-*
  • logs-azure.auditlogs-*
  • winlogbeat-*
  • .ds-logs-system.auth-*
  • logs-okta.system-*

False Positives & Tuning

  • Authorised red-team or penetration-testing exercises deliberately generating credential stuffing patterns against internal accounts — confirm against a known-testing calendar before escalating
  • Corporate VPN or cloud proxy services whose exit nodes are hosted on ASNs flagged as bulletproof hosting (M247 carries significant legitimate SaaS traffic); validate by correlating the device identity and enriching the IP against threat-intel feeds rather than relying solely on ASN name
  • Users who forget their password on a Monday morning and attempt several times before successfully using a self-service reset link, producing the failure-then-success pattern from a single residential IP
  • Service accounts with scheduled tasks carrying a stale password that retry authentication until the credential rotation cycle completes and the new secret is injected
  • Password-change flows in Azure AD that briefly invalidate the session token and trigger a transient 401/failure before the new credential is accepted

Testing Methodology

Validate this detection against the three Atomic Red Team adversary techniques below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate credential stuffing authentication pattern using PowerShell against Azure AD

    Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.

  2. Test 2: Simulate legacy protocol authentication bypass against Exchange Online (SMTP AUTH)

    Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.

  3. Test 3: Simulate account compromise indicators via failed then successful Windows network logon from multiple sources

    Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. Source workstation will be the executing host.
