T1586 CrowdStrike LogScale · LogScale

Detect Compromise Accounts in CrowdStrike LogScale

This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1586 Compromise Accounts
Canonical reference
https://attack.mitre.org/techniques/T1586/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1586 Compromise Accounts — Credential Stuffing via Falcon Identity Protection telemetry
#event_simpleName in ("UserLogon", "UserLogonFailed2", "AuthActivityAuditEvent")
| case {
    #event_simpleName = "UserLogon"        | IsSuccess := 1 | IsFailure := 0 ;
    #event_simpleName = "UserLogonFailed2" | IsSuccess := 0 | IsFailure := 1 ;
    *                                       | IsSuccess := 0 | IsFailure := 0 ;
  }
// Exclude machine accounts and empty usernames
| UserName != ""
| UserName != "-"
| not regex("^.+\\$$", field=UserName)
| groupBy(
    [UserName, UserDomain],
    function=[
      sum(IsFailure,   as=FailureCount),
      sum(IsSuccess,   as=SuccessCount),
      uniqueCount(RemoteAddressIP4, as=UniqueSourceIPs),
      collect(RemoteAddressIP4, limit=10, as=IPList),
      min(@timestamp,  as=FirstSeen),
      max(@timestamp,  as=LastSeen)
    ]
  )
// Apply thresholds matching the KQL/SPL originals
| FailureCount >= 5
| SuccessCount >= 1
// Risk scoring scaled to unique source IP spread
| RiskScore := if(UniqueSourceIPs > 10, 95,
               if(UniqueSourceIPs > 5,  85,
               if(UniqueSourceIPs > 2,  70, 55)))
| WindowMinutes := (LastSeen - FirstSeen) / 60000
| DetectionType := "CredentialStuffingThenSuccess"
| sort(RiskScore, order=desc)
high severity medium confidence

CrowdStrike Falcon LogScale query correlating UserLogon (success) and UserLogonFailed2 (failure) events from Falcon's endpoint telemetry and Identity Protection module. Pre-classifies each event as success or failure using a case expression, excludes machine accounts and empty usernames, then groups by username and domain to compute failure count, success count, unique source IPs, and time window. Applies the same thresholds as the originating KQL and SPL queries (FailureCount >= 5, SuccessCount >= 1) and produces a risk score scaled to IP spread. Requires Falcon Identity Threat Detection (ITD) or Falcon Identity Protection licensing for domain-joined Windows endpoints; cloud identity provider sign-in events (Azure AD, Okta) are available when the Falcon Identity connector is configured. Save as a Scheduled Alert with a 24-hour lookback window and alert on any result. For ASN-based detection, supplement with an ExternalIP enrichment lookup and filter on ASN names matching bulletproof hosting providers.

Data Sources

CrowdStrike Falcon Identity Threat Detection (ITD)CrowdStrike Falcon Insight XDR endpoint telemetryCrowdStrike Falcon Identity Protection — Azure AD connectorCrowdStrike Falcon Identity Protection — Okta connector

Required Tables

Falcon telemetry: UserLogonFalcon telemetry: UserLogonFailed2Falcon telemetry: AuthActivityAuditEvent

False Positives & Tuning

  • Endpoint provisioning or imaging workflows where automated scripts attempt domain authentication from a freshly joined machine before the credential is fully propagated through AD replication, producing several Kerberos pre-authentication failures before the first successful logon
  • Falcon sensor deployment on shared RDS or Citrix terminal servers where multiple users log in sequentially during a peak business window — session-count policies may reject the first few attempts as FAILURE events before one session slot opens and succeeds
  • Domain-trust validation or SCCM/MECM network discovery scans that probe authentication endpoints on a fixed schedule using service-account credentials, generating periodic bursts of failure events if the discovery target has a different authentication policy than expected
Download portable Sigma rule (.yml)

Other platforms for T1586

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate credential stuffing authentication pattern using PowerShell against Azure AD

    Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.

  2. Test 2Simulate legacy protocol authentication bypass against Exchange Online (SMTP AUTH)

    Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.

  3. Test 3Simulate account compromise indicators via failed then successful Windows network logon from multiple sources

    Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. Source workstation will be the executing host.

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1586 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1598Phishing for InformationT1110Brute ForceT1110.001Password GuessingT1110.004Credential StuffingT1566PhishingT1534Internal SpearphishingT1539Steal Web Session CookieT1078Valid AccountsT1585Establish AccountsT1586.001Social Media AccountsT1586.002Email AccountsT1586.003Cloud Accounts

Same Tactic: Resource Development

Popular Detections