T1586 IBM QRadar · QRadar

Detect Compromised Accounts in IBM QRadar

This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1586 Compromise Accounts
Canonical reference: https://attack.mitre.org/techniques/T1586/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  username,
  domainid,
  FailureCount,
  SuccessCount,
  UniqueSourceIPs,
  FirstSeen,
  LastSeen,
  CASE
    WHEN UniqueSourceIPs > 10 THEN 95
    WHEN UniqueSourceIPs > 5  THEN 85
    WHEN UniqueSourceIPs > 2  THEN 70
    ELSE 55
  END AS RiskScore,
  'CredentialStuffingThenSuccess' AS DetectionType
FROM (
  SELECT
    username,
    domainid,
    SUM(CASE WHEN category = 5002 THEN 1 ELSE 0 END)  AS FailureCount,
    SUM(CASE WHEN category = 5000 THEN 1 ELSE 0 END)  AS SuccessCount,
    UNIQUECOUNT(sourceip)                             AS UniqueSourceIPs,
    DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
    DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen
  FROM events
  WHERE
    username IS NOT NULL
    AND username NOT IN ('-', '', 'N/A', 'SYSTEM', 'anonymous logon', 'ANONYMOUS LOGON')
    AND username NOT LIKE '%$'
    AND category IN (5000, 5002)
    AND starttime > NOW() - 86400000
  GROUP BY username, domainid
  HAVING
    SUM(CASE WHEN category = 5002 THEN 1 ELSE 0 END) >= 5
    AND SUM(CASE WHEN category = 5000 THEN 1 ELSE 0 END) >= 1
) AS CredentialStuffing
ORDER BY RiskScore DESC, FailureCount DESC
```

Severity: high · Confidence: high

QRadar AQL query detecting T1586 credential stuffing by aggregating QRadar high-level category 5000 (Authentication Success) and 5002 (Authentication Failed) events over a rolling 24-hour window. A subquery computes per-account failure and success counts and the number of unique source IPs; the outer query applies the risk score. Machine accounts (username ending in $) and built-in system accounts are excluded. Map this query to a Custom Rule with an offense threshold of 1 and a time-based correlation window of 24 hours. It covers every log source QRadar normalises to category 5000/5002, including Windows Security Event Log (DSM ID 12), Azure AD, and the Okta DSM. For impossible-travel coverage, add a second AQL rule grouping by username and LOGSOURCEID, filtered to logins with differing CATEGORY_NAME values for the country field extracted via a custom event property.
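To let an analyst unit-test the rule logic before deploying it as a Custom Rule, the following is an added example (not QRadar code and not part of the original page) that re-implements the AQL above in Python over constructed events, and also sketches the impossible-travel companion rule the paragraph mentions. Event dicts reuse the AQL field names (username, domainid, sourceip, category, starttime in epoch milliseconds); the country field, the ignore_source_ips tuning knob, the 60-minute travel threshold, and all sample users and IPs are assumptions made for the example.

```python
"""Offline model of the credential-stuffing rule above plus the impossible-travel
rule it sketches. Not QRadar code; field names mirror the AQL, 'country' stands in
for the custom event property the page says the second rule needs."""
from collections import defaultdict
from datetime import datetime, timezone

CAT_AUTH_SUCCESS = 5000     # category values as used in the AQL on this page
CAT_AUTH_FAILED = 5002
EXCLUDED_USERS = {"-", "", "N/A", "SYSTEM", "anonymous logon", "ANONYMOUS LOGON"}
DAY_MS = 86_400_000         # NOW() - 86400000 in the AQL


def fmt(ms):
    """Equivalent of DATEFORMAT(..., 'yyyy-MM-dd HH:mm:ss') in UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def risk_score(unique_ips):
    """The CASE expression of the outer query."""
    return 95 if unique_ips > 10 else 85 if unique_ips > 5 else 70 if unique_ips > 2 else 55


def detect_credential_stuffing(events, now_ms, min_failures=5, ignore_source_ips=frozenset()):
    """Mirror of the AQL: WHERE filter, GROUP BY (username, domainid), HAVING, score,
    ORDER BY. ignore_source_ips is an assumed tuning knob for the false-positive cases
    listed on this page (helpdesk workstation, shared NAT egress): those events are dropped."""
    groups = defaultdict(lambda: {"fail": 0, "ok": 0, "ips": set(), "times": []})
    for e in events:
        user = e.get("username")
        if user is None or user in EXCLUDED_USERS or user.endswith("$"):
            continue                                  # built-in and machine accounts
        if e["category"] not in (CAT_AUTH_SUCCESS, CAT_AUTH_FAILED):
            continue
        if e["starttime"] <= now_ms - DAY_MS:         # rolling 24-hour window
            continue
        if e["sourceip"] in ignore_source_ips:
            continue
        g = groups[(user, e["domainid"])]
        g["fail" if e["category"] == CAT_AUTH_FAILED else "ok"] += 1
        g["ips"].add(e["sourceip"])
        g["times"].append(e["starttime"])
    rows = []
    for (user, dom), g in groups.items():
        if g["fail"] >= min_failures and g["ok"] >= 1:   # HAVING clause
            rows.append({"username": user, "domainid": dom, "FailureCount": g["fail"],
                         "SuccessCount": g["ok"], "UniqueSourceIPs": len(g["ips"]),
                         "FirstSeen": fmt(min(g["times"])), "LastSeen": fmt(max(g["times"])),
                         "RiskScore": risk_score(len(g["ips"])),
                         "DetectionType": "CredentialStuffingThenSuccess"})
    rows.sort(key=lambda r: (-r["RiskScore"], -r["FailureCount"]))
    return rows


def detect_impossible_travel(events, max_gap_minutes=60):
    """Second rule the page sketches: per username, consecutive successful sign-ins whose
    country differs and that are closer in time than max_gap_minutes (threshold assumed)."""
    by_user = defaultdict(list)
    for e in events:
        if e["category"] == CAT_AUTH_SUCCESS and e.get("country"):
            by_user[e["username"]].append(e)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["starttime"])
        for prev, cur in zip(logins, logins[1:]):
            gap = (cur["starttime"] - prev["starttime"]) / 60_000
            if prev["country"] != cur["country"] and gap < max_gap_minutes:
                hits.append({"username": user, "from": prev["country"],
                             "to": cur["country"], "minutes": gap})
    return hits


# Constructed sample telemetry: documentation IP ranges, fictional users, fixed "now".
NOW_MS = 1_700_000_000_000


def _ev(user, cat, ip, minutes_ago, country=None, domainid=0):
    return {"username": user, "domainid": domainid, "category": cat, "sourceip": ip,
            "starttime": NOW_MS - minutes_ago * 60_000, "country": country}


SAMPLE_EVENTS = [
    # alice: six failures spread over three IPs, then a success -> score 70
    *[_ev("alice", CAT_AUTH_FAILED, f"203.0.113.{10 + i % 3}", 50 - 2 * i) for i in range(6)],
    _ev("alice", CAT_AUTH_SUCCESS, "203.0.113.12", 38, country="NL"),
    # dave: same pattern but every attempt via one shared NAT egress IP -> score 55
    *[_ev("dave", CAT_AUTH_FAILED, "198.51.100.1", 30 - i) for i in range(6)],
    _ev("dave", CAT_AUTH_SUCCESS, "198.51.100.1", 23),
    # bob: failures only, never succeeds -> does not satisfy the HAVING clause
    *[_ev("bob", CAT_AUTH_FAILED, "192.0.2.5", 20 - i) for i in range(5)],
    # WS01$: machine account -> excluded by the username filter
    *[_ev("WS01$", CAT_AUTH_FAILED, "192.0.2.8", 15 - i) for i in range(6)],
    _ev("WS01$", CAT_AUTH_SUCCESS, "192.0.2.8", 9),
    # frank: identical pattern but 25 hours ago -> outside the window
    *[_ev("frank", CAT_AUTH_FAILED, "192.0.2.9", 1500 + i) for i in range(6)],
    _ev("frank", CAT_AUTH_SUCCESS, "192.0.2.9", 1500),
    # carol: clean logins from two countries 20 minutes apart -> impossible travel
    _ev("carol", CAT_AUTH_SUCCESS, "198.51.100.7", 30, country="US"),
    _ev("carol", CAT_AUTH_SUCCESS, "192.0.2.20", 10, country="DE"),
]
```

Running detect_credential_stuffing(SAMPLE_EVENTS, NOW_MS) returns alice (score 70) ahead of dave (score 55); passing ignore_source_ips={"198.51.100.1"} removes dave, which is the NAT-egress tuning case from the false-positives list, while bob, WS01$ and frank never appear. detect_impossible_travel reports only carol. Keep the thresholds as parameters so a tuning change in the model can be carried over to the AQL rule verbatim.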

Data Sources

  • Windows Security Event Log (QRadar DSM 12)
  • Microsoft Azure Active Directory (QRadar DSM 352)
  • Okta (QRadar DSM 617)
  • IBM Security Identity and Access Assurance

Required Tables

events

False Positives & Tuning

  • Helpdesk-assisted password resets where a support agent attempts authentication multiple times on behalf of an end user from the helpdesk workstation IP before succeeding, producing 5+ failures followed by a success under a single username
  • Automated deployment or CI/CD pipelines carrying stale service-account credentials that cycle through connection retries before a secrets-manager refresh injects the current token, generating repeated failure events in quick succession
  • QRadar log-source misconfiguration where a shared NAT egress IP aggregates authentication attempts from dozens of internal endpoints, inflating UniqueSourceIPs and producing risk-score spikes that do not reflect actual multi-source attacks

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate a credential stuffing authentication pattern using PowerShell against Azure AD

    Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.

  2. Test 2: Simulate a legacy protocol authentication bypass against Exchange Online (SMTP AUTH)

    Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.

  3. Test 3: Simulate account compromise indicators via failed then successful Windows network logons from multiple sources

    Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. The source workstation will be the executing host.
