Detect Compromise Accounts in Splunk
This detection identifies indicators of compromised accounts being leveraged against the organization: credential stuffing that transitions from repeated failures to success, impossible-travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. T1586 is a Resource Development (formerly PRE-ATT&CK) technique that takes place outside the victim environment, so the observable artifacts are the authentication events generated when adversaries use the stolen credentials or session material against organizational identity providers, including Azure AD, on-premises Active Directory, and SaaS application login flows. The SPL query below covers the failure-then-success pattern in Windows Security event logs; the impossible-travel, infrastructure-reputation and MFA-bypass indicators require the identity provider's sign-in telemetry and are not produced by this query.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1586 Compromise Accounts
- Canonical reference: https://attack.mitre.org/techniques/T1586/
SPL Detection Query
index=* (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
EventCode IN (4624, 4625, 4648, 4776)
| eval NtlmStatus=coalesce('Status', 'Error_Code')
| eval AuthResult=case(
    EventCode=="4624", "Success",
    EventCode=="4625", "Failure",
    EventCode=="4648", "ExplicitCred",
    EventCode=="4776" AND NtlmStatus=="0x0", "Success",
    EventCode=="4776", "Failure",
    true(), "Unknown"
)
| eval TargetUser=coalesce('TargetUserName', 'Logon_Account', 'Account_Name')
| eval TargetDomainName=coalesce('TargetDomainName', 'Account_Domain')
| where TargetUser!="-" AND TargetUser!="" AND NOT match(TargetUser, "\$$")
| eval IpAddress=coalesce('IpAddress', 'Source_Network_Address')
| eval IpAddress=if(IpAddress=="-" OR IpAddress=="127.0.0.1" OR IpAddress=="::1", null(), IpAddress)
| stats
    count(eval(AuthResult=="Failure")) AS FailureCount,
    count(eval(AuthResult=="Success" OR AuthResult=="ExplicitCred")) AS SuccessCount,
    min(eval(if(AuthResult=="Failure", _time, null()))) AS FirstFailure,
    max(eval(if(AuthResult=="Success" OR AuthResult=="ExplicitCred", _time, null()))) AS LastSuccess,
    dc(IpAddress) AS UniqueIPs,
    values(IpAddress) AS IPList,
    values(WorkstationName) AS WorkstationList,
    min(_time) AS FirstSeen,
    max(_time) AS LastSeen
    by TargetUser, TargetDomainName
| where FailureCount >= 5 AND SuccessCount >= 1 AND LastSuccess > FirstFailure
| eval WindowMinutes=round((LastSeen - FirstSeen) / 60, 1)
| eval RiskScore=case(
    UniqueIPs > 10, 95,
    UniqueIPs > 5, 85,
    UniqueIPs > 2, 70,
    true(), 55
)
| eval DetectionType="CredentialStuffingThenSuccess"
| table TargetUser, TargetDomainName, FailureCount, SuccessCount, UniqueIPs,
    IPList, WorkstationList, WindowMinutes, RiskScore, DetectionType, FirstSeen, LastSeen
| sort - RiskScore
Detects credential stuffing and account compromise patterns in Windows Security event logs by correlating authentication failures (EventCode 4625, and EventCode 4776 with a non-zero Status/Error_Code) with subsequent successes (EventCode 4624 and 4648, and EventCode 4776 with status 0x0) per user account. EventCode 4776 is NTLM credential validation by the domain controller, not Kerberos, and it carries its own result code, which is why it is split into success and failure rather than treated as a single category. EventCode 4648 records a logon attempt with explicit credentials, not a confirmed success; it is counted on the success side here so that runas-style pivots after a stuffing burst are not missed, and can be dropped from SuccessCount if that proves noisy. Accounts are flagged when they have 5 or more failures and at least one success that occurs after the first failure (the LastSuccess > FirstFailure clause enforces the ordering that "failures followed by success" implies; counts alone do not). Machine accounts are excluded by the "\$$" regex, which matches names ending in a dollar sign. The unique source IP count drives the risk score, and the source workstations and IP addresses are surfaced for rapid analyst triage. The query has no internal time window, so the search's time range is the correlation window; schedule it over a short span (for example the last 60 minutes) and replace index=* with the index that actually carries Windows Security events, otherwise the stats aggregation runs over far more data than it needs.
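The same correlation, written in Python as an added example (not code from the original page) so the thresholds, the machine-account filter and the failure-before-success ordering check can be exercised offline. It assumes the XmlWinEventLog:Security field names (TargetUserName, TargetDomainName, IpAddress, Status) and runs over a constructed set of events rather than real telemetry; the sample includes a machine account and an account that succeeded before it failed, both of which the logic must leave out.

```python
"""Offline re-implementation of the CredentialStuffingThenSuccess SPL logic.

Added example, not the original page's code. Event dicts mimic the
XmlWinEventLog:Security fields; _time is epoch seconds as in Splunk.
"""
import re
from collections import defaultdict

FAILURE_CODES = {4625}
SUCCESS_CODES = {4624, 4648}           # 4648 counted as success, as in the SPL
LOOPBACK = {"-", "127.0.0.1", "::1", "", None}
MACHINE_ACCOUNT = re.compile(r"\$$")   # names ending in '$' are machine accounts


def auth_result(ev):
    """Map one event to Success/Failure/Unknown. 4776 is NTLM credential
    validation and carries its own Status: 0x0 is accepted, else failure."""
    code = ev["EventCode"]
    if code == 4776:
        return "Success" if ev.get("Status", "0x0") == "0x0" else "Failure"
    if code in FAILURE_CODES:
        return "Failure"
    if code in SUCCESS_CODES:
        return "Success"
    return "Unknown"


def risk_score(unique_ips):
    """Same banding as the SPL case() on UniqueIPs."""
    if unique_ips > 10:
        return 95
    if unique_ips > 5:
        return 85
    if unique_ips > 2:
        return 70
    return 55


def detect(events, min_failures=5):
    """One finding per (user, domain) with >= min_failures failures and at
    least one success that happened after the first failure."""
    per_user = defaultdict(list)
    for ev in events:
        user = ev.get("TargetUserName", "")
        if user in ("-", "") or MACHINE_ACCOUNT.search(user):
            continue
        per_user[(user, ev.get("TargetDomainName", ""))].append(ev)

    findings = []
    for (user, domain), evs in per_user.items():
        evs.sort(key=lambda e: e["_time"])
        failures = [e for e in evs if auth_result(e) == "Failure"]
        successes = [e for e in evs if auth_result(e) == "Success"]
        if len(failures) < min_failures or not successes:
            continue
        # Ordering check: the latest success must come after the first failure,
        # otherwise this is "logged in, then later failed", not stuffing-then-success.
        if successes[-1]["_time"] <= failures[0]["_time"]:
            continue
        ips = {e.get("IpAddress") for e in evs} - LOOPBACK
        findings.append({
            "TargetUser": user,
            "TargetDomainName": domain,
            "FailureCount": len(failures),
            "SuccessCount": len(successes),
            "UniqueIPs": len(ips),
            "IPList": sorted(ips),
            "WindowMinutes": round((evs[-1]["_time"] - evs[0]["_time"]) / 60, 1),
            "RiskScore": risk_score(len(ips)),
            "DetectionType": "CredentialStuffingThenSuccess",
        })
    return sorted(findings, key=lambda f: -f["RiskScore"])


def sample_events():
    """Constructed telemetry (not real logs): six 4625s for jdoe from three
    IPs then one 4624; a 4776 failure for machine account WS01$; and asmith,
    who succeeded first and only failed afterwards."""
    t0 = 1_700_000_000
    evs = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"] * 2):
        evs.append({"_time": t0 + 10 * i, "EventCode": 4625, "TargetUserName": "jdoe",
                    "TargetDomainName": "CORP", "IpAddress": ip, "SubStatus": "0xC000006A"})
    evs.append({"_time": t0 + 120, "EventCode": 4624, "TargetUserName": "jdoe",
                "TargetDomainName": "CORP", "IpAddress": "203.0.113.12"})
    evs.append({"_time": t0 + 130, "EventCode": 4776, "TargetUserName": "WS01$",
                "TargetDomainName": "CORP", "IpAddress": "-", "Status": "0xC000006A"})
    evs.append({"_time": t0, "EventCode": 4624, "TargetUserName": "asmith",
                "TargetDomainName": "CORP", "IpAddress": "10.0.0.5"})
    for i in range(6):
        evs.append({"_time": t0 + 200 + i, "EventCode": 4625, "TargetUserName": "asmith",
                    "TargetDomainName": "CORP", "IpAddress": "10.0.0.5", "SubStatus": "0xC000006A"})
    return evs


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Running it yields a single finding for jdoe (6 failures, 1 success, 3 unique IPs, RiskScore 70, a 2.0-minute window); WS01$ is dropped by the machine-account regex and asmith by the ordering check, which is the behaviour the SPL's LastSuccess > FirstFailure clause provides.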
Data Sources
- Windows Security event log from domain controllers and member servers (EventCodes 4624, 4625, 4648, 4776), collected by the Splunk Universal Forwarder or Splunk Add-on for Microsoft Windows
Required Sourcetypes
- WinEventLog:Security
- XmlWinEventLog:Security
False Positives & Tuning
- Service accounts with stale cached credentials during password rotation will generate failure spikes followed by a successful login once credentials are updated; maintain a service account allowlist and correlate with change management windows
- Kerberos pre-authentication failures (EventCode 4771) caused by clock skew or stale cached credentials are not ingested by this query, but a burst of NTLM 4776 failures for the same account can precede a successful 4624 for the same benign reason; check the 4776 Status/Error_Code before escalating (0xC000006A bad password, 0xC0000234 locked out, 0xC0000072 disabled, 0xC0000064 unknown user) and correlate with DC time-sync logs when 4771 events are also present
- Domain controller replication events and inter-domain trust authentication can produce 4776 failures from machine accounts before succeeding; the query's match(TargetUser, "\$$") clause excludes account names ending in '$' for this reason, so keep that filter in place when tuning
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that Tests 1 and 2 generate Azure AD sign-in telemetry (AADSignInLogs and AADRiskyUsers are the Sentinel/Log Analytics table names; in Splunk the same data arrives through the Microsoft cloud add-ons under a different sourcetype) and will not trigger the Windows-only SPL query above; only Test 3 produces the domain controller EventCode 4625/4624 events this query consumes.
- Test 1: Simulate credential stuffing authentication pattern using PowerShell against Azure AD
Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.
- Test 2: Simulate legacy protocol authentication bypass against Exchange Online (SMTP AUTH)
Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.
- Test 3: Simulate account compromise indicators via failed then successful Windows network logon from multiple sources
Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. If the logon uses NTLM, the DC also records a 4776 per attempt with Error_Code/Status 0xC000006A for each failure and 0x0 for the success. Source workstation will be the executing host. Because the query groups by account rather than by source, run the failures from at least three source addresses to exercise the UniqueIPs > 2 risk band.
References
- https://attack.mitre.org/techniques/T1586/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.justice.gov/opa/pr/nigerian-national-sentenced-prison-compromising-email-accounts-business-email-compromise
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection
- https://www.cisa.gov/sites/default/files/publications/Multifactor-Authentication-Fact-Sheet-FINAL.pdf