T1589.001 Credentials Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Primary: Detect credential stuffing — gathered credentials being tested against Azure AD / Entra ID
// High volume of authentication failures across many distinct accounts from a single source IP
let StuffingAccountThreshold = 10;
let LookbackPeriod = 24h;
let TimeWindowBin = 1h;
let FailedSignins = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType !in ("0", "50140", "50074", "50076") // Exclude success, 'stay signed in', MFA interrupts
| where IPAddress != ""
| summarize
    FailedAttempts = count(),
    UniqueTargetAccounts = dcount(UserPrincipalName),
    TargetAccounts = make_set(UserPrincipalName, 25),
    TargetApps = make_set(AppDisplayName, 10),
    ErrorCodes = make_set(ResultType, 10),
    Countries = make_set(tostring(LocationDetails.countryOrRegion), 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, bin(TimeGenerated, TimeWindowBin);
FailedSignins
| where UniqueTargetAccounts >= StuffingAccountThreshold
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(LookbackPeriod)
    | where ResultType == "0"
    | summarize
        SuccessfulLogins = count(),
        SuccessAccounts = make_set(UserPrincipalName, 10),
        SuccessApps = make_set(AppDisplayName, 5)
        by IPAddress
) on IPAddress
| extend SuccessfulLogins = coalesce(SuccessfulLogins, 0)
| extend IsSuccessfulStuffing = SuccessfulLogins > 0
| extend RiskScore = case(
    IsSuccessfulStuffing and UniqueTargetAccounts >= 50, "Critical",
    IsSuccessfulStuffing and UniqueTargetAccounts >= 10, "High",
    not IsSuccessfulStuffing and UniqueTargetAccounts >= 50, "High",
    not IsSuccessfulStuffing and UniqueTargetAccounts >= 10, "Medium",
    "Low"
)
| project
    TimeWindow = TimeGenerated,
    IPAddress,
    FailedAttempts,
    UniqueTargetAccounts,
    TargetAccounts,
    TargetApps,
    ErrorCodes,
    Countries,
    SuccessfulLogins,
    SuccessAccounts,
    IsSuccessfulStuffing,
    RiskScore,
    FirstSeen,
    LastSeen
| sort by UniqueTargetAccounts desc

high severity medium confidence

Data Sources

Authentication Logs: Azure AD / Entra ID Sign-in Logs Identity: Sign-in Activity Microsoft Sentinel: SigninLogs

Required Tables

SigninLogs

False Positives

Misconfigured applications using stale or rotated credentials — the app retries authentication against multiple user endpoints generating mass failures from a single service IP
Large corporate NAT gateway or shared egress IP — multiple users failing authentication over a short window may be attributed to the same external IP and exceed thresholds
Automated integration testing or load testing pipelines that enumerate user accounts against authentication endpoints as part of CI/CD validation
Password synchronization tools during bulk password resets — Active Directory federation services may produce burst authentication failures across many accounts
Legacy email clients or mobile apps that aggressively retry authentication after password changes, generating multi-account failures when service accounts share an IP

Splunk

spl

// Detect credential stuffing via Windows Security Event logs (NTLM + Kerberos pre-auth failures)
// Targets: 4625 (failed logon), 4776 (NTLM credential validation failure)
index=wineventlog (sourcetype="WinEventLog:Security") (EventCode=4625 OR EventCode=4776)
| eval AccountName=coalesce('TargetUserName', 'Account_Name')
| eval SourceAddress=coalesce('IpAddress', 'Source_Network_Address', 'Workstation_Name')
| eval LogonType=coalesce('Logon_Type', "unknown")
| eval SubStatus=coalesce('Sub_Status', 'Status', "")
| where NOT (AccountName IN ("", "-", "ANONYMOUS LOGON", "IUSR") OR SourceAddress IN ("", "-", "::1", "127.0.0.1", "localhost"))
| bucket _time span=1h
| stats
    count as TotalFailures,
    dc(AccountName) as UniqueAccounts,
    values(AccountName) as AccountList,
    values(SubStatus) as SubStatusCodes,
    values(LogonType) as LogonTypes,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by _time, SourceAddress, host
| where UniqueAccounts >= 10
| appendcols
    [search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    | eval SuccessSourceAddress=coalesce('IpAddress', 'Source_Network_Address', 'Workstation_Name')
    | eval SuccessAccount=coalesce('TargetUserName', 'Account_Name')
    | stats count as SuccessCount, values(SuccessAccount) as SuccessAccounts by SuccessSourceAddress
    | rename SuccessSourceAddress as SourceAddress]
| eval SuccessCount=coalesce(SuccessCount, 0)
| eval IsSuccessfulStuffing=if(SuccessCount > 0, 1, 0)
| eval RiskScore=case(
    IsSuccessfulStuffing=1 AND UniqueAccounts >= 50, "Critical",
    IsSuccessfulStuffing=1 AND UniqueAccounts >= 10, "High",
    IsSuccessfulStuffing=0 AND UniqueAccounts >= 50, "High",
    IsSuccessfulStuffing=0 AND UniqueAccounts >= 10, "Medium",
    1==1, "Low"
)
| table _time, host, SourceAddress, TotalFailures, UniqueAccounts, AccountList, SubStatusCodes, LogonTypes, SuccessCount, SuccessAccounts, IsSuccessfulStuffing, RiskScore, FirstSeen, LastSeen
| sort - UniqueAccounts

high severity medium confidence

Data Sources

Authentication: Windows Security Event Log Process: Sysmon Windows Event ID 4625 — Failed Logon Windows Event ID 4776 — NTLM Credential Validation Windows Event ID 4624 — Successful Logon

Required Sourcetypes

WinEventLog:Security

False Positives

Corporate VPN concentrators or proxy servers with a single egress IP — many users behind the same outbound address triggering threshold from normal authentication patterns across business hours
Misconfigured service accounts attempting authentication with incorrect credentials against domain controllers — service restart or config change scenarios
Automated vulnerability scanners in the network that probe authentication services as part of authorized security assessments
Legacy RADIUS or TACACS authentication relays that aggregate authentication failures from many endpoints under a single source IP
Help desk tools performing bulk account status checks or password verification operations during incident response or provisioning workflows

Elastic Security (EQL)

eql

FROM logs-system.security-*, logs-windows.security-*, winlogbeat-*
| WHERE @timestamp > NOW() - 24 hours
| WHERE event.code IN ("4625", "4776")
| WHERE source.ip IS NOT NULL AND source.ip != "127.0.0.1" AND source.ip != "::1" AND source.ip != ""
| WHERE user.name IS NOT NULL AND user.name != "" AND user.name != "-" AND user.name != "ANONYMOUS LOGON"
| STATS
    failed_attempts = COUNT(*),
    unique_accounts = COUNT_DISTINCT(user.name),
    first_seen = MIN(@timestamp),
    last_seen = MAX(@timestamp)
  BY source.ip, BUCKET(@timestamp, 1 hour)
| WHERE unique_accounts >= 10
| SORT unique_accounts DESC

high severity high confidence

Data Sources

Windows Security Event Log Elastic Agent System Integration (logs-system.security-*) Winlogbeat

Required Tables

logs-system.security-* logs-windows.security-* winlogbeat-*

False Positives

Corporate NAT gateways or VPN concentrators where many internal users share a single external IP address, producing high per-IP failure counts from normal distributed authentication activity
IT automation tools performing batch account provisioning, password rotation, or connectivity testing that trigger authentication failures across large account sets from a single service IP
Authorized red team or penetration testing engagements using credential spraying tools against the organization's identity infrastructure without prior SOC notification

IBM QRadar (AQL)

sql

SELECT
    sourceip,
    DATEFORMAT(devicetime/1000, 'yyyy-MM-dd HH:00:00') AS time_window,
    COUNT(*) AS total_failures,
    COUNT(DISTINCT username) AS unique_accounts,
    MIN(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS first_seen,
    MAX(DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss')) AS last_seen,
    LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPEID = 12
    AND eventid IN (4625, 4776)
    AND sourceip IS NOT NULL
    AND sourceip NOT IN ('127.0.0.1', '0:0:0:0:0:0:0:1', '::1')
    AND username IS NOT NULL
    AND username NOT IN ('', '-', 'ANONYMOUS LOGON', 'IUSR')
GROUP BY sourceip, DATEFORMAT(devicetime/1000, 'yyyy-MM-dd HH:00:00')
HAVING COUNT(DISTINCT username) >= 10
ORDER BY unique_accounts DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log collected via QRadar WinCollect agent or LEEF/Syslog forwarding from domain controllers and member servers

Required Tables

events

False Positives

Domain controllers acting as Kerberos KDC or NTLM authentication proxies for jump server traffic, where all remote desktop authentication from a terminal services host appears under a single source IP
Network access control (NAC) or 802.1X authentication systems that validate credentials for large numbers of endpoint devices from a centralized authentication proxy IP
Vulnerability management platforms or SIEM correlation agents performing scheduled credential validation health checks that generate bursts of authentication failures across monitored accounts

Sumo Logic CSE

sql

(_sourceCategory="Windows/Security" OR _sourceCategory="os/windows/security" OR _sourceCategory="wineventlog:security")
| where EventCode in ("4625","4776")
| parse regex "(?:IpAddress|Source_Network_Address|Workstation_Name)[\s\S]{1,15}?(?P<SourceIP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})" nodrop
| parse regex "(?:TargetUserName|Account_Name)[\s\S]{1,10}?(?P<AccountName>[A-Za-z0-9._@\-]+)" nodrop
| where !isNull(AccountName) and !(AccountName in ("","-","ANONYMOUS LOGON","IUSR"))
| where !isNull(SourceIP) and !(SourceIP in ("","-","127.0.0.1","::1","localhost"))
| timeslice 1h
| count_distinct(AccountName) as UniqueAccounts, count as TotalFailures by SourceIP, _timeslice
| where UniqueAccounts >= 10
| sort by UniqueAccounts desc

high severity medium confidence

Data Sources

Windows Security Event Log forwarded via Sumo Logic Installed Collector on Windows hosts or domain controllers

Required Tables

Windows/Security source category

False Positives

Shared kiosk or thin-client workstations where multiple users attempt login from the same endpoint IP, producing naturally high unique-account failure rates without malicious intent
Active Directory Federation Services (ADFS) or Azure AD Connect sync processes that proxy authentication for large user populations through a single federation server IP
IT helpdesk ticketing integrations or automated account verification scripts that periodically test a large list of user accounts from a service account host, generating bulk authentication failures

Google Chronicle / SecOps

yaral

rule t1589_001_credential_stuffing {
  meta:
    author = "Detection Engineering"
    description = "Detects credential stuffing — high volume authentication failures across many distinct accounts from a single source IP, indicating use of gathered credentials (T1589.001)"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1589.001"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    $e.principal.ip = $src_ip
    $e.target.user.userid = $uid
    $src_ip != ""
    $src_ip != "127.0.0.1"
    $src_ip != "::1"
    $uid != ""
    $uid != "-"

  match:
    $src_ip over 1h

  condition:
    #uid > 10
}

high severity high confidence

Data Sources

Chronicle UDM normalized authentication events ingested from Windows Security Event Log, Azure AD Sign-in Logs, Okta System Log, or Google Workspace Login Activity

Required Tables

UDM events with metadata.event_type = USER_LOGIN

False Positives

Multi-tenant cloud service providers or SaaS platforms where user authentication egresses through shared carrier-grade NAT IP ranges, causing many distinct user auth failures to appear as single-source stuffing
Enterprise Single Sign-On (SSO) proxy services that concentrate authentication for thousands of employees through a limited set of outbound IPs visible to Chronicle's UDM ingestion pipeline
Internal security monitoring honeypots or deception platforms that generate synthetic USER_LOGIN BLOCK events deliberately, which may contribute to the distinct-UID count and trigger the rule threshold

CrowdStrike LogScale (CQL)

cql

#event_simpleName = UserLogonFailed
| UserName != "" AND UserName != "-" AND UserName != "ANONYMOUS LOGON" AND UserName != "SYSTEM"
| aip != "" AND aip != "127.0.0.1" AND aip != "::1"
| groupBy([aip, ComputerName], function=[
    count(as=TotalFailures),
    count(field=UserName, distinct=true, as=UniqueAccounts),
    collect(UserName, limit=25, as=AccountList),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| where UniqueAccounts >= 10
| sort(UniqueAccounts, order=desc)
| table([aip, ComputerName, TotalFailures, UniqueAccounts, AccountList, FirstSeen, LastSeen])

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor endpoint telemetry — UserLogonFailed events streamed to Falcon LogScale via Falcon Data Replicator or native LogScale ingestion

Required Tables

Falcon telemetry events — #event_simpleName=UserLogonFailed

False Positives

Endpoint management or software deployment agents using rotating service credentials that generate sustained authentication failures across fleet endpoints when credential rotation stalls or misconfigures mid-rollout
Domain-joined machines behind enterprise NAT where all outbound authentication appears under a shared external IP (aip), conflating legitimate distributed auth failures from many users into a single apparent source
Authorized internal red team infrastructure or security tooling running from a Falcon-enrolled endpoint, causing the sensor to capture and surface the tool's credential testing activity as UserLogonFailed telemetry attributed to the tool's host IP

Credentials

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections