Detect Credentials in Elastic Security
Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1589 Gather Victim Identity Information
- Sub-technique: T1589.001 Credentials
- Canonical reference: https://attack.mitre.org/techniques/T1589/001/
Elastic Detection Query
FROM logs-system.security-*, logs-windows.security-*, winlogbeat-*
| WHERE @timestamp > NOW() - 24 hours
| WHERE event.code IN ("4625", "4776")
| WHERE source.ip IS NOT NULL AND source.ip != "127.0.0.1" AND source.ip != "::1" AND source.ip != ""
| WHERE user.name IS NOT NULL AND user.name != "" AND user.name != "-" AND user.name != "ANONYMOUS LOGON"
| STATS
    failed_attempts = COUNT(*),
    unique_accounts = COUNT_DISTINCT(user.name),
    first_seen = MIN(@timestamp),
    last_seen = MAX(@timestamp)
  BY source.ip, BUCKET(@timestamp, 1 hour)
| WHERE unique_accounts >= 10
| SORT unique_accounts DESC

ES|QL aggregation query detecting credential stuffing via Windows Security authentication failures (Event IDs 4625 and 4776). It groups events by source IP in one-hour buckets and surfaces source IPs that have failed authentication against 10 or more distinct user accounts, the defining signature of gathered credential testing (T1589.001). Deploy it as a scheduled detection rule with threshold alerting. Note: the rule uses ES|QL rather than EQL because this statistical aggregation pattern requires the piped query language rather than event-sequence EQL.
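As an added illustration (not part of the original page or Elastic's own code), the following Python re-implements the rule's WHERE filters and the per-source-IP, one-hour-bucket aggregation over a constructed set of ECS-shaped events, so you can check offline which source IPs cross the unique_accounts threshold and which noise the filters drop. The event set, IP addresses, account names and base time are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=24)      # @timestamp > NOW() - 24 hours
THRESHOLD = 10                    # unique_accounts >= 10
CODES = {"4625", "4776"}          # event.code IN ("4625", "4776")
DROP_IPS = {None, "", "127.0.0.1", "::1"}
DROP_USERS = {None, "", "-", "ANONYMOUS LOGON"}

def _ev(ts, ip, user, code="4625"):
    return {"@timestamp": ts, "event.code": code, "source.ip": ip, "user.name": user}

BASE = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed base time
SAMPLE = (
    # one external IP failing against 12 distinct accounts in one hour: should alert
    [_ev(BASE + timedelta(minutes=i), "203.0.113.10", f"user{i:02d}") for i in range(12)]
    # another IP hammering only 3 service accounts 15 times: many failures, few accounts
    + [_ev(BASE + timedelta(minutes=i), "198.51.100.7", f"svc{i % 3}", "4776") for i in range(15)]
    # noise the WHERE clauses drop: loopback source, anonymous/blank user, non-failure code
    + [_ev(BASE, "127.0.0.1", f"local{i}") for i in range(11)]
    + [_ev(BASE, "203.0.113.99", "ANONYMOUS LOGON"), _ev(BASE, "203.0.113.99", "-", "4624")]
)

def detect(events, now, window=WINDOW, threshold=THRESHOLD):
    """Mirror of the rule's WHERE filters and STATS ... BY source.ip, BUCKET(@timestamp, 1 hour).
    Returns (source_ip, bucket_start, failed_attempts, unique_accounts) rows that meet
    the threshold, sorted by unique_accounts descending like the SORT stage."""
    groups = defaultdict(list)
    for e in events:
        if e["@timestamp"] <= now - window or e.get("event.code") not in CODES:
            continue
        if e.get("source.ip") in DROP_IPS or e.get("user.name") in DROP_USERS:
            continue
        bucket = e["@timestamp"].replace(minute=0, second=0, microsecond=0)
        groups[(e["source.ip"], bucket)].append(e["user.name"])
    rows = [(ip, b, len(users), len(set(users)))
            for (ip, b), users in groups.items() if len(set(users)) >= threshold]
    return sorted(rows, key=lambda r: r[3], reverse=True)

def run_sample(hours_after_base=2):
    """Evaluate the constructed events as if the rule ran N hours after BASE."""
    return detect(SAMPLE, BASE + timedelta(hours=hours_after_base))

if __name__ == "__main__":
    for ip, bucket, failed, uniq in run_sample():
        print(f"{ip} bucket={bucket:%Y-%m-%d %H:00} failed={failed} unique_accounts={uniq}")
```

Lowering `threshold` in `detect()` is the quickest way to see how the NAT-gateway false positive described under tuning would look: a single IP with many failures but few distinct accounts only surfaces once the threshold drops to its account count.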
Data Sources
Required Tables
False Positives & Tuning
- Corporate NAT gateways or VPN concentrators where many internal users share a single external IP address, producing high per-IP failure counts from normal distributed authentication activity
- IT automation tools performing batch account provisioning, password rotation, or connectivity testing that trigger authentication failures across large account sets from a single service IP
- Authorized red team or penetration testing engagements using credential spraying tools against the organization's identity infrastructure without prior SOC notification
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Credential Stuffing Against Local Web Application
  Expected signal: Web application access logs showing 10+ POST requests to /auth/login from 127.0.0.1 with distinct username values. HTTP 401 or 403 response codes for each attempt. If web application authentication failures are forwarded to SIEM, Event ID 4625 or equivalent application authentication failure events will appear. Network connection events (Sysmon Event ID 3) showing connections to 127.0.0.1:8080 from the executing process.
- Test 2: Generate Windows Authentication Failures Across Multiple Accounts
  Expected signal: Windows Security Event ID 4625 (An account failed to log on) generated for each username attempt, with LogonType=3 (network logon), SubStatus=0xC000006A (wrong password) or 0xC0000064 (unknown username), and Workstation set to the local machine. Event ID 4776 (NTLM credential validation) may also appear. All events come from source address 127.0.0.1 or the machine name. Domain controllers will log these if the host is domain-joined.
- Test 3: LaZagne Credential Harvester Execution (Test Mode)
  Expected signal: Sysmon Event ID 1: Process Create for lazagne_test.exe with parent powershell.exe. Sysmon Event ID 11: File Create events for the lazagne_test.exe download and results file. Sysmon Event ID 10: Process Access events if LaZagne accesses browser processes or LSASS. DeviceFileEvents in MDE showing access to Chrome Login Data, Firefox logins.json, or similar browser credential database files. Windows Defender may alert on LaZagne execution via AMSI.
- Test 4: Credential Exposure Check in Git Repository
  Expected signal: Process creation events for python3/pip3/trufflehog3 execution. File read events across the repository directory tree as the scanner reads source code files. Network connections if trufflehog connects to entropy analysis services. On Linux with auditd enabled: execve syscall events for python3 with trufflehog3 arguments in audit.log.
- Test 5: Azure AD Credential Stuffing Simulation via PowerShell
  Expected signal: Azure AD SigninLogs entries for each username with ResultType=50126 (invalid credentials) or ResultType=50034 (user does not exist), IPAddress reflecting the executing machine's public IP, AppDisplayName='Microsoft Azure PowerShell' or similar, and UserPrincipalName set to each test account. Events appear in SigninLogs within 5-15 minutes of execution.
References (13)
- https://attack.mitre.org/techniques/T1589/001/
- https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- https://www.secureworks.com/research/the-growing-threat-from-infostealers
- https://sec.okta.com/scatterswine
- https://github.com/dxa4481/truffleHog
- https://github.com/michenriksen/gitrob
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table
- https://github.com/AlessandroZ/LaZagne
- https://msrc.microsoft.com/blog/2021/10/microsoft-s-response-to-dea-0537
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/