T1589.001 CrowdStrike LogScale · LogScale

Detect Credentials in CrowdStrike LogScale

Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1589 Gather Victim Identity Information
Sub-technique: T1589.001 Credentials
Canonical reference: https://attack.mitre.org/techniques/T1589/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
```cql
#event_simpleName = UserLogonFailed
| UserName != "" AND UserName != "-" AND UserName != "ANONYMOUS LOGON" AND UserName != "SYSTEM"
| aip != "" AND aip != "127.0.0.1" AND aip != "::1"
| groupBy([aip, ComputerName], function=[
    count(as=TotalFailures),
    count(field=UserName, distinct=true, as=UniqueAccounts),
    collect(UserName, limit=25, as=AccountList),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ])
| where UniqueAccounts >= 10
| sort(UniqueAccounts, order=desc)
| table([aip, ComputerName, TotalFailures, UniqueAccounts, AccountList, FirstSeen, LastSeen])
```

Severity: high. Confidence: medium.

CrowdStrike Falcon LogScale (CQL) query using endpoint telemetry UserLogonFailed events captured by the Falcon sensor. Groups failed logon attempts by associated source IP (aip field) and reporting host (ComputerName), counting distinct targeted usernames per source. Surfaces attacker IPs generating failures against 10 or more distinct accounts, consistent with credential stuffing using gathered credentials (T1589.001). Best paired with a 24-hour relative time window in Falcon LogScale. Note: aip reflects the Falcon sensor's view of the authentication source IP, which is most reliable on domain controllers processing network logons.

Data Sources

CrowdStrike Falcon sensor endpoint telemetry — UserLogonFailed events streamed to Falcon LogScale via Falcon Data Replicator or native LogScale ingestion

Required Tables

Falcon telemetry events — #event_simpleName=UserLogonFailed

False Positives & Tuning

  • Endpoint management or software deployment agents using rotating service credentials that generate sustained authentication failures across fleet endpoints when credential rotation stalls or misconfigures mid-rollout
  • Domain-joined machines behind enterprise NAT where all outbound authentication appears under a shared external IP (aip), conflating legitimate distributed auth failures from many users into a single apparent source
  • Authorized internal red team infrastructure or security tooling running from a Falcon-enrolled endpoint, causing the sensor to capture and surface the tool's credential testing activity as UserLogonFailed telemetry attributed to the tool's host IP
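To see what the query above actually surfaces, and how the threshold interacts with the tuning cases listed here, the following Python reproduces the CQL pipeline (filter, groupBy on aip and ComputerName, distinct-account threshold, sort) over constructed UserLogonFailed records. This is an added example, not code from the page or from CrowdStrike; the sample events, IPs and account names are invented, and the field names mirror the ones the query references.

```python
from collections import defaultdict

EXCLUDED_USERS = {"", "-", "ANONYMOUS LOGON", "SYSTEM"}
EXCLUDED_IPS = {"", "127.0.0.1", "::1"}

def make_event(user, aip, host, minute):
    """Build a constructed UserLogonFailed record with the fields the query uses."""
    return {"#event_simpleName": "UserLogonFailed", "UserName": user, "aip": aip,
            "ComputerName": host, "@timestamp": f"2024-05-01T09:{minute:02d}:00Z"}

# Constructed sample telemetry (not captured from a real sensor).
SAMPLE_EVENTS = (
    # one source trying 12 distinct accounts against DC01, two of them twice
    [make_event(f"user{i:02d}", "203.0.113.5", "DC01", i) for i in range(12)]
    + [make_event("user03", "203.0.113.5", "DC01", 12),
       make_event("user07", "203.0.113.5", "DC01", 13)]
    # one user mistyping a password: several failures, but a single account
    + [make_event("jdoe", "198.51.100.7", "DC01", i) for i in range(4)]
    # records the query's first two filter stages discard
    + [make_event("ANONYMOUS LOGON", "203.0.113.5", "DC01", 14),
       make_event("svc_backup", "127.0.0.1", "DC01", 15)]
)

def detect_multi_account_failures(events, threshold=10, account_limit=25):
    """Mirror the CQL pipeline: filter, groupBy([aip, ComputerName]), where, sort."""
    groups = defaultdict(lambda: {"TotalFailures": 0, "accounts": set(),
                                  "FirstSeen": None, "LastSeen": None})
    for e in events:
        if e.get("#event_simpleName") != "UserLogonFailed":
            continue
        user, aip = e.get("UserName", ""), e.get("aip", "")
        if user in EXCLUDED_USERS or aip in EXCLUDED_IPS:
            continue
        g = groups[(aip, e["ComputerName"])]
        g["TotalFailures"] += 1
        g["accounts"].add(user)
        ts = e["@timestamp"]  # ISO-8601 strings of equal form compare chronologically
        g["FirstSeen"] = ts if g["FirstSeen"] is None else min(g["FirstSeen"], ts)
        g["LastSeen"] = ts if g["LastSeen"] is None else max(g["LastSeen"], ts)
    rows = [{"aip": aip, "ComputerName": host, "TotalFailures": g["TotalFailures"],
             "UniqueAccounts": len(g["accounts"]),
             "AccountList": sorted(g["accounts"])[:account_limit],
             "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"]}
            for (aip, host), g in groups.items() if len(g["accounts"]) >= threshold]
    return sorted(rows, key=lambda r: r["UniqueAccounts"], reverse=True)

if __name__ == "__main__":
    for row in detect_multi_account_failures(SAMPLE_EVENTS):
        print(row)
```

Raising `threshold` is the knob for the NAT case above, where one shared egress IP legitimately carries failures from many distinct users; the single-user password-typo source never reaches the threshold regardless of its failure count.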

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Credential Stuffing Against Local Web Application

    Expected signal: Web application access logs showing 10+ POST requests to /auth/login from 127.0.0.1 with distinct username values. HTTP 401 or 403 response codes for each attempt. If web application authentication failures are forwarded to SIEM, Event ID 4625 or equivalent application authentication failure events will appear. Network connection events (Sysmon Event ID 3) showing connections to 127.0.0.1:8080 from the executing process.

  2. Test 2: Generate Windows Authentication Failures Across Multiple Accounts

    Expected signal: Windows Security Event ID 4625 (An account failed to log on) generated for each username attempt, with LogonType=3 (network logon), SubStatus=0xC000006A (wrong password) or 0xC0000064 (unknown username), and Workstation=the local machine. Event ID 4776 (NTLM credential validation) may also appear. All events from source address 127.0.0.1 or machine name. Domain controllers will log these if the host is domain-joined.

  3. Test 3: LaZagne Credential Harvester Execution (Test Mode)

    Expected signal: Sysmon Event ID 1: Process Create for lazagne_test.exe with parent powershell.exe. Sysmon Event ID 11: File Create events for lazagne_test.exe download and results file. Sysmon Event ID 10: Process Access events if LaZagne accesses browser processes or LSASS. DeviceFileEvents in MDE showing access to Chrome Login Data, Firefox logins.json, or similar browser credential database files. Windows Defender may alert on LaZagne execution via AMSI.

  4. Test 4: Credential Exposure Check in Git Repository

    Expected signal: Process creation events for python3/pip3/trufflehog3 execution. File read events across the repository directory tree as the scanner reads source code files. Network connections if trufflehog connects to entropy analysis services. On Linux with auditd enabled: execve syscall events for python3 with trufflehog3 arguments in audit.log.

  5. Test 5: Azure AD Credential Stuffing Simulation via PowerShell

    Expected signal: Azure AD SigninLogs entries for each username with ResultType=50126 (invalid credentials) or ResultType=50034 (user does not exist), IPAddress reflecting the executing machine's public IP, AppDisplayName='Microsoft Azure PowerShell' or similar, UserPrincipalName set to each test account. Events appear in SigninLogs within 5-15 minutes of execution.
