T1589.001 Splunk · SPL

Detect Credentials in Splunk

Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Sub-technique
T1589.001 Credentials
Canonical reference
https://attack.mitre.org/techniques/T1589/001/

SPL Detection Query

Splunk (SPL)
spl
index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security") (EventCode=4625 OR EventCode=4776 OR EventCode=4624)
| eval AccountName=coalesce('TargetUserName', mvindex('Account_Name', -1), 'Logon_Account')
| eval SourceAddress=coalesce('IpAddress', 'Source_Network_Address', 'Workstation_Name', 'Source_Workstation')
| eval LogonType=coalesce('Logon_Type', "unknown")
| eval SubStatus=coalesce('Sub_Status', 'Status', 'Error_Code', "")
| eval Outcome=if(EventCode=4624, "success", "failure")
| where NOT (AccountName IN ("", "-", "ANONYMOUS LOGON", "IUSR") OR SourceAddress IN ("", "-", "::1", "127.0.0.1", "localhost"))
| bin _time span=1h as TimeBucket
| stats
    count(eval(Outcome="failure")) as TotalFailures,
    dc(eval(if(Outcome="failure", AccountName, null()))) as UniqueAccounts,
    values(eval(if(Outcome="failure", AccountName, null()))) as AccountList,
    values(eval(if(Outcome="failure", SubStatus, null()))) as SubStatusCodes,
    values(LogonType) as LogonTypes,
    count(eval(Outcome="success")) as SuccessCount,
    values(eval(if(Outcome="success", AccountName, null()))) as SuccessAccounts,
    min(_time) as FirstSeen,
    max(_time) as LastSeen
    by TimeBucket, SourceAddress, host
| where UniqueAccounts >= 10
| eval IsSuccessfulStuffing=if(SuccessCount > 0, 1, 0)
| eval RiskScore=case(
    IsSuccessfulStuffing=1 AND UniqueAccounts >= 50, "Critical",
    IsSuccessfulStuffing=1 AND UniqueAccounts >= 10, "High",
    IsSuccessfulStuffing=0 AND UniqueAccounts >= 50, "High",
    IsSuccessfulStuffing=0 AND UniqueAccounts >= 10, "Medium",
    true(), "Low")
| table TimeBucket, host, SourceAddress, TotalFailures, UniqueAccounts, AccountList, SubStatusCodes, LogonTypes, SuccessCount, SuccessAccounts, IsSuccessfulStuffing, RiskScore, FirstSeen, LastSeen
| sort - UniqueAccounts
Severity: high. Confidence: medium.

Detects credential stuffing against Windows domain authentication infrastructure using Security Event logs. Flags a single source address that fails authentication (EventCode 4625, failed logon; EventCode 4776, NTLM credential validation failure) for 10 or more distinct accounts within a one-hour window, and correlates successful logons (EventCode 4624) from the same source in the same hour inside the same stats pass, so no subsearch is needed. Do not use appendcols for this correlation: it pastes the subsearch's rows beside the main results by position, not by key, so the "success" columns would land on unrelated sources; a keyed join also works but is bounded by subsearch limits. The SubStatus codes drive triage: 0xC000006A is a wrong password for an existing account (the classic stuffing signature), 0xC0000064 is a user name that does not exist (credentials leaked from another organisation, or a sprayed username list), 0xC000006D is the generic "bad user name or authentication information" value that normally appears in the Status field next to a more specific Sub_Status, 0xC000006F is a logon outside authorised hours, and 0xC0000234 (account locked out) shows up once the attempts trip the lockout policy. RiskScore escalates with the number of accounts touched and whether any logon from that source succeeded. Two field caveats: on classic (non-XML) 4625 and 4624 events the Account_Name field is multivalued (subject account first, target account last), so the query selects the last value with mvindex() before counting distinct accounts; and Event 4776 reports a source workstation name rather than an IP address, so its rows group under that name and do not merge with 4625 rows from the same client.

Data Sources

Authentication: Windows Security Event Log
Process: Sysmon
Windows Event ID 4625 — Failed Logon
Windows Event ID 4776 — NTLM Credential Validation
Windows Event ID 4624 — Successful Logon

Required Sourcetypes

WinEventLog:Security (classic rendering) or XmlWinEventLog:Security (renderXml=true); the coalesce() calls in the query cover both field naming conventions.

False Positives & Tuning

  • Corporate VPN concentrators or proxy servers with a single egress IP: many users behind one outbound address can cross the threshold through ordinary mistyped passwords during business hours. Raise the per-source threshold for these addresses via a lookup rather than excluding them outright, since a stuffing run through the same egress would otherwise be invisible.
  • Misconfigured service accounts attempting authentication with incorrect credentials against domain controllers — service restart or config change scenarios
  • Automated vulnerability scanners in the network that probe authentication services as part of authorized security assessments
  • Legacy RADIUS or TACACS authentication relays that aggregate authentication failures from many endpoints under a single source IP
  • Help desk tools performing bulk account status checks or password verification operations during incident response or provisioning workflows
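The script below is an added worked example, written for this page and not part of the detection, of Splunk, or of any vendor code. It reproduces the query's eval, where, hourly bucketing, stats and RiskScore steps in Python over constructed sample events, and adds the per-source threshold override that the tuning advice above calls for (standing in for a Splunk lookup). Field names follow the Splunk Windows add-on (TargetUserName/Account_Name, IpAddress, Sub_Status, and Logon_Account/Source_Workstation/Error_Code on 4776); the hosts, addresses and accounts are made up, and the fields are assumed to be single-valued.

```python
"""Reference implementation of the SPL detection on this page over constructed sample events.
Added example, not Splunk code or the page's own query; event dicts mimic Splunk Windows TA
field names and are assumed single-valued (no mvindex handling)."""
from collections import defaultdict
from datetime import datetime, timezone

# NTSTATUS values seen in Sub_Status (4625) and Error_Code (4776), as documented by Microsoft
SUBSTATUS = {
    "0xC000006A": "wrong password",
    "0xC0000064": "user name does not exist",
    "0xC000006D": "bad user name or authentication information",
    "0xC000006F": "logon outside authorized hours",
    "0xC0000234": "account locked out",
}
IGNORED_ACCOUNTS = {None, "", "-", "ANONYMOUS LOGON", "IUSR"}
LOCAL_SOURCES = {None, "", "-", "::1", "127.0.0.1", "localhost"}

def _first(ev, *names):
    """SPL coalesce(): first present, non-empty field among names (None if none)."""
    for n in names:
        if ev.get(n) not in (None, ""):
            return ev[n]
    return None

def normalize(ev):
    """Apply the query's eval/where steps to one event; None if the where clause drops it."""
    account = _first(ev, "TargetUserName", "Account_Name", "Logon_Account")
    source = _first(ev, "IpAddress", "Source_Network_Address", "Workstation_Name", "Source_Workstation")
    if account in IGNORED_ACCOUNTS or source in LOCAL_SOURCES:
        return None
    return {"time": ev["_time"], "host": ev.get("host", ""), "account": account, "source": source,
            "outcome": "success" if ev["EventCode"] == 4624 else "failure",
            "logon_type": ev.get("Logon_Type", "unknown"),
            "substatus": _first(ev, "Sub_Status", "Status", "Error_Code") or ""}

def risk_score(success_count, unique_accounts):
    """Same ladder as the SPL case() that builds RiskScore."""
    if success_count > 0:
        return "Critical" if unique_accounts >= 50 else "High" if unique_accounts >= 10 else "Low"
    return "High" if unique_accounts >= 50 else "Medium" if unique_accounts >= 10 else "Low"

def detect(events, span=3600, min_accounts=10, thresholds=None):
    """Group by (hour bucket, source, host); report sources failing >= min_accounts distinct accounts.
    thresholds maps source -> higher per-source minimum, the equivalent of a Splunk lookup used to
    tune known shared-egress addresses (VPN concentrators, proxies, RADIUS relays)."""
    thresholds = thresholds or {}
    groups = defaultdict(list)
    for raw in events:
        n = normalize(raw)
        if n is not None:
            groups[(n["time"] // span * span, n["source"], n["host"])].append(n)
    findings = []
    for (bucket, source, host), rows in groups.items():
        fails = [r for r in rows if r["outcome"] == "failure"]
        wins = [r for r in rows if r["outcome"] == "success"]
        unique = sorted({r["account"] for r in fails})
        if len(unique) < thresholds.get(source, min_accounts):
            continue
        codes = sorted({r["substatus"] for r in fails if r["substatus"]})
        findings.append({
            "TimeBucket": bucket, "host": host, "SourceAddress": source,
            "TotalFailures": len(fails), "UniqueAccounts": len(unique), "AccountList": unique,
            "SubStatusCodes": [f"{c} ({SUBSTATUS.get(c, 'unknown')})" for c in codes],
            "LogonTypes": sorted({r["logon_type"] for r in rows}),
            "SuccessCount": len(wins), "SuccessAccounts": sorted({r["account"] for r in wins}),
            "IsSuccessfulStuffing": int(bool(wins)),
            "RiskScore": risk_score(len(wins), len(unique)),
            "FirstSeen": min(r["time"] for r in rows), "LastSeen": max(r["time"] for r in rows),
        })
    findings.sort(key=lambda f: -f["UniqueAccounts"])  # SPL: sort - UniqueAccounts
    return findings

# Constructed sample telemetry (not captured from a real domain); everything falls in one 13:00 UTC bucket
T0 = int(datetime(2024, 5, 1, 13, 0, tzinfo=timezone.utc).timestamp())

def _ev(code, offset, **fields):
    return {"EventCode": code, "_time": T0 + offset, "host": "DC01", **fields}

def _fail(offset, user, src, code="0xC000006A"):
    return _ev(4625, offset, TargetUserName=user, IpAddress=src, Logon_Type="3", Sub_Status=code)

SAMPLE_EVENTS = (
    # 10.0.0.5 tries 12 distinct accounts with wrong passwords, then user07 logs on: successful stuffing
    [_fail(60 * i, f"user{i:02d}", "10.0.0.5") for i in range(12)]
    + [_ev(4624, 900, TargetUserName="user07", IpAddress="10.0.0.5", Logon_Type="3")]
    # 4776 carries a workstation name rather than an IP, so it groups under WS-ATTACK, not 10.0.0.5
    + [_ev(4776, 950, Logon_Account="svc_backup", Source_Workstation="WS-ATTACK", Error_Code="0xC0000064")]
    # 198.51.100.20 is a VPN concentrator: 14 users mistype passwords while 3 others log on normally
    + [_fail(30 * i, f"vpnuser{i:02d}", "198.51.100.20") for i in range(14)]
    + [_ev(4624, 600 + i, TargetUserName=f"staff{i}", IpAddress="198.51.100.20", Logon_Type="3") for i in range(3)]
    # 10.0.0.9 fails only 3 accounts (below threshold); the loopback event is dropped by the where clause
    + [_fail(100, u, "10.0.0.9") for u in ("alice", "bob", "carol")]
    + [_fail(200, "local", "127.0.0.1")]
)

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, thresholds={"198.51.100.20": 40}):
        print(f["RiskScore"], f["SourceAddress"], f["UniqueAccounts"], f["SuccessAccounts"], f["SubStatusCodes"])
```

Run untuned, detect() reports both 198.51.100.20 and 10.0.0.5 as High, because the concentrator's three normal logons count as "success after many failures". With thresholds={"198.51.100.20": 40} only the stuffing source remains, which is exactly what a per-source lookup does in the SPL version; note also that the 4776 row for svc_backup lands under WS-ATTACK and never merges with the 10.0.0.5 findings.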

Testing Methodology

Validate this detection with the five test cases below from Atomic Red Team. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Only Test 2 (and Test 1 where the application authenticates against Windows) produces events the SPL query above consumes; the other tests validate adjacent telemetry for this technique.

  1. Test 1: Simulate Credential Stuffing Against Local Web Application

    Expected signal: web application access logs showing 10+ POST requests to /auth/login from 127.0.0.1 with distinct username values, each answered with HTTP 401 or 403. Windows Event ID 4625 appears only if the application authenticates against Windows or Active Directory; otherwise expect the application's own authentication failure events, which must be forwarded to the SIEM and are not covered by the SPL query above. Network connection events (Sysmon Event ID 3) show the executing process connecting to 127.0.0.1:8080.

  2. Test 2: Generate Windows Authentication Failures Across Multiple Accounts

    Expected signal: Windows Security Event ID 4625 (An account failed to log on) for each username attempted, with LogonType=3 (network logon), SubStatus=0xC000006A (wrong password) or 0xC0000064 (unknown username), and Workstation set to the local machine. Event ID 4776 (NTLM credential validation) may also appear. Domain controllers log these if the host is domain-joined. When the test targets the local machine the source address is 127.0.0.1 or the machine name, which the query's where clause deliberately excludes; run it from a second host (or temporarily relax that filter) for the events to reach the detection.

  3. Test 3: LaZagne Credential Harvester Execution (Test Mode)

    Expected signal: Sysmon Event ID 1 (Process Create) for lazagne_test.exe with parent powershell.exe; Sysmon Event ID 11 (File Create) for the lazagne_test.exe download and the results file; Sysmon Event ID 10 (Process Access) if LaZagne opens browser processes or LSASS; DeviceFileEvents in MDE showing reads of Chrome's Login Data, Firefox's logins.json or similar browser credential stores. Microsoft Defender Antivirus commonly flags LaZagne as a hacktool on download or execution; AMSI only sees the PowerShell that fetched it, not the compiled binary. This test exercises host telemetry for local credential harvesting and does not trigger the authentication-failure query above.

  4. Test 4: Credential Exposure Check in Git Repository

    Expected signal: process creation events for python3/pip3/trufflehog3. File reads across the repository tree as the scanner walks the source files. Entropy and regex analysis run locally, so outbound connections appear only if the tool is configured to verify candidate secrets against provider APIs. On Linux with auditd enabled: execve syscall records for python3 with trufflehog3 arguments in audit.log. This test covers the "credentials exposed in repositories" side of T1589.001 and is not exercised by the SPL query above.

  5. Test 5: Azure AD Credential Stuffing Simulation via PowerShell

    Expected signal: Azure AD SigninLogs entries for each username with ResultType=50126 (invalid username or password) or ResultType=50034 (user account does not exist), IPAddress reflecting the executing machine's public IP, AppDisplayName='Microsoft Azure PowerShell' or similar, and UserPrincipalName set to each test account. Events appear in SigninLogs within 5-15 minutes of execution. These sign-in events are not in WinEventLog:Security, so the query above does not fire on them; an equivalent cloud detection groups the sign-in data by IPAddress and counts distinct UserPrincipalName values with ResultType in (50126, 50034) per hour.
