Detect Credentials in Sumo Logic CSE
Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1589 Gather Victim Identity Information
- Sub-technique: T1589.001 Credentials
- Canonical reference: https://attack.mitre.org/techniques/T1589/001/
Sumo Detection Query
(_sourceCategory="Windows/Security" OR _sourceCategory="os/windows/security" OR _sourceCategory="wineventlog:security")
| where EventCode in ("4625","4776")
| parse regex "(?:IpAddress|Source_Network_Address|Workstation_Name)[\s\S]{1,15}?(?P<SourceIP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})" nodrop
| parse regex "(?:TargetUserName|Account_Name)[\s\S]{1,10}?(?P<AccountName>[A-Za-z0-9._@\-]+)" nodrop
| where !isNull(AccountName) and !(AccountName in ("","-","ANONYMOUS LOGON","ANONYMOUS","IUSR"))
| where !isNull(SourceIP) and !(SourceIP in ("","-","127.0.0.1","::1","localhost"))
| timeslice 1h
| count_distinct(AccountName) as UniqueAccounts, count as TotalFailures by SourceIP, _timeslice
| where UniqueAccounts >= 10
| sort by UniqueAccounts desc

Sumo Logic search query against Windows Security Event Log data. It selects authentication failure events (4625: failed logon, 4776: NTLM credential validation failure), uses regex field extraction to pull the source IP and the targeted account name, and then aggregates the results into one-hour timeslices. A source IP that fails against 10 or more distinct accounts within a single one-hour bucket is flagged as potential credential stuffing (T1589.001). Two caveats: the AccountName character class contains no whitespace, so an "ANONYMOUS LOGON" value is captured as "ANONYMOUS" (the exclusion list therefore carries both spellings), and the SourceIP pattern only matches IPv4 addresses, so events whose source field is "-" or an IPv6 address are dropped by the !isNull(SourceIP) filter. Adjust the _sourceCategory values to match your collector configuration.
Data Sources
Required Tables
False Positives & Tuning
- Shared kiosk or thin-client workstations where multiple users attempt login from the same endpoint IP, producing naturally high unique-account failure rates without malicious intent
- Active Directory Federation Services (ADFS) or Azure AD Connect sync processes that proxy authentication for large user populations through a single federation server IP
- IT helpdesk ticketing integrations or automated account verification scripts that periodically test a large list of user accounts from a service account host, generating bulk authentication failures
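The following Python script is an added example, not part of the original detection package. It re-implements the Sumo Logic query above offline so the aggregation logic can be checked against constructed telemetry: the same two field-extraction regexes, the account and source exclusions, the one-hour timeslice, the per-source distinct-account count and the threshold of 10. It also applies a source-IP allowlist for the kind of ADFS / Azure AD Connect host described in the tuning notes. The event lines, the account names, the IP addresses and the allowlisted address 10.0.0.50 are all constructed for the example; the flattened "key=value" layout is an assumption that stands in for however your collector renders the Windows fields.

```python
"""Offline re-implementation of the Sumo Logic T1589.001 detection above:
parse Windows authentication-failure events, bucket them into one-hour
timeslices, count distinct target accounts per source IP and flag sources
at or above the threshold. Also applies a source-IP allowlist for the
federation / sync servers named in the tuning notes."""
import re
from collections import defaultdict
from datetime import datetime

# Field-extraction regexes taken from the Sumo Logic query; Python uses the same (?P<name>...) syntax.
SOURCE_IP_RE = re.compile(
    r"(?:IpAddress|Source_Network_Address|Workstation_Name)[\s\S]{1,15}?"
    r"(?P<SourceIP>(?:[0-9]{1,3}\.){3}[0-9]{1,3})"
)
ACCOUNT_RE = re.compile(r"(?:TargetUserName|Account_Name)[\s\S]{1,10}?(?P<AccountName>[A-Za-z0-9._@\-]+)")
EVENT_CODE_RE = re.compile(r"EventCode=(?P<EventCode>\d+)")

FAILURE_CODES = {"4625", "4776"}
# The account regex stops at whitespace, so "ANONYMOUS LOGON" is captured as "ANONYMOUS"; exclude both.
IGNORED_ACCOUNTS = {"", "-", "ANONYMOUS LOGON", "ANONYMOUS", "IUSR"}
IGNORED_SOURCES = {"", "-", "127.0.0.1", "::1", "localhost"}
# Constructed placeholder for a known ADFS / Azure AD Connect server whose proxied
# logons would otherwise trip the threshold (see False Positives & Tuning).
ALLOWLISTED_SOURCES = {"10.0.0.50"}
THRESHOLD = 10

# Constructed sample telemetry in a flattened "key=value" form; not real captured events.
SAMPLE_EVENTS = (
    # 4625 failures against ten distinct accounts from one source inside the 14:00 hour.
    [f"2024-05-01T14:{m:02d}:00+00:00 EventCode=4625 TargetUserName=user{m:02d} IpAddress=203.0.113.7"
     for m in range(10)]
    + [
        # Two NTLM (4776) failures from the same source against two more accounts.
        "2024-05-01T14:12:00+00:00 EventCode=4776 Account_Name=svc-backup Source_Network_Address=203.0.113.7",
        "2024-05-01T14:13:00+00:00 EventCode=4776 Account_Name=svc-sql Source_Network_Address=203.0.113.7",
        # A repeat of user00: raises TotalFailures but not UniqueAccounts.
        "2024-05-01T14:20:00+00:00 EventCode=4625 TargetUserName=user00 IpAddress=203.0.113.7",
        # Filtered out: anonymous logon, loopback source, successful logon (4624).
        "2024-05-01T14:21:00+00:00 EventCode=4625 TargetUserName=ANONYMOUS LOGON IpAddress=203.0.113.7",
        "2024-05-01T14:22:00+00:00 EventCode=4625 TargetUserName=carol IpAddress=127.0.0.1",
        "2024-05-01T14:23:00+00:00 EventCode=4624 TargetUserName=alice IpAddress=198.51.100.9",
        # One user mistyping a password three times: below threshold.
        "2024-05-01T14:30:00+00:00 EventCode=4625 TargetUserName=bob IpAddress=198.51.100.9",
        "2024-05-01T14:31:00+00:00 EventCode=4625 TargetUserName=bob IpAddress=198.51.100.9",
        "2024-05-01T14:32:00+00:00 EventCode=4625 TargetUserName=bob IpAddress=198.51.100.9",
        # Same source as the flagged one, but in the next hour: a separate timeslice.
        "2024-05-01T15:30:00+00:00 EventCode=4625 TargetUserName=user99 IpAddress=203.0.113.7",
    ]
    # Eleven distinct accounts proxied through the allowlisted federation server.
    + [f"2024-05-01T14:{40 + n:02d}:00+00:00 EventCode=4625 TargetUserName=fed{n:02d} IpAddress=10.0.0.50"
       for n in range(11)]
)


def parse_event(line):
    """Return (timestamp, source_ip, account) for a usable failure event, else None.
    The None paths mirror the where / !isNull filters in the query."""
    ts_text, _, body = line.partition(" ")
    code = EVENT_CODE_RE.search(body)
    if code is None or code.group("EventCode") not in FAILURE_CODES:
        return None
    ip, acct = SOURCE_IP_RE.search(body), ACCOUNT_RE.search(body)
    if ip is None or acct is None:
        return None
    source_ip, account = ip.group("SourceIP"), acct.group("AccountName")
    if account in IGNORED_ACCOUNTS or source_ip in IGNORED_SOURCES:
        return None
    return datetime.fromisoformat(ts_text), source_ip, account


def timeslice_hour(ts):
    """Equivalent of `timeslice 1h`: floor the timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def detect(lines, threshold=THRESHOLD, allowlist=ALLOWLISTED_SOURCES):
    """Aggregate by (SourceIP, _timeslice) and return rows with UniqueAccounts >= threshold,
    sorted descending like the query's final `sort by`."""
    accounts = defaultdict(set)
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, source_ip, account = parsed
        if source_ip in allowlist:  # tuning: suppress known federation / sync hosts
            continue
        key = (source_ip, timeslice_hour(ts))
        accounts[key].add(account)
        totals[key] += 1
    rows = [
        {"SourceIP": ip, "_timeslice": slot.isoformat(),
         "UniqueAccounts": len(accts), "TotalFailures": totals[(ip, slot)]}
        for (ip, slot), accts in accounts.items()
        if len(accts) >= threshold
    ]
    return sorted(rows, key=lambda r: r["UniqueAccounts"], reverse=True)


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the script yields a single row for 203.0.113.7 in the 14:00 timeslice (12 unique accounts, 13 failures); the three retries by one user, the loopback and anonymous events, the 15:30 event in the next hour and the allowlisted federation server all stay below or outside the threshold. Calling detect(SAMPLE_EVENTS, allowlist=set()) shows what the untuned query would do: the federation server appears as a second hit with 11 unique accounts, which is exactly the false positive the tuning note describes.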
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Credential Stuffing Against Local Web Application
Expected signal: Web application access logs showing 10+ POST requests to /auth/login from 127.0.0.1 with distinct username values. HTTP 401 or 403 response codes for each attempt. If web application authentication failures are forwarded to SIEM, Event ID 4625 or equivalent application authentication failure events will appear. Network connection events (Sysmon Event ID 3) showing connections to 127.0.0.1:8080 from the executing process.
- Test 2: Generate Windows Authentication Failures Across Multiple Accounts
Expected signal: Windows Security Event ID 4625 (An account failed to log on) generated for each username attempt, with LogonType=3 (network logon), SubStatus=0xC000006A (wrong password) or 0xC0000064 (unknown username), and Workstation=the local machine. Event ID 4776 (NTLM credential validation) may also appear. All events from source address 127.0.0.1 or machine name. Domain controllers will log these if the host is domain-joined.
- Test 3: LaZagne Credential Harvester Execution (Test Mode)
Expected signal: Sysmon Event ID 1: Process Create for lazagne_test.exe with parent powershell.exe. Sysmon Event ID 11: File Create events for lazagne_test.exe download and results file. Sysmon Event ID 10: Process Access events if LaZagne accesses browser processes or LSASS. DeviceFileEvents in MDE showing access to Chrome Login Data, Firefox logins.json, or similar browser credential database files. Windows Defender may alert on LaZagne execution via AMSI.
- Test 4: Credential Exposure Check in Git Repository
Expected signal: Process creation events for python3/pip3/trufflehog3 execution. File read events across the repository directory tree as the scanner reads source code files. Network connections if trufflehog connects to entropy analysis services. On Linux with auditd enabled: execve syscall events for python3 with trufflehog3 arguments in audit.log.
- Test 5: Azure AD Credential Stuffing Simulation via PowerShell
Expected signal: Azure AD SigninLogs entries for each username with ResultType=50126 (invalid credentials) or ResultType=50034 (user does not exist), IPAddress reflecting the executing machine's public IP, AppDisplayName='Microsoft Azure PowerShell' or similar, UserPrincipalName set to each test account. Events appear in SigninLogs within 5-15 minutes of execution.
References
- https://attack.mitre.org/techniques/T1589/001/
- https://www.bleepingcomputer.com/news/security/2easy-now-a-significant-dark-web-marketplace-for-stolen-data/
- https://www.bleepingcomputer.com/news/security/dissecting-the-dark-web-supply-chain-stealer-logs-in-context/
- https://www.secureworks.com/research/the-growing-threat-from-infostealers
- https://sec.okta.com/scatterswine
- https://github.com/dxa4481/truffleHog
- https://github.com/michenriksen/gitrob
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
- https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table
- https://github.com/AlessandroZ/LaZagne
- https://msrc.microsoft.com/blog/2021/10/microsoft-s-response-to-dea-0537
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/