THREAT-VPN-CredentialStuffing Google Chronicle · YARA-L

Detect VPN and Remote Access Credential Stuffing / Brute Force in Google Chronicle

Credential stuffing and brute force against VPN and remote access gateways are a persistent initial access vector for ransomware operators and nation-state actors. NCSC and CISA have repeatedly warned that Fortinet, Cisco ASA/FTD, Ivanti Connect Secure, Palo Alto GlobalProtect, and SonicWall VPN gateways are being targeted. Attackers use credential databases from prior breaches and automated tools to test credentials at scale against VPN login portals. Unlike password spraying against M365, VPN credential stuffing often targets a single account at high frequency (bypassing account lockout through IP rotation) or works through a large pool of breached credential pairs. Volt Typhoon (China-nexus) specifically targets small business routers and VPN gateways to gain living-off-the-land access via SOHO devices. Compromised VPN access gives attackers direct network access, bypassing perimeter defences entirely.

MITRE ATT&CK

Tactic: Credential Access, Initial Access
Technique: T1110.004

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule vpn_credential_stuffing {
  meta:
    author = "df00tech"
    description = "Detects credential stuffing and brute force against VPN and remote access gateways"
    severity = "HIGH"
    priority = "HIGH"
    reference = "NCSC Advisory AA24-060A, CISA Advisory AA23-347A"
    threat_actors = "Volt Typhoon, LockBit affiliates"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1110.004"
    version = "1.0"

  events:
    // Login events reported by VPN / remote-access appliance vendors
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.metadata.vendor_name = /(?i)(fortinet|cisco|palo alto|sonicwall|pulse secure|ivanti|juniper)/
    // Keep only blocked or failed authentications
    (
      $auth.security_result.action = "BLOCK"
      or $auth.security_result.action_details = /(?i)(fail|failure|invalid|reject|denied|bad.password)/
    )
    // Restrict to VPN / remote-access applications or tunnelling protocols
    (
      $auth.target.application = /(?i)(vpn|ssl.vpn|ipsec|remote.access)/
      or $auth.network.application_protocol = /(?i)(ipsec|ssl)/
    )
    // Placeholders that define the match group: one source IP against one gateway
    $auth.principal.ip = $src_ip
    $auth.target.ip = $dest_ip

  match:
    $src_ip, $dest_ip over 15m

  outcome:
    $failure_count = count_distinct($auth.metadata.id)
    $unique_users = count_distinct($auth.target.user.userid)
    $targeted_users = array_distinct($auth.target.user.userid)
    $vendor = array_distinct($auth.metadata.vendor_name)
    $severity_label = if($failure_count >= 100, "CRITICAL",
                       if($failure_count >= 50, "HIGH", "MEDIUM"))

  condition:
    // Volume from one source, or a spray across several accounts
    #auth >= 20 or $unique_users >= 5
}
```

Severity: High · Confidence: High

YARA-L 2.0 rule for Google Chronicle SIEM that detects VPN credential stuffing by aggregating blocked or failed login events from VPN/remote access vendors over 15-minute windows. Triggers when 20+ failures originate from the same source IP targeting the same VPN gateway, or when 5+ unique user accounts are targeted.

Data Sources

  • Fortinet FortiGate
  • Cisco ASA
  • Cisco FTD
  • Palo Alto Networks
  • SonicWall
  • Ivanti Connect Secure
  • Juniper Networks

Required Tables

USER_LOGIN UDM events with vendor_name matching VPN appliance vendors

False Positives & Tuning

  • Scheduled network monitoring or SIEM health-check tools generating repeated authentication attempts
  • VPN clients with cached stale credentials retrying automatically after password changes
  • Corporate proxy or NAT devices making all remote workers appear as a single source IP, inflating per-IP failure counts
  • Red team or penetration testing engagements against VPN infrastructure
  • ISP CGNAT causing unrelated users to share an IP that collectively exceeds thresholds
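The following Python script is an added reference model of the rule's aggregation and of the per-source tuning described in the list above; it is not Chronicle code and does not use the Chronicle API. It mirrors the events: filters, groups by (source IP, gateway IP), evaluates the 15-minute match window (approximated here as a sliding window over sorted timestamps, which is an assumption about Chronicle's windowing), applies the two condition thresholds and the severity ladder, and shows how dropping a known NAT/proxy egress address before aggregation removes the false positive from the "corporate proxy or NAT" bullet. All events, IP addresses and the allowlist are constructed sample data.

```python
"""Reference model of the vpn_credential_stuffing rule over constructed UDM-style
events. Added example: not Chronicle's engine; the event dicts, IPs and the
allowlist are constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # match: ... over 15m
EVENT_THRESHOLD = 20             # condition: #auth >= 20
USER_THRESHOLD = 5               # condition: $unique_users >= 5

# Same regexes as the rule's events: section ((?i) is valid in both RE2 and Python)
VENDOR_RE = re.compile(r"(?i)(fortinet|cisco|palo alto|sonicwall|pulse secure|ivanti|juniper)")
FAIL_RE = re.compile(r"(?i)(fail|failure|invalid|reject|denied|bad.password)")
APP_RE = re.compile(r"(?i)(vpn|ssl.vpn|ipsec|remote.access)")


def matches_events_section(ev):
    """Mirror the events: filters: a blocked/failed VPN login from a listed vendor."""
    if ev["event_type"] != "USER_LOGIN":
        return False
    if not VENDOR_RE.search(ev["vendor_name"]):
        return False
    failed = ev["action"] == "BLOCK" or FAIL_RE.search(ev["action_details"])
    return bool(failed) and bool(APP_RE.search(ev["application"]))


def severity_label(failure_count):
    """outcome: $severity_label thresholds."""
    if failure_count >= 100:
        return "CRITICAL"
    if failure_count >= 50:
        return "HIGH"
    return "MEDIUM"


def detect(events, src_allowlist=frozenset()):
    """Group by (src_ip, dest_ip) as in match:, evaluate the condition over a
    sliding 15-minute window, and return the densest qualifying window per group.
    src_allowlist is the tuning hook: sources known to be benign (NAT egress,
    monitoring probes) are dropped before aggregation."""
    groups = defaultdict(list)
    for ev in events:
        if ev["src_ip"] in src_allowlist or not matches_events_section(ev):
            continue
        groups[(ev["src_ip"], ev["dest_ip"])].append(ev)

    alerts = []
    for (src_ip, dest_ip), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            failure_count = len({e["id"] for e in window})   # count_distinct(metadata.id)
            users = sorted({e["user"] for e in window})       # array_distinct(target.user.userid)
            if failure_count >= EVENT_THRESHOLD or len(users) >= USER_THRESHOLD:
                if best is None or failure_count > best["failure_count"]:
                    best = {"src_ip": src_ip, "dest_ip": dest_ip,
                            "failure_count": failure_count,
                            "unique_users": len(users), "targeted_users": users,
                            "vendor": sorted({e["vendor_name"] for e in window}),
                            "severity_label": severity_label(failure_count)}
        if best is not None:
            alerts.append(best)
    return alerts


def make_logins(src_ip, dest_ip, users, n, start, vendor="Fortinet", failed=True, spacing_s=20):
    """Construct n USER_LOGIN events from src_ip, cycling through users."""
    kind = "fail" if failed else "ok"
    return [{"ts": start + timedelta(seconds=i * spacing_s), "id": f"{src_ip}-{kind}-{i}",
             "event_type": "USER_LOGIN", "vendor_name": vendor, "application": "SSL-VPN",
             "action": "BLOCK" if failed else "ALLOW",
             "action_details": "invalid credentials" if failed else "login success",
             "src_ip": src_ip, "dest_ip": dest_ip, "user": users[i % len(users)]}
            for i in range(n)]


T0 = datetime(2024, 1, 1, 12, 0, 0)
GATEWAY = "192.0.2.1"  # constructed VPN gateway address
# Constructed telemetry: both trigger paths, the NAT/proxy false positive, and noise
SAMPLE_EVENTS = (
    make_logins("198.51.100.7", GATEWAY, ["jdoe"], 60, T0, spacing_s=10)            # one account, high rate
    + make_logins("198.51.100.8", GATEWAY, ["a", "b", "c", "d", "e", "f"], 6, T0,
                  vendor="Palo Alto Networks")                                        # low volume, 6 accounts
    + make_logins("203.0.113.10", GATEWAY, [f"emp{i}" for i in range(25)], 25, T0)   # proxy egress, stale creds
    + make_logins("203.0.113.10", GATEWAY, ["emp0"], 5, T0, failed=False)             # successes are ignored
    + make_logins("198.51.100.9", GATEWAY, ["asmith"], 3, T0)                         # below both thresholds
)
KNOWN_NAT_EGRESS = frozenset({"203.0.113.10"})  # constructed corporate proxy egress IP

if __name__ == "__main__":
    for label, allow in (("untuned", frozenset()), ("tuned", KNOWN_NAT_EGRESS)):
        for a in detect(SAMPLE_EVENTS, allow):
            print(label, a["src_ip"], a["failure_count"], a["unique_users"], a["severity_label"])
```

Untuned, the proxy egress address raises an alert alongside the two real patterns because 25 employees retrying stale credentials through one NAT address satisfies the 5-user branch; with that address allowlisted only the single-account flood and the six-account spray remain. In Chronicle the allowlist would live in a reference list consulted from the events: section rather than in a Python set.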

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: VPN Credential Stuffing Simulation via Python Requests

    Expected signal: VPN authentication logs record multiple failures (error: invalid credentials) for multiple usernames from the test IP within the 15-minute window.

