Detect VPN and Remote Access Credential Stuffing / Brute Force in CrowdStrike LogScale
Credential stuffing and brute force against VPN and remote access gateways is a persistent initial access vector for ransomware operators and nation-state actors. NCSC and CISA have repeatedly warned about Fortinet, Cisco ASA/FTD, Ivanti Connect Secure, Palo Alto GlobalProtect, and SonicWall VPN gateways being targeted. Attackers use credential databases from prior breaches and automated tools to test credentials at scale against VPN login portals. Unlike password spraying against M365, VPN credential stuffing often targets a single account at high frequency (bypassing account lockout through IP rotation) or uses a large pool of breached credential pairs. Volt Typhoon (China-nexus) specifically targets small business routers and VPN gateways to gain living-off-the-land access through SOHO devices. Compromised VPN access gives attackers direct network access, bypassing perimeter defences entirely.
MITRE ATT&CK
- Tactic: Credential Access, Initial Access
LogScale Detection Query
```
// Alert 1: High-volume VPN authentication failures (CrowdStrike Falcon LogScale / Next-Gen SIEM)
// Set the search time window to 24h; groupBy() takes no start= parameter.
#event_simpleName = "NetworkConnectionIP4"
| vendor = /(fortinet|cisco|palo.alto|sonicwall|pulse.secure|ivanti|juniper)/i
| activity = /(vpn|ssl-vpn|ipsec|remote-access|authentication)/i
| action = /(fail|failure|invalid|reject|denied|blocked)/i
// count() without a field counts every event; third-party VPN logs do not carry aid.
| groupBy([RemoteAddressIP4, LocalAddressIP4, vendor], function=[
    count(as=FailureCount),
    count(field=UserName, distinct=true, as=UniqueUsers),
    collect([UserName], limit=50)
  ], limit=max)
| rename(field=UserName, as=TargetedUsers)
| FailureCount >= 20 OR UniqueUsers >= 5
| case {
    FailureCount >= 100 | Severity := "CRITICAL";
    FailureCount >= 50  | Severity := "HIGH";
    *                   | Severity := "MEDIUM"
  }
| ThreatType := "VPN_CredentialStuffing"
| ThreatActors := "Volt Typhoon, LockBit affiliates, GhostSec"
| sort(FailureCount, order=desc, limit=1000)

// Alert 2: Successful VPN login from a previously-failing IP
// Step 1: build the failing-IP set. Run this as a scheduled search over the last 24h
// with an "Upload File" action that writes the result to the lookup file VPN_FailingIPs.csv.
// #event_simpleName = "NetworkConnectionIP4"
// | action = /(fail|failure|reject|denied)/i
// | activity = /(vpn|ssl-vpn|remote-access)/i
// | groupBy([RemoteAddressIP4], function=count(as=Failures), limit=max)
// | Failures >= 10
// | select([RemoteAddressIP4])
// Step 2: match successes to that set
#event_simpleName = "NetworkConnectionIP4"
// "connected" also matches "disconnected"; tighten the pattern to the vendor's exact success strings where possible.
| action = /(success|established|connected|authenticated)/i
| activity = /(vpn|ssl-vpn|remote-access)/i
| match(file="VPN_FailingIPs.csv", field=RemoteAddressIP4)
| ThreatType := "VPN_SuccessAfterCredentialStuffing"
| Severity := "CRITICAL"
| select([@timestamp, RemoteAddressIP4, UserName, LocalAddressIP4, vendor, action, ThreatType, Severity])
```

Two-part CrowdStrike Falcon LogScale (Next-Gen SIEM) detection for VPN credential stuffing. Part 1 groups network authentication failures by source IP and VPN gateway over a 24-hour window and alerts on high failure volumes or many targeted accounts. Part 2 identifies successful VPN connections from IPs that previously generated 10+ failures, indicating a successful credential stuffing compromise.
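The two alerts above, re-implemented in Python over constructed VPN authentication records so the grouping, thresholds and success-after-failure correlation can be exercised offline. This is an added example, not part of the page's LogScale query; field names mirror the query, and the sample IPs, usernames and action strings are made up.

```python
import re
from collections import Counter, defaultdict

# Action patterns mirror the filters in the LogScale query (case-insensitive).
FAIL_RE = re.compile(r"fail|failure|invalid|reject|denied|blocked", re.I)
SUCCESS_RE = re.compile(r"success|established|connected|authenticated", re.I)

def make_sample_events():
    """Constructed records (not real telemetry): one source IP cycling through six
    usernames, then succeeding; one benign user failing twice before succeeding."""
    def ev(src, user, action):
        return {"RemoteAddressIP4": src, "LocalAddressIP4": "198.51.100.1",
                "vendor": "fortinet", "UserName": user, "action": action}
    events = [ev("203.0.113.10", f"user{i % 6}", "login failed") for i in range(24)]
    events.append(ev("203.0.113.10", "user3", "tunnel established"))
    events += [ev("192.0.2.5", "alice", "auth denied") for _ in range(2)]
    events.append(ev("192.0.2.5", "alice", "authenticated"))
    return events

def severity(failure_count):
    # Same thresholds as the case block in Alert 1.
    if failure_count >= 100:
        return "CRITICAL"
    return "HIGH" if failure_count >= 50 else "MEDIUM"

def alert1(events, min_failures=20, min_users=5):
    """Alert 1: group failures by (source IP, gateway IP, vendor); alert on volume
    or on breadth of targeted accounts. Rows come back sorted by FailureCount."""
    groups = defaultdict(lambda: {"FailureCount": 0, "users": set()})
    for e in events:
        if FAIL_RE.search(e["action"]):
            g = groups[(e["RemoteAddressIP4"], e["LocalAddressIP4"], e["vendor"])]
            g["FailureCount"] += 1
            g["users"].add(e["UserName"])
    rows = []
    for (src, dst, vendor), g in groups.items():
        fc, users = g["FailureCount"], sorted(g["users"])
        if fc >= min_failures or len(users) >= min_users:
            rows.append({"RemoteAddressIP4": src, "LocalAddressIP4": dst, "vendor": vendor,
                         "FailureCount": fc, "UniqueUsers": len(users),
                         "TargetedUsers": users[:50], "Severity": severity(fc)})
    return sorted(rows, key=lambda r: r["FailureCount"], reverse=True)

def alert2(events, min_failures=10):
    """Alert 2: successes from source IPs with >= min_failures failures in the same
    window (the lookup-file hand-off collapsed into one pass over the events)."""
    per_ip = Counter(e["RemoteAddressIP4"] for e in events if FAIL_RE.search(e["action"]))
    failing = {ip for ip, n in per_ip.items() if n >= min_failures}
    return [e for e in events
            if SUCCESS_RE.search(e["action"]) and e["RemoteAddressIP4"] in failing]
```

The benign user never reaches either threshold, which is the behaviour the false-positive notes below rely on when tuning the counts.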
Data Sources
Required Tables
False Positives & Tuning
- Legitimate remote workers reconnecting after office Wi-Fi drops cause repeated fast-reconnect failures before a successful session
- VPN load balancers presenting a single destination IP that aggregates failures from many unrelated source IPs
- Security awareness training platforms simulating phishing that also test VPN credential reuse
- Authorised red team exercises targeting VPN gateways
- Travelling employees repeatedly failing due to geo-blocked IP ranges or MFA prompt timeouts before eventually succeeding
Testing Methodology
Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: VPN Credential Stuffing Simulation via Python Requests
Expected signal: VPN authentication logs record multiple failures (error: invalid credentials) for multiple usernames from the test IP within the 15-minute window.