THREAT-VPN-CredentialStuffing Microsoft Sentinel · KQL

Detect VPN and Remote Access Credential Stuffing / Brute Force in Microsoft Sentinel

Credential stuffing and brute force against VPN and remote access gateways is a persistent initial access vector for ransomware operators and nation-state actors. NCSC and CISA have repeatedly warned about Fortinet, Cisco ASA/FTD, Ivanti Connect Secure, Palo Alto GlobalProtect, and SonicWall VPN gateways being targeted. Attackers use credential databases from prior breaches and automated tools to test credentials at scale against VPN login portals. Unlike password spraying against M365, VPN credential stuffing often targets a single account at high frequency (bypassing account lockout through IP rotation) or uses a large pool of breached credential pairs. Volt Typhoon (China-nexus) specifically targets small business routers and VPN gateways for SOHO Living-off-the-Land access. Compromised VPN access gives attackers direct network access, bypassing perimeter defences entirely.

MITRE ATT&CK

Tactic
Credential Access Initial Access

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// THREAT: VPN / Remote Access Credential Stuffing
// Detects brute force and credential stuffing against VPN authentication
// Sources: CommonSecurityLog (CEF from firewall/VPN appliances), Syslog

// Alert 1: High-volume authentication failures against VPN
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceVendor has_any ("Fortinet", "Cisco", "Palo Alto", "SonicWall", "Pulse Secure", "Ivanti", "Juniper")
| where Activity has_any ("vpn", "ipsec", "ssl-vpn", "remote-access", "authentication")
| where Message has_any ("failed", "failure", "invalid", "rejected", "denied")
    or LogSeverity >= 5
| summarize
    FailureCount=count(),
    UniqueUsers=dcount(DestinationUserName),
    TargetUsers=make_set(DestinationUserName),
    UniqueSourceIPs=dcount(SourceIP),
    SourceIPs=make_set(SourceIP)
  by DeviceAddress, DeviceVendor, bin(TimeGenerated, 15m)
| where FailureCount >= 20 or UniqueUsers >= 5
| extend ThreatType = "VPN_CredentialStuffing"
| extend Severity = iff(FailureCount >= 100, "Critical", iff(FailureCount >= 50, "High", "Medium"))
| sort by FailureCount desc;
// Alert 2: Successful VPN connection from previously-failing IP
let VPNFailingIPs = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where Activity has_any ("vpn", "ssl-vpn", "remote-access")
| where Message has_any ("failed", "failure", "invalid", "rejected")
| summarize Failures=count() by SourceIP
| where Failures >= 10
| distinct SourceIP;
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where Activity has_any ("vpn", "ssl-vpn", "remote-access")
| where Message has_any ("success", "established", "connected", "authenticated")
| where SourceIP in (VPNFailingIPs)
| project TimeGenerated, SourceIP, DestinationUserName, DeviceVendor,
    DeviceAddress, Activity, Message
| extend ThreatType = "VPN_SuccessAfterCredentialStuffing"
| extend Severity = "Critical"
high severity high confidence

Two-stage VPN credential stuffing detection: (1) high-volume authentication failures from single or multiple sources against VPN gateway — the stuffing pattern; (2) successful VPN authentication from an IP that previously failed 10+ times — the compromise indicator. Alert 2 should trigger immediate investigation as it indicates a successful account takeover via credential stuffing.

Data Sources

CommonSecurityLog (CEF from VPN appliances)Syslog (VPN appliance native logging)Azure Sentinel built-in connectors for Fortinet, Palo Alto, Cisco

Required Tables

CommonSecurityLogSyslog

False Positives & Tuning

  • Legitimate users with incorrect VPN credentials due to recent password change (brief surge then success with new credentials)
  • Misconfigured VPN clients that retry with old credentials on every connection attempt
  • Automated backup or monitoring systems with outdated credentials attempting VPN authentication
  • Multiple users behind a shared corporate NAT connecting to VPN simultaneously (same source IP, multiple users)
Download portable Sigma rule (.yml)

Other platforms for THREAT-VPN-CredentialStuffing

Splunk (SPL) Elastic Security (Elastic) All platforms (combined) →

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VPN Credential Stuffing Simulation via Python Requests

    Expected signal: VPN authentication logs record multiple failures (error: invalid credentials) for multiple usernames from the test IP within the 15-minute window.

Last updated: 2026-04-22 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for THREAT-VPN-CredentialStuffing including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1110.004Credential Stuffing

Related Techniques

T1110.004Credential StuffingT1133External Remote ServicesT1078Valid AccountsT1021.002SMB/Windows Admin SharesT1083File and Directory Discovery

Same Tactic: Credential Access

Popular Detections