title: Credential Stuffing (T1110.004)
id: df00tech-t1110-004
status: experimental
description: "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Unlike password spraying (T1110.003), which tests one password against many accounts, credential stuffing uses known username-password pairs harvested from prior data breaches — exploiting users who reuse passwords across personal and business accounts. Targeted services commonly include SSH (22/TCP), RDP (3389/TCP), SMB (445/TCP), LDAP (389/TCP), HTTP management portals, VPN gateways, and cloud identity providers such as Azure AD, Okta, and federated SSO endpoints. Real-world threat actors including Chimera and TrickBot (rdpscanDll module) have used credential stuffing at scale against enterprise remote services."
references:
  - https://attack.mitre.org/techniques/T1110/004/
  - https://df00tech.com/detections/T1110.004
author: df00tech
date: 2026/04/17
tags:
  - attack.t1110.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Misconfigured service accounts with expired or incorrect credentials repeatedly attempting authentication against multiple systems simultaneously — will appear as high-volume failures from a single host IP"
  - "Azure AD Connect or third-party directory sync tools (Okta, OneLogin) generating batched authentication failures during sync interruptions or object mismatches"
  - "Authenticated security scanners (Nessus, Qualys, Rapid7) running credential-based assessments from a dedicated scan IP against multiple systems"
  - "Load balancers, NAT gateways, or reverse proxies that masquerade multiple users behind a single egress IP, making unrelated individual user failures aggregate as a single-IP attack"
  - "Helpdesk or IT staff testing account lockout/reset workflows by deliberately triggering failures across multiple test accounts from their workstation"
level: high
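The single-IP, many-accounts pattern that the description and the false-positive notes above describe, as an added example that is not df00tech's KQL/SPL query and not part of this rule: Python over constructed Azure AD sign-in records, flagging a source IP that fails against many distinct accounts inside a time window while skipping allowlisted scanner, sync-tool or proxy egress IPs. The field names (ts, ip, user, result) and the result codes 0 (success) and 50126 (invalid username or password) are assumptions modelled on the SigninLogs schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, ip, user, result):
    return {"ts": ts, "ip": ip, "user": user, "result": result}


# Constructed sample sign-in records (assumed field names; result 0 = success,
# 50126 = invalid username or password, as in Azure AD SigninLogs).
SAMPLE_SIGNINS = (
    # one source IP trying six different accounts in a minute; one reused pair works
    [_rec(f"2026-04-17T08:00:{i:02d}", "203.0.113.10", f"user{i}@example.com", 50126) for i in range(5)]
    + [_rec("2026-04-17T08:00:30", "203.0.113.10", "user9@example.com", 0)]
    + [_rec("2026-04-17T08:01:00", "203.0.113.10", "user6@example.com", 50126)]
    # authenticated scanner behind a known egress IP: same shape, benign
    + [_rec(f"2026-04-17T08:05:{i:02d}", "198.51.100.5", f"svc{i}@example.com", 50126) for i in range(8)]
    # one user mistyping their own password: many failures, but a single account
    + [_rec(f"2026-04-17T09:00:{i:02d}", "192.0.2.7", "bob@example.com", 50126) for i in range(6)]
)

# Egress IPs of scanners, directory sync tools or proxies that legitimately fail at volume.
KNOWN_SOURCES = frozenset({"198.51.100.5"})


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5, allowlist=frozenset()):
    """Return {ip: stats} for every non-allowlisted IP that failed against at least
    min_accounts distinct accounts within any sliding window of the given length.
    Successes inside the same window are counted too: with reused breach pairs some
    attempts land, which a spray of one guessed password rarely shows."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"], e["result"]))
    hits = {}
    for ip, recs in by_ip.items():
        if ip in allowlist:
            continue
        recs.sort()  # chronological, so each candidate window starts at one record
        for i, (start, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - start <= window]
            failed_accounts = {user for _, user, result in in_window if result != 0}
            if len(failed_accounts) >= min_accounts:
                hits[ip] = {
                    "accounts": len(failed_accounts),
                    "failures": sum(1 for r in in_window if r[2] != 0),
                    "successes": sum(1 for r in in_window if r[2] == 0),
                }
                break  # one alert per source IP is enough
    return hits
```

Running `find_stuffing_sources(SAMPLE_SIGNINS, allowlist=KNOWN_SOURCES)` reports only 203.0.113.10 (six failed accounts, one success); the scanner IP is suppressed by the allowlist and the single mistyping user never reaches the account threshold.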
