title: Credentials (T1589.001)
id: df00tech-t1589-001
status: experimental
description: "Adversaries may gather credentials that can be used during targeting. Account credentials may be obtained via phishing for information, breach data dumps, dark web marketplaces (Russian Market, 2easy), infostealer malware logs distributed via Telegram channels, or by compromising websites to harvest authentication cookies. Gathered credentials enable credential stuffing attacks, account takeover via valid account abuse (T1078), and initial access via external remote services (T1133). Real-world actors including APT28, Magic Hound, LAPSUS$, Leviathan, and Chimera have leveraged previously gathered credentials to validate access across dozens to hundreds of organizational and third-party platforms."
references:
  - https://attack.mitre.org/techniques/T1589/001/
  - https://df00tech.com/detections/T1589.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1589.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Misconfigured applications using stale or rotated credentials — the app retries authentication against multiple user endpoints, generating mass failures from a single service IP
  - Large corporate NAT gateway or shared egress IP — multiple users failing authentication over a short window may be attributed to the same external IP and exceed thresholds
  - Automated integration testing or load testing pipelines that enumerate user accounts against authentication endpoints as part of CI/CD validation
  - Password synchronization tools during bulk password resets — Active Directory Federation Services may produce bursts of authentication failures across many accounts
  - Legacy email clients or mobile apps that aggressively retry authentication after password changes, generating multi-account failures when service accounts share an IP
level: high
