Esc
Credential Stuffing - T1110.004
(ATT&CK® Technique)
Definition
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1110004["Credential Stuffing"] --> |modifies| AuthenticationLog["Authentication Log"]; class T1110004 OffensiveTechniqueNode;
class AuthenticationLog ArtifactNode; click AuthenticationLog href "/dao/artifact/d3f:AuthenticationLog";
click T1110004 href "/offensive-technique/attack/T1110.004/"; click AuthenticationLog href "/dao/artifact/d3f:AuthenticationLog"; T1110004["Credential Stuffing"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1110004 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1110004 href "/offensive-technique/attack/T1110.004/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; T1110004["Credential Stuffing"] --> |produces| Authentication["Authentication"]; class T1110004 OffensiveTechniqueNode;
class Authentication ArtifactNode; click Authentication href "/dao/artifact/d3f:Authentication";
click T1110004 href "/offensive-technique/attack/T1110.004/"; click Authentication href "/dao/artifact/d3f:Authentication"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| May Isolate | T1110004["Credential Stuffing"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; AuthenticationEventThresholding["Authentication Event Thresholding"] -->
| analyzes | Authentication["Authentication"];
AuthenticationEventThresholding["Authentication Event Thresholding"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class AuthenticationEventThresholding DefensiveTechniqueNode;
class Authentication ArtifactNode;
click AuthenticationEventThresholding href "/technique/d3f:AuthenticationEventThresholding"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -->
| analyzes | Authentication["Authentication"];
ResourceAccessPatternAnalysis["Resource Access Pattern Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class ResourceAccessPatternAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click ResourceAccessPatternAnalysis href "/technique/d3f:ResourceAccessPatternAnalysis"; SessionDurationAnalysis["Session Duration Analysis"] -->
| analyzes | Authentication["Authentication"];
SessionDurationAnalysis["Session Duration Analysis"] -.->
| May Detect | T1110004["Credential Stuffing"] ;
class SessionDurationAnalysis DefensiveTechniqueNode;
class Authentication ArtifactNode;
click SessionDurationAnalysis href "/technique/d3f:SessionDurationAnalysis";