
Weaponized Defense: Spotting Potentially Stolen Credentials


A rapid visual + behavioral triage to catch credential abuse before deep-dive forensics.

Scenario

A partner gets popped. Their breach means your users might be exposed. Assume multiple corporate emails + weakly protected external accounts now at risk. Conduct a 60‑second spot check for early compromise indicators.

Minimum Log Fields (Internet‑facing Auth)

  • Result: Success / Failure
  • Username
  • Source IP (public, not post-NAT internal)
  • User Agent (raw)
  • Optional: X‑Forwarded‑For preserved
  • Ability to filter authenticated vs unauthenticated traffic

Pre‑Filtering Suggestions

Remove / exclude:

  1. Non‑200 HTTP responses
  2. Failed authentications (for post‑auth anomaly focus)
  3. Internal source ranges

Tools

  • Graylog (GeoIP lookup enabled)
  • Exchange (IIS logging with X‑Forwarded‑For if applicable)
  • Your attackers (providing free telemetry)

Step 1: Geo Heatmap

Plot successful auths. An outlier (e.g. sudden Los Angeles activity for a Toronto‑only user) is immediate triage fuel.

Step 2: Raw User Agent Long‑Tail

Don’t parse prematurely. Raw, messy user agent strings highlight anomalies: one odd browser / OS combo among a stable baseline pops visually.

Example suspicious UA (Windows box for a die‑hard macOS user):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...

Step 3: Volume / Temporal Oddities

High‑frequency folder enumeration at 04:00 local time? That is likely scripted harvesting rather than normal usage.

Supplemental Heuristics

  • Impossible travel (geo + timestamp)
  • Sudden shift in client platform (iOS → Windows → Android)
  • Abnormal feature access sequence
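The three steps and the supplemental heuristics above, run over a handful of successful-auth records, as an added example (this is illustrative code written for this note, not code from the original post and not a Graylog feature). The GEO table stands in for Graylog's GeoIP lookup, EVENTS are constructed sample records, and the speed, distance and burst thresholds are assumptions a real deployment would tune:

```python
"""Triage heuristics for Steps 1-3 and the supplemental heuristics.

Added example, not code from the original post. GEO stands in for a GeoIP
lookup, EVENTS are constructed successful-auth records, and the thresholds
are assumptions. Timestamps are treated as local time ("04:00 local").
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed IP -> (city, lat, lon) table; in Graylog this is the GeoIP lookup.
GEO = {
    "203.0.113.10": ("Toronto", 43.65, -79.38),
    "192.0.2.55": ("Toronto", 43.70, -79.42),
    "198.51.100.7": ("Los Angeles", 34.05, -118.24),
}

# Constructed successful auths: (local timestamp, user, source IP, raw user agent).
EVENTS = [
    ("2024-05-06 13:02:11", "alice", "203.0.113.10", "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) ... Safari/605.1.15"),
    ("2024-05-06 13:40:52", "alice", "192.0.2.55", "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) ... Safari/605.1.15"),
    ("2024-05-06 14:05:03", "alice", "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ..."),
    ("2024-05-06 09:15:00", "bob", "203.0.113.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) ..."),
] + [  # 30 requests inside one minute at 04:00: scripted enumeration, not a person
    ("2024-05-07 04:00:%02d" % s, "bob", "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...")
    for s in range(0, 60, 2)
]

def platform(ua):
    """Crude client family from a raw UA; iPhone/iPad must be tested before Mac."""
    u = ua.lower()
    for needle, name in (("iphone", "iOS"), ("ipad", "iOS"), ("android", "Android"),
                         ("windows nt", "Windows"), ("mac os x", "macOS"), ("linux", "Linux")):
        if needle in u:
            return name
    return "other"

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def by_user(events):
    """Parse the raw tuples and group them per user, oldest first."""
    groups = defaultdict(list)
    for ts, user, ip, ua in sorted(events, key=lambda e: (e[1], e[0])):
        groups[user].append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip, "ua": ua})
    return groups

def geo_outliers(groups):
    """Step 1: login cities other than the user's dominant city."""
    out = []
    for user, evs in groups.items():
        cities = Counter(GEO[e["ip"]][0] for e in evs if e["ip"] in GEO)
        top = cities.most_common(1)[0][0] if cities else None
        out += [(user, c) for c in cities if c != top]
    return out

def impossible_travel(groups, max_kmh=900.0, min_km=50.0):
    """Consecutive auths whose implied speed exceeds max_kmh; nearby IP changes
    (under min_km) and IPs with no geo data are ignored."""
    hits = []
    for user, evs in groups.items():
        for prev, cur in zip(evs, evs[1:]):
            a, b = GEO.get(prev["ip"]), GEO.get(cur["ip"])
            if not a or not b or a == b:
                continue
            km = haversine_km(a[1:], b[1:])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                hits.append((user, a[0], b[0], round(km), round(speed)))
    return hits

def platform_shifts(groups):
    """Step 2 / supplemental: users seen on more than one client platform, in first-seen order."""
    seqs = {u: list(dict.fromkeys(platform(e["ua"]) for e in evs)) for u, evs in groups.items()}
    return {u: seq for u, seq in seqs.items() if len(seq) > 1}

def off_hours_bursts(groups, start_hour=0, end_hour=6, threshold=20):
    """Step 3: per-user, per-minute request counts inside the off-hours window."""
    minutes = Counter()
    for user, evs in groups.items():
        for e in evs:
            if start_hour <= e["ts"].hour < end_hour:
                minutes[(user, e["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    return [(u, m, n) for (u, m), n in minutes.items() if n >= threshold]

def triage(events):
    """The 60-second spot check: every heuristic over one batch of successful auths."""
    groups = by_user(events)
    return {
        "geo_outliers": geo_outliers(groups),
        "impossible_travel": impossible_travel(groups),
        "platform_shifts": platform_shifts(groups),
        "off_hours_bursts": off_hours_bursts(groups),
    }
```

Calling triage(EVENTS) flags alice for a Toronto to Los Angeles hop at several thousand km/h plus a macOS to Windows shift, and bob for thirty requests inside a single minute at 04:00. Note that the two Toronto addresses for alice are a few kilometres apart and are deliberately not reported: an IP change inside one city is normal carrier behaviour, which is why the distance floor exists alongside the speed ceiling.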

Pipeline Rule Ideas

Add classification booleans at ingestion for easier querying later:

External:      True / False
Authenticated: Yes / No
Browsing:      True / False   # False = POST, 3xx, 4xx, 5xx, etc.
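The pre-filter and the three classification booleans above, as an added example in plain Python rather than a Graylog pipeline rule (this is not code from the original post). It also handles the point from the log-field list about public source IPs and a preserved X-Forwarded-For header: the client address is taken by walking the header from the right and skipping your own proxy tier, because the leftmost entry is client-supplied. The field names, the proxy range and the sample records are constructed:

```python
"""Ingestion-time classification booleans (External / Authenticated / Browsing)
and the pre-filter, as plain Python rather than a Graylog pipeline rule.

Added example, not code from the original post; field names, proxy ranges
and sample records are constructed.
"""
import ipaddress

# Explicit RFC 1918 / loopback / link-local ranges rather than ip.is_private:
# Python also treats the RFC 5737 documentation ranges used below as sample
# client addresses (203.0.113.0/24, 198.51.100.0/24) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed: the reverse proxy / load balancer tier that appends X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]

def in_any(ip_str, nets):
    """True when ip_str parses and falls inside one of nets."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable address: never silently classify it as internal
    return any(ip in n for n in nets)

def client_ip(record):
    """Walk X-Forwarded-For right to left, skipping our own proxies; the first
    remaining hop is the client. The leftmost entry is client-supplied and may
    be spoofed, so it only wins when no more trustworthy hop is present."""
    hops = [h.strip() for h in record.get("x_forwarded_for", "").split(",") if h.strip()]
    hops.append(record["src_ip"])  # the socket peer is the rightmost, most trusted hop
    for hop in reversed(hops):
        if not in_any(hop, TRUSTED_PROXIES):
            return hop
    return record["src_ip"]

def classify(record):
    """The three booleans from the note: External, Authenticated, Browsing."""
    status = int(record.get("status", 0))
    return {
        "external": not in_any(client_ip(record), INTERNAL_NETS),
        "authenticated": record.get("user", "-") not in ("", "-"),  # IIS logs "-" for anonymous
        "browsing": record.get("method") == "GET" and 200 <= status < 300,
    }

def post_auth_view(records):
    """Pre-filter: drop non-2xx, unauthenticated and internal traffic, keeping
    only the external authenticated browsing that Steps 1-3 are run over."""
    return [r for r in records if all(classify(r).values())]

# Constructed IIS-style records: method, status, socket peer, X-Forwarded-For, username.
SAMPLE = [
    {"method": "GET", "status": 200, "src_ip": "198.51.100.7", "user": "alice"},
    {"method": "GET", "status": 200, "src_ip": "10.0.5.2",
     "x_forwarded_for": "192.168.1.9, 203.0.113.44", "user": "bob"},      # via LB, spoofed leftmost hop
    {"method": "GET", "status": 200, "src_ip": "10.20.30.40", "user": "carol"},  # internal source
    {"method": "GET", "status": 401, "src_ip": "198.51.100.7", "user": "-"},     # failed auth
    {"method": "POST", "status": 200, "src_ip": "198.51.100.7", "user": "alice"},  # not browsing
]
```

post_auth_view(SAMPLE) keeps only alice's and bob's GET requests. The record that arrived through the load balancer resolves to 203.0.113.44, not to the private address the client planted at the front of the header; if the external flag were computed from the raw socket peer instead, every request through the proxy tier would be classified as internal and vanish from the dashboards.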

Example Improvement: Enrich Timestamp from Alt Field

If the message carries its real time in an alternate field (a CEF-style rt field, for example), parse that field and replace the timestamp:

rule "Normalize Alt Timestamp"
when has_field("rt") AND has_field("timestamp")
then
  let new_date = parse_date(value: to_string($message.rt), pattern: "MMM dd yyyy HH:mm:ss 'GMT'Z");
  set_field("timestamp", new_date);
  remove_field("rt");
end

Why This Works

Credential abuse often starts noisy (geographic + platform drift) before the attacker settles in. Viewing that early pattern disruption (geo + UA + time) catches misuse before lateral movement.

Closing

You deployed logging to answer these questions quickly; use it. Build dashboards + alerts for outlier geos, UA shifts, and velocity anomalies. When things are quiet, celebrate your firewall team for boring logs.

Keep iterating, keep hunting.


Tags: graylog · incident response · logging · windows