MalChain Detections GitHub
EXP-02 Expansion · Lateral Movement KQL No YARA

Credential Reuse & Relay

Credential Reuse & Relay refers to the use of previously obtained authentication material to access additional systems or services within a target environment without directly exposing the original credentials..

Mappings

CVE examples
Not vulnerability-based — this capability is behavioural.
MalwareBazaar

Summary

Credential Reuse & Relay refers to the use of previously obtained authentication material to access additional systems or services within a target environment without directly exposing the original credentials. This includes reusing valid passwords, session tokens, or authentication responses to authenticate across multiple systems. Within MalChain, this capability begins once attacker-controlled activity leverages existing credentials to establish authenticated access beyond the initial system. Attackers exploit implicit trust in identity verification systems and authentication workflows to move laterally while appearing as legitimate users. Routine reliance on shared credentials and persistent authentication sessions often allows repeated access attempts to occur without immediate detection. Trust abuse may involve reusing cached credentials, relaying authentication requests between systems, or leveraging stored session tokens presented as legitimate user activity. Common movement methods include:

  • Reusing valid credentials across multiple systems
  • Relaying authentication requests between hosts
  • Leveraging cached or stored credentials for access
  • Using active user sessions to authenticate to remote services
  • Replaying authentication tokens or responses

Real world usage includes:

  • Enterprise intrusion campaigns expanding access using compromised accounts
  • Ransomware operators leveraging stolen credentials to spread across networks
  • Insider threat scenarios involving unauthorized credential sharing
  • Persistent threats maintaining access through repeated authentication

Detection Guidance

Detection relies on monitoring authentication patterns, session activity, and system access behavior associated with credential usage. Contextual correlation between login events and system activity is essential to reduce false positives.

  • Monitor authentication attempts across multiple systems
  • Detect repeated login activity using the same credentials
  • Correlate session usage with unexpected network access
  • Alert on authentication requests originating from unusual locations
  • Identify rare or unauthorized credential usage patterns

KQL Detection Concepts

  • Authentication events involving the same credentials across multiple hosts
  • Session activity occurring outside normal operational patterns
  • Repeated login attempts within short time intervals

YARA Detection Concepts

  • Scripts or binaries interacting with authentication mechanisms
  • Code patterns automating credential usage or relay operations
  • Executable components designed to capture or reuse authentication data

KQL Detection Rule

kql
// Credential Reuse & Relay: same account authenticating to many hosts quickly
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess" and LogonType in ("Network","RemoteInteractive")
| summarize Hosts=dcount(DeviceName), HostSet=make_set(DeviceName,20) by AccountName, bin(Timestamp, 15m)
| where Hosts >= 5
| project Timestamp, AccountName, Hosts, HostSet

YARA Detection Rule

YARA is not meaningfully applicable to this primarily behavioral / network-telemetry capability. Rely on the KQL rule above plus network and identity detections.

Mitigation

  • Enforce strong authentication and credential management policies
  • Implement multi-factor authentication for system access
  • Monitor credential usage and session behavior continuously
  • Restrict credential sharing and enforce least-privilege access

Incident Response

  • Identify compromised credentials and affected systems
  • Reset passwords and revoke active sessions
  • Review authentication logs and access history
  • Monitor for continued unauthorized credential usage

Chain Linking