Insider Threat Credential Selling: A Detection Program for SOC Teams

An insider threat credential selling detection program is no longer an optional investment — the Cifas Workplace Fraud Trends 2026 report found that 13% of employees either sold their corporate login credentials in the past 12 months or personally knew a colleague who had. That translates to roughly one person on every eight-person team with direct knowledge of active credential markets. Traditional perimeter controls cannot see this threat: it walks in through the front door using valid credentials, leaves no malware signature, and triggers nothing in a rule-based detection stack that assumes adversaries are external. This guide gives security managers and SOC teams the concrete detection controls — from UEBA (User and Entity Behavior Analytics) baselines to DLP (Data Loss Prevention) rules to a hardened offboarding checklist — to close that gap.

// 01 The Scale of Insider Credential Selling

The Cifas survey polled 2,000 employees across UK companies with 1,000 or more staff. The headline figure — 13% overall — understates the real risk once you filter by seniority:

| Role | % Viewing Credential Selling as Justifiable | |——|———————————————-| | General employees | 13% | | Senior managers | 32% | | Directors | 36% | | C-suite executives | 43% | | Business owners | 81% |

That escalation pattern means your highest-privilege accounts are held by people who are most likely to view monetising access as acceptable behaviour. The Cifas Insider Threat Database (ITD) — a shared intelligence database maintained by UK fraud prevention organisations — recorded 288 subject filings in 2025, a 21% year-on-year increase, with "dishonest action by staff to obtain a benefit by theft or deception" as the largest single category.

The financial toll compounds the urgency. Ponemon's 2025 Cost of Insider Risk report puts the average annualised cost of insider-risk incidents at $19.5 million per organisation, with malicious insider incidents accounting for 27% of total losses — approximately $4.7 million per year. A separate credential-exposure analysis cited by Infosecurity Magazine found 460,000 compromised employee credentials circulating on cybercrime sites traced back to FTSE 100 companies, with an average of 280 compromised credentials per company sourced from infostealer logs. Globally, 347 million compromised credentials were identified across 3.9 million compromised machines in 2025.

// 02 Why Traditional Security Controls Miss Credential-Selling Insiders

The core challenge is that credential-selling insiders exploit MITRE ATT&CK T1078 (Valid Accounts) — the technique that abuses legitimate, pre-authorised credentials. No malware drops. No exploit fires. No YARA rule matches a file hash. The adversary is already authenticated before your SOC sees a single event. In penetration testing benchmarks, T1078 succeeds in 98% of tested environments precisely because it requires no vulnerability.

Compounding the problem, insiders often extract credentials using methods that look like routine operations performed by legitimate tools:

• Credential Manager access: Windows Credential Manager and browser-stored passwords are accessible to the authenticated user — no privilege escalation required.
• Active Directory enumeration: Tools like BloodHound or standard PowerShell AD cmdlets can harvest service account credentials and Kerberoastable SPNs (Service Principal Names — AD objects whose associated service account passwords can be cracked offline) without generating Security Event Log alerts by default.
• Screenshot or clipboard harvesting: A user photographing a password manager screen or copying credentials to an external messaging app (Signal, Telegram, WhatsApp) leaves no DLP alert unless your policy explicitly covers messaging applications and removable media.
• NTDS.dit exfiltration: The NTDS.dit file is Active Directory's primary credential database containing all domain account password hashes. A domain administrator who exports a Volume Shadow Copy (VSS — a Windows snapshot mechanism) and exfiltrates it has the keys to the entire domain. Windows Event ID 4699 (VSS shadow copy deletion) and Sysmon Event ID 8 (CreateRemoteThread) are the only reliable indicators — and most organisations are not logging either.

MITRE ATT&CK T1552 (Unsecured Credentials) covers the discovery phase — finding where credentials are stored. T1078 covers the monetisation phase — abusing them. Both must be in scope for an effective insider threat credential selling detection program.

// 03 UEBA Behavioral Baselines: The Core Detection Engine

UEBA shifts the detection model from "does this match a known-bad signature?" to "is this normal for this specific user?" That distinction is decisive for insider threat detection, where the adversary's credentials are by definition legitimate.

A UEBA engine — whether deployed as part of Microsoft Sentinel, Splunk Enterprise Security, Securonix (the 2026 SC Award winner for Best Insider Threat Solution), or a standalone product — builds an individualised behavioral baseline over a 60–90 day rolling window for each user account and entity. Deviations from that baseline generate risk scores rather than binary alerts, reducing the false-positive noise that causes analyst fatigue.

According to the 2026 Insider Threat Report, 78% of insider-style incidents now involve cloud and SaaS resources, making cross-platform behavioural monitoring — not just on-premises Windows event logs — essential.

Key Behavioral Indicators for Credential-Selling Insiders

| Indicator | What It Looks Like | Risk Weight | |—|—|—| | After-hours authentication | Logons to sensitive systems between 22:00–06:00 outside travel dates | High | | File access volume spike | User who normally reads 50 files/day suddenly reads 2,000+ | High | | Credential store access | First-ever access to Windows Credential Manager, HashiCorp Vault, or CyberArk | Critical | | Lateral movement to unrelated systems | Authentication to servers in business units the user has no role in | High | | Data staging before logoff | Large compressed archive created, then deleted, shortly before the user exits the building | Critical | | VPN + AD enumeration combo | VPN logon from personal device immediately followed by ldapsearch or BloodHound queries | High | | LSASS process access | Any process reading or injecting into LSASS memory (Windows Event ID 4656 on lsass.exe) | Critical |

Splunk SPL — after-hours credential store access:

index=wineventlog sourcetype="WinEventLog:Security"
EventCode=4663 Object_Name="*Credential Manager*"
| eval hour=strftime(_time, "%H")
| where hour >= 22 OR hour <= 6
| stats count by Account_Name, Computer, hour
| where count > 0
| sort -count

Microsoft Sentinel KQL — anomalous authentication volume spike (3-sigma deviation from 90-day baseline):

let baseline =
    SigninLogs
    | where TimeGenerated between (ago(90d) .. ago(1d))
    | summarize avg_logons = avg(todouble(count())),
               stddev_logons = stdev(todouble(count()))
        by UserPrincipalName, bin(TimeGenerated, 1d);
SigninLogs
| where TimeGenerated >= ago(1d)
| summarize today_logons = count() by UserPrincipalName
| join kind=inner baseline on UserPrincipalName
| where today_logons > (avg_logons + 3 * stddev_logons)
| project UserPrincipalName, today_logons, avg_logons
| order by today_logons desc

// 04 Insider Threat Credential Selling Detection Program: Step-by-Step Checklist

Use this checklist to build or audit your detection program against the credential-selling threat model specifically.

Phase 1: Visibility and Logging

• Enable Windows Security Event IDs across all domain-joined endpoints:
• 4624 — Successful logon: required for baseline authentication analysis
• 4648 — Logon using explicit credentials (runas or credential relay): high-value insider indicator
• 4663 — Object access audit: essential for LSASS, NTDS.dit, and Credential Manager access monitoring
• 4688 — Process creation with full command line: detects credential-dumping tools (mimikatz.exe, lsassy, pypykatz)
• 4720 / 4726 — User account created / deleted: detect rogue accounts an insider may create for a buyer to use after departure

• Deploy Sysmon with at minimum the SwiftOnSecurity baseline configuration. Sysmon Event ID 10 (ProcessAccess targeting lsass.exe) is non-negotiable for credential-dumping detection and is not available in native Windows event logs.

• Enable Azure AD / Entra ID sign-in logs with a minimum 90-day retention period. These logs are the foundation for UEBA baselines on cloud-connected accounts.

• Forward all logs to SIEM within 5 minutes maximum — stale telemetry invalidates insider investigations where timing is legally significant.

Phase 2: UEBA Behavioral Baselines

• Run your UEBA engine in observation mode for 60–90 days before enabling automated responses. Alerts on incomplete baselines generate excessive noise that trains analysts to dismiss insider alerts.

• Define peer groups for baseline scoping: compare a finance analyst against other finance analysts, not against the entire organisation. Deviations are only meaningful relative to the correct peer population.

• Establish per-business-unit after-hours authentication thresholds. A 24×7 NOC (Network Operations Center) engineer legitimately authenticates at 03:00 — a payroll administrator doing the same warrants investigation.

Phase 3: Detection Rules

• Deploy UEBA risk-scoring rules for: data staging (large file aggregation + compression + deletion in sequence), first-ever credential store access, and authentication to systems outside the user's role-based access baseline.

• Configure DLP policies targeting credential-like patterns in email, corporate chat (Teams, Slack), and removable media channels. See the DLP section below for specific rule configurations.

• Create a PAM (Privileged Access Management) alert that fires on: service account credential retrieval by a human account, vault access by accounts that have not retrieved credentials in the prior 30 days, and any credential checkout followed within 60 seconds by a privilege escalation — a pattern matching MITRE ATT&CK T1078.003 (Valid Accounts: Local Accounts).

• Deploy a canary credential — a fake account with a realistic naming convention and no actual system access. Any authentication attempt against the canary account from a legitimate employee account is a near-certain insider indicator with near-zero false-positive rate.

Phase 4: Investigation Workflow

• Route insider threat alerts to a separate SOC queue from external threat alerts. The investigation workflow differs: it requires HR involvement, legal hold procedures, and chain-of-custody requirements that do not apply to external intrusions.

• Define escalation triggers: any single Critical-weight indicator, or three or more High-weight indicators within 24 hours for the same user, triggers a formal insider investigation.

• Preserve forensic evidence before revoking access. Immediate lockout without a forensic image may destroy volatile evidence — memory contents, open network connections, clipboard data — required for prosecution or disciplinary proceedings.

// 05 DLP Rules for Insider Credential Exfiltration

DLP tools inspect data in motion and at rest. For credential-selling detection, configure rules targeting the output channels an insider would use to hand off credentials to a buyer.

Email Channel — Microsoft Purview / Office 365 DLP

Create a sensitive information type (SIT — a pattern-matching policy rule) targeting:

• Strings matching common credential patterns: [Pp]asswords[:=]sS+
• Lines containing username, password, and domain within 200 characters of each other
• CSV or TXT attachments matching user,pass or login,secret column headers
• .kdbx files (KeePass password database format) sent as email attachments

Sentinel KQL — surface DLP hits on credential-pattern emails:

SecurityAlert
| where TimeGenerated >= ago(7d)
| where AlertName contains "DLP"
| where ExtendedProperties contains "password"
    or ExtendedProperties contains "credential"
| project TimeGenerated,
    UserPrincipalName = tostring(parse_json(Entities)[0].UserPrincipalName),
    AlertName, Severity
| order by TimeGenerated desc

Endpoint DLP — File Copy and USB Monitoring

• Block or alert on .kdbx, .1pif (1Password export), and .lastpass vault export files copied to removable media or personal cloud storage.
• Alert on file copies from %APPDATA%MicrosoftCredentials, %LOCALAPPDATA%GoogleChromeUser DataDefaultLogin Data (Chrome's credential store — a SQLite database), and %APPDATA%MozillaFirefoxProfiles (Firefox credential storage).
• Audit access to NTDS.dit via Windows Event ID 4663 on %SystemRoot%NTDSntds.dit.

Splunk SPL — NTDS.dit access attempt:

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4663
| search Object_Name="*ntds.dit*"
| table _time, Account_Name, Computer, Process_Name, Object_Name, Accesses
| sort -_time

Cloud and SaaS Exfiltration Monitoring

• Audit Microsoft OneDrive / SharePoint bulk downloads via Graph API audit logs: FileDownloaded events exceeding 500 in a single hour by one user.
• Alert on OAuth applications granted offline_access or Mail.Read scopes by a user account — a sign an insider may be piping mailbox contents to an external inbox for persistent access.
• Detect third-party cloud storage sync clients (Dropbox, Google Drive) connecting on managed endpoints; enforce block via Conditional Access policies and audit connection attempts.

// 06 Privileged Access Monitoring and PAM Controls

PAM solutions — CyberArk, BeyondTrust, and Delinea (formerly Thycotic) are the three dominant enterprise platforms — enforce just-in-time (JIT) access, a model in which privileged credentials are checked out for a defined session window and automatically rotated afterward. For credential-selling prevention, JIT access directly closes the window: an insider cannot sell a credential they never possessed long-term.

Key PAM controls that directly address the credential-selling threat model:

• Session recording: Full keylogging and screen recording for all privileged sessions. Recorded sessions may be inadmissible in some jurisdictions unless the acceptable-use policy explicitly notifies employees. Verify with legal counsel before deployment.
• Credential vaulting with automatic rotation: Service account passwords rotated every 24 hours. An insider who sells a credential that expires within hours has a degraded product with limited resale value.
• Dual-control access: Sensitive administrative accounts — domain admin, cloud root, database SA (System Administrator) accounts — require approval from a second authorised party before checkout. This creates a witness and an audit trail for every high-value credential access.
• Access certification reviews: Monthly automated reviews of privileged account membership; accounts must be deprovisioned within 24 hours of a role change.

// 07 Offboarding Security Checklist: Close the Window Before the Sale

Resigning and terminated employees represent the highest-risk period for credential-selling. An employee who has already accepted payment from a threat actor must exfiltrate access before their account is revoked. The Cifas ITD data shows the majority of malicious insider actions occur in the final days or hours of employment — not months earlier.

• Initiate access revocation within 1 hour of HR notification, not at end-of-day. Every hour of delay is a window.
• Revoke in this specific order to prevent race conditions:
• (a) MFA (Multi-Factor Authentication) tokens and FIDO hardware keys
• (b) SSO (Single Sign-On) session tokens — force re-authentication across all Identity Providers
• (c) Active Directory account disable
• (d) Cloud IAM (Identity and Access Management) account deactivation
• (e) Audit and delete all email forwarding rules set by the account
• Run a forensic image of the departing employee's endpoint before wiping. Retention period depends on risk tier and applicable data protection regulations.
• Pull the UEBA risk score history for the 90 days prior to the departure notice. Risk spikes in the two to four weeks before resignation are a reliable signal of exfiltration preparation — employees who intend to sell access typically begin staging data before handing in their notice.
• Audit OAuth authorisations recently granted by the user's account. Specifically: any third-party applications with persistent offline_access, Mail.Read, or Files.ReadWrite scopes should be revoked and investigated.
• For privileged employees — domain admins, cloud infrastructure owners, database SA accounts — rotate all passwords they had legitimate access to within 2 hours of departure, regardless of whether there is any indication of wrongdoing. This is a non-negotiable hygiene step.
• Search for service accounts, backdoor local accounts, or API tokens the employee may have created under a non-obvious name during their tenure. Query AD for accounts created by the departing user's account in the last 180 days.
• Archive all corporate communications — email, Teams messages, Slack logs — under legal hold for employees in sensitive roles. Insider cases frequently hinge on message metadata that establishes intent.

// 08 Impact: What a Credential-Selling Insider Enables for Buyers

Understanding the downstream attack chain gives the detection program its operational context and helps security managers justify the budget.

A credential buyer on a dark web forum or encrypted Telegram channel gains, depending on what was sold:

• Domain user credentials: Initial foothold for internal recon and email-based BEC (Business Email Compromise — fraud conducted using a trusted internal email address to authorise fraudulent payments). Average dark web market price: $10–$200 per set.
• VPN or SSO credentials: Direct internal network access that bypasses perimeter controls entirely. Buyers at this tier are typically ransomware affiliates looking for a clean entry point without a phishing detection risk. Price range: $500–$5,000.
• Domain admin credentials: Full domain compromise. Ransomware deployment, AD replication, and Golden Ticket attacks (a Kerberos attack technique that forges authentication tokens valid for any resource in the domain for the lifetime of the KRBTGT account — potentially years). Price range: $5,000–$50,000+.
• Cloud root or service account credentials: Access to cloud infrastructure, CI/CD pipelines (Continuous Integration / Continuous Delivery — automated software build and deployment systems), and secrets managers. Enables supply-chain attack positioning. Price range: commensurate with the target organisation's cloud spend.

The threat actor groups analysed in Mandiant's 2026 credential-theft evolution research increasingly treat purchased insider credentials as a preferred initial access vector over phishing precisely because the credential is pre-validated and carries no phishing infrastructure detection risk.

// 09 Conclusion

The Cifas data makes the threat model concrete: one in eight employees either has sold credentials or is one conversation away from someone who has, and that proportion triples for your most privileged accounts. An insider threat credential selling detection program built on UEBA behavioral baselines, targeted DLP rules, PAM session controls, and a hardened offboarding workflow gives your SOC the visibility to catch this before a buyer weaponises the access.

Start with logging coverage — every detection rule in this guide is worthless without the telemetry behind it. Enable the Windows Event IDs listed in Phase 1, deploy Sysmon Event ID 10, and confirm your SIEM receives sign-in logs with 90-day retention. Then layer in UEBA baselines and DLP policies. The program does not need to be perfect on day one; it needs to be measurably better than the zero controls most organisations currently point at this specific threat.

See our guide on adversary-in-the-middle phishing and MFA bypass detection for the detection controls that cover the buyer's next step after purchasing valid credentials — and our analysis of the PAMDoora Linux PAM backdoor for an attacker's perspective on what happens after insider-sourced SSH credentials reach a threat actor.