T1110 Brute Force Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Brute Force Detection — Multiple failed logons followed by success, or high-volume failures
// Part 1: Windows Security Event failed logons (Event ID 4625)
let FailedLogonThreshold = 10;
let TimeWindowMinutes = 10;
let BruteForceAccounts =
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4625
    | where LogonType in (3, 10) // Network and RemoteInteractive
    | summarize FailedCount = count(), 
               TargetAccounts = dcount(TargetAccount),
               TargetAccountList = make_set(TargetAccount, 20),
               FirstFailure = min(TimeGenerated),
               LastFailure = max(TimeGenerated)
      by IpAddress, Computer, bin(TimeGenerated, TimeWindowMinutes * 1m)
    | where FailedCount >= FailedLogonThreshold;
// Part 2: Enrich with successful logon after failures (compromise indicator)
let SuccessAfterFailure =
    SecurityEvent
    | where TimeGenerated > ago(24h)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | project SuccessTime = TimeGenerated, IpAddress, TargetAccount, Computer;
BruteForceAccounts
| join kind=leftouter (
    SuccessAfterFailure
) on IpAddress, Computer
| extend SuccessAfterBruteForce = isnotempty(SuccessTime) and SuccessTime > LastFailure
| extend Severity = case(
    SuccessAfterBruteForce == true, "Critical",
    TargetAccounts > 5, "High",    // Password spray pattern
    FailedCount >= 50, "High",
    "Medium"
)
| project FirstFailure, LastFailure, Computer, IpAddress, FailedCount, TargetAccounts, 
          TargetAccountList, SuccessAfterBruteForce, SuccessTime, Severity
| sort by SuccessAfterBruteForce desc, FailedCount desc

high severity high confidence

Data Sources

Logon Session: Logon Session Creation Logon Session: Logon Session Metadata User Account: User Account Authentication Windows Security Event Log

Required Tables

SecurityEvent

False Positives

Misconfigured service accounts with expired or recently changed passwords generating automatic logon failures in batch
Legitimate penetration testing or red team exercises using tools like Hydra, Medusa, or CrackMapExec against authorized targets
Users who forget their password and repeatedly attempt login before resetting, particularly after travel or long absence
Load balancers or multi-hop proxies causing multiple logon attempts to appear from a single source IP
Password manager applications failing to update cached credentials after a password rotation, generating repeated failures

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624)
| eval LogonType=mvindex(split(coalesce(LogonType, "0"), " "), 0)
| where LogonType IN ("3", "10")
| eval EventType=case(EventCode="4624", "Success", EventCode="4625", "Failure", true(), "Unknown")
| bin _time span=10m
| stats 
    count(eval(EventType="Failure")) as FailedCount,
    count(eval(EventType="Success")) as SuccessCount,
    dc(TargetUserName) as DistinctTargets,
    values(TargetUserName) as TargetAccounts,
    earliest(_time) as FirstAttempt,
    latest(_time) as LastAttempt
  by _time, IpAddress, ComputerName
| where FailedCount >= 10
| eval AttackPattern=case(
    DistinctTargets > 5 AND FailedCount >= 10, "Password Spray",
    DistinctTargets <= 2 AND FailedCount >= 20, "Account Brute Force",
    true(), "Brute Force")
| eval SuccessAfterFailure=if(SuccessCount > 0, "YES", "NO")
| eval RiskScore=case(
    SuccessAfterFailure="YES", 100,
    AttackPattern="Password Spray" AND FailedCount >= 50, 85,
    AttackPattern="Account Brute Force" AND FailedCount >= 100, 75,
    FailedCount >= 20, 60,
    true(), 40)
| table FirstAttempt, LastAttempt, ComputerName, IpAddress, FailedCount, SuccessCount, 
        DistinctTargets, TargetAccounts, AttackPattern, SuccessAfterFailure, RiskScore
| sort - RiskScore, - FailedCount

high severity high confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Misconfigured service accounts with expired or recently changed passwords generating automatic logon failures in batch
Legitimate penetration testing or red team exercises against authorized targets
Users who forget their password and repeatedly attempt login before resetting
Load balancers or multi-hop proxies causing multiple logon attempts to appear from a single source IP
Password manager applications failing to update cached credentials after a password rotation

Elastic Security (EQL)

eql

// Brute force with successful compromise (Critical — sequence-based)
sequence by source.ip, host.name with maxspan=10m
  [authentication where event.outcome == "failure"
   and winlog.event_data.LogonType in ("3", "10")] with runs=10
  [authentication where event.outcome == "success"
   and winlog.event_data.LogonType in ("3", "10")]

// Supplement: high-volume failures without success (High)
// sequence by source.ip with maxspan=10m
//   [authentication where event.outcome == "failure"
//    and winlog.event_data.LogonType in ("3", "10")] with runs=50

critical severity high confidence

Data Sources

Windows Security Event Log via Winlogbeat or Elastic Agent Elastic Endpoint Security authentication events

Required Tables

logs-system.security* winlogbeat-* .ds-logs-endpoint.events.process*

False Positives

Automated load testing or integration test suites performing rapid authentication cycles against staging environments where a final successful login follows deliberate failure sequences
SSO federation proxies or reverse authentication gateways that forward many end-user failures through a single egress IP, causing per-IP thresholds to be exceeded by normal aggregate activity
IT helpdesk workflows where an agent attempts multiple incorrect passwords on behalf of a user before the user provides the correct credential, generating the exact failure-then-success pattern

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCE AS Hostname,
  sourceip AS SourceIP,
  username AS TargetAccount,
  COUNT(*) AS FailedAttempts,
  UNIQUECOUNT(username) AS DistinctTargets,
  MIN(DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss')) AS FirstAttempt,
  MAX(DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss')) AS LastAttempt,
  CASE
    WHEN UNIQUECOUNT(username) > 5 AND COUNT(*) >= 10 THEN 'Password Spray'
    WHEN UNIQUECOUNT(username) <= 2 AND COUNT(*) >= 20 THEN 'Account Brute Force'
    ELSE 'Brute Force'
  END AS AttackPattern
FROM events
WHERE LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) ILIKE '%authentication failed%'
  AND LONG("LogonType") IN (3, 10)
  AND devicetime > NOW() - 86400000
GROUP BY DATEFORMAT(devicetime, '600000'), LOGSOURCE, sourceip, username
HAVING COUNT(*) >= 10
ORDER BY FailedAttempts DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) QRadar Windows Authentication Category events

Required Tables

events

False Positives

Vulnerability scanners running credentialed scans (Nessus, Qualys, Rapid7) from a dedicated scanner IP generating bursts of authentication attempts against all in-scope hosts
Backup or monitoring agents using stale service account credentials after a scheduled password rotation, generating continuous 4625 failures from infrastructure server IPs until credentials are updated
Network access control (NAC) systems or 802.1X authenticators batching re-authentication requests from multiple devices through a single source IP at policy enforcement intervals

Sumo Logic CSE

sql

_sourceCategory=*windows*security*
| where _raw matches /EventCode=(4624|4625)/
| parse "EventCode=*" as EventCode
| parse "Logon Type:\t*" as LogonType nodrop
| parse "Source Network Address:\t*" as SourceIP nodrop
| parse "Account Name:\t\t*" as TargetAccount nodrop
| parse "Workstation Name:\t*" as Workstation nodrop
| where EventCode in ("4624", "4625")
| where LogonType in ("3", "10")
| eval EventType = if(EventCode == "4625", "Failure", "Success")
| timeslice 10m
| stats
    sum(if(EventType == "Failure", 1, 0)) as FailedCount,
    sum(if(EventType == "Success", 1, 0)) as SuccessCount,
    dcount(TargetAccount) as DistinctTargets,
    values(TargetAccount) as TargetAccounts
  by _timeslice, SourceIP, Workstation
| where FailedCount >= 10
| eval AttackPattern = if(DistinctTargets > 5, "Password Spray", if(FailedCount >= 20, "Account Brute Force", "Brute Force"))
| eval SuccessAfterFailure = if(SuccessCount > 0, "YES", "NO")
| eval RiskScore = if(SuccessAfterFailure == "YES", 100, if(AttackPattern == "Password Spray" and FailedCount >= 50, 85, if(AttackPattern == "Account Brute Force" and FailedCount >= 100, 75, if(FailedCount >= 20, 60, 40))))
| sort by RiskScore, FailedCount

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Sumo Logic Cloud Syslog for Windows forwarded events

Required Tables

_sourceCategory=*windows*security*

False Positives

Application servers using Windows Integrated Authentication (NTLM/Kerberos) that cache expired session tokens after password rotation, generating a burst of 4625 events before re-authenticating successfully within the same 10-minute window
Authorized red team or penetration testing engagements where the source IP belongs to a scoped tester, indistinguishable from attacker activity without IP allowlisting
Mobile device management (MDM) platforms performing bulk certificate or credential refresh across many enrolled devices, with all traffic originating from a single management server IP

Google Chronicle / SecOps

yaral

rule t1110_brute_force_compromise {
  meta:
    author = "df00tech"
    description = "Detects brute force: 10+ failed USER_LOGIN events from same source IP within 10 minutes followed by a successful login, indicating potential account compromise"
    severity = "CRITICAL"
    mitre_tactic = "TA0006 - Credential Access"
    mitre_technique = "T1110"
    platforms = "Windows"
    false_positives = "SSO proxies, load testers, helpdesk resets"
    version = "1.0"

  events:
    $failed.metadata.event_type = "USER_LOGIN"
    $failed.security_result.action = "BLOCK"
    $failed.principal.ip = $source_ip
    $failed.target.hostname = $target_host
    $failed.principal.ip != ""
    $failed.target.hostname != ""

    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.ip = $source_ip
    $success.target.hostname = $target_host
    $success.metadata.event_timestamp.seconds > $failed.metadata.event_timestamp.seconds

  match:
    $source_ip, $target_host over 10m

  condition:
    #failed >= 10 and #success >= 1
}

critical severity high confidence

Data Sources

Google Chronicle UDM USER_LOGIN events Chronicle ingested Windows Security Event Log (normalized to UDM)

Required Tables

USER_LOGIN UDM events

False Positives

Corporate VPN concentrators performing NAT that map many remote employees' authentication attempts to a single egress IP, causing per-IP failure counts to exceed the threshold during high-traffic periods such as Monday mornings
Automated provisioning systems using Active Directory accounts for machine enrollment that attempt Kerberos pre-authentication multiple times before domain join completes, followed by successful enrollment
Security awareness training platforms that simulate brute force as part of phishing simulations, triggering controlled failure sequences from a known training infrastructure IP before a successful test-user login

CrowdStrike LogScale (CQL)

cql

// Requires Windows endpoint authentication events via Falcon sensor or FDR
#event_simpleName = /^UserLogon(Failed)?2$/
| LogonType = /^(3|10)$/
| FailureEvent := if(#event_simpleName == "UserLogonFailed2", 1, 0)
| SuccessEvent := if(#event_simpleName == "UserLogon2", 1, 0)
| bucket(span=10m, function=[
    sum(FailureEvent, as=FailedCount),
    sum(SuccessEvent, as=SuccessCount),
    dcount(UserName, as=DistinctTargets),
    collect(UserName, limit=20, as=TargetAccounts)
  ], field=[ComputerName, RemoteAddressIP4])
| FailedCount >= 10
| AttackPattern := case(
    DistinctTargets > 5, "Password Spray",
    FailedCount >= 20, "Account Brute Force",
    default="Brute Force"
  )
| SuccessAfterFailure := if(SuccessCount > 0, "YES", "NO")
| RiskScore := case(
    SuccessAfterFailure == "YES", 100,
    AttackPattern == "Password Spray" and FailedCount >= 50, 85,
    AttackPattern == "Account Brute Force" and FailedCount >= 100, 75,
    FailedCount >= 20, 60,
    default=40
  )
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor — UserLogon2 and UserLogonFailed2 events Falcon Data Replicator (FDR) authentication event stream

Required Tables

UserLogon2 UserLogonFailed2

False Positives

Legitimate remote administration tools such as PSExec or custom WinRM automation scripts cycling through multiple authentication attempts from a single management workstation IP when executing against a host list in sequence
Domain controller Kerberos pre-authentication failures during Kerberos ticket renewal or KDC fallback scenarios where the Falcon sensor logs interim failures from internal DC IPs before successful TGT issuance
Falcon sensor coverage validation tests or tabletop exercises where the security team deliberately simulates brute force from a known test machine to verify alerting pipeline functionality

Brute Force

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Credential Access

Popular Detections