T1110.001 Password Guessing Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1110.001 - Password Guessing Detection
// Detect high-volume authentication failures indicative of password guessing
let TimeWindow = 10m;
let FailureThreshold = 10;
let AccountLockoutThreshold = 5;
// --- Windows Security Event Logon Failures (Event ID 4625) ---
let WindowsLogonFailures =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| where AccountType == "User"
| extend TargetAccount = tolower(TargetUserName)
| extend SourceIP = IpAddress
| where TargetAccount !in~ ("anonymous logon", "-", "")
| where SourceIP !in ("127.0.0.1", "::1", "-", "")
| summarize
    FailureCount = count(),
    DistinctAccounts = dcount(TargetAccount),
    Accounts = make_set(TargetAccount, 20),
    LogonTypes = make_set(LogonType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, Computer, bin(TimeGenerated, TimeWindow)
| where FailureCount >= FailureThreshold
| extend DetectionType = "Windows Logon Failure Burst"
| extend Severity = case(
    FailureCount >= 50, "High",
    FailureCount >= 20, "Medium",
    "Low"
  );
// --- Kerberos Pre-Auth Failures (Event ID 4771) ---
let KerberosFailures =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4771
| extend TargetAccount = tolower(TargetUserName)
| extend SourceIP = IpAddress
| where TargetAccount !in~ ("-", "")
| summarize
    FailureCount = count(),
    DistinctAccounts = dcount(TargetAccount),
    Accounts = make_set(TargetAccount, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, Computer, bin(TimeGenerated, TimeWindow)
| where FailureCount >= FailureThreshold
| extend DetectionType = "Kerberos Pre-Auth Failure Burst"
| extend LogonTypes = dynamic([])
| extend Severity = case(
    FailureCount >= 50, "High",
    FailureCount >= 20, "Medium",
    "Low"
  );
// --- NTLM Authentication Failures (Event ID 4776) ---
let NTLMFailures =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4776
| where Status != "0x0"
| extend TargetAccount = tolower(TargetUserName)
| extend SourceIP = SourceWorkstation
| where TargetAccount !in~ ("-", "")
| summarize
    FailureCount = count(),
    DistinctAccounts = dcount(TargetAccount),
    Accounts = make_set(TargetAccount, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, Computer, bin(TimeGenerated, TimeWindow)
| where FailureCount >= FailureThreshold
| extend DetectionType = "NTLM Auth Failure Burst"
| extend LogonTypes = dynamic([])
| extend Severity = case(
    FailureCount >= 50, "High",
    FailureCount >= 20, "Medium",
    "Low"
  );
// --- Union all detection types ---
union WindowsLogonFailures, KerberosFailures, NTLMFailures
| project
    TimeGenerated = FirstSeen,
    LastSeen,
    Computer,
    SourceIP,
    DetectionType,
    FailureCount,
    DistinctAccounts,
    Accounts,
    LogonTypes,
    Severity
| sort by FailureCount desc

medium severity high confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log Active Directory: Active Directory Credential Request

Required Tables

SecurityEvent

False Positives

Misconfigured service accounts with expired or incorrect passwords generating repeated authentication failures against domain controllers
Vulnerability scanners or penetration testing tools (Nessus, Qualys, Rapid7) performing authenticated scans that fail due to incorrect test credentials
End users who have forgotten their passwords attempting to log in multiple times before calling the help desk
Automated IT processes or scripts using hardcoded credentials that have not been updated after a password rotation

Splunk

spl

index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security")
  (EventCode=4625 OR EventCode=4771 OR EventCode=4776)
| eval TargetAccount=case(
    EventCode=4625, lower(mvindex('TargetUserName', 0)),
    EventCode=4771, lower(mvindex('TargetUserName', 0)),
    EventCode=4776, lower(mvindex('TargetUserName', 0)),
    true(), "unknown"
  )
| eval SourceIP=case(
    EventCode=4625, coalesce(IpAddress, src_ip),
    EventCode=4771, coalesce(IpAddress, src_ip),
    EventCode=4776, coalesce(SourceWorkstation, src_ip),
    true(), "unknown"
  )
| eval DetectionType=case(
    EventCode=4625, "Windows Logon Failure",
    EventCode=4771, "Kerberos Pre-Auth Failure",
    EventCode=4776, "NTLM Auth Failure",
    true(), "Unknown"
  )
| where TargetAccount!="" AND TargetAccount!="-" AND TargetAccount!="anonymous logon"
| where SourceIP!="" AND SourceIP!="-" AND SourceIP!="127.0.0.1" AND SourceIP!="::1"
| bucket _time span=10m
| stats
    count as FailureCount,
    dc(TargetAccount) as DistinctAccounts,
    values(TargetAccount) as Accounts,
    values(DetectionType) as DetectionTypes,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by _time, host, SourceIP
| where FailureCount >= 10
| eval Severity=case(
    FailureCount >= 50, "High",
    FailureCount >= 20, "Medium",
    true(), "Low"
  )
| eval AttackPattern=if(DistinctAccounts > 3, "Password Spray Likely", "Password Guessing")
| table FirstSeen, LastSeen, host, SourceIP, FailureCount, DistinctAccounts, Accounts, DetectionTypes, Severity, AttackPattern
| sort - FailureCount

medium severity high confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Windows Security Event Log

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Security

False Positives

Misconfigured service accounts with expired or incorrect passwords generating repeated authentication failures against domain controllers
Vulnerability scanners or penetration testing tools (Nessus, Qualys, Rapid7) performing authenticated scans that fail due to incorrect test credentials
End users who have forgotten their passwords attempting to log in multiple times before calling the help desk
Automated IT processes or scripts using hardcoded credentials that have not been updated after a password rotation

Elastic Security (EQL)

eql

sequence by host.name, source.ip with maxspan=10m
  [authentication where event.outcome == "failure"
   and event.code in ("4625", "4771", "4776")
   and user.name != null
   and user.name != ""
   and user.name != "-"
   and source.ip != null
   and source.ip != "127.0.0.1"
   and source.ip != "::1"] with runs=10

medium severity high confidence

Data Sources

Windows Security Event Log via Elastic Agent (system integration) Winlogbeat Elastic Endpoint Security

Required Tables

logs-system.security-* winlogbeat-* .ds-logs-system.security-*

False Positives

Automated service accounts with recently rotated or misconfigured credentials generating repeated authentication failures during scheduled task execution
IT administrators running authorized vulnerability scanners or password audit tools (e.g., Nessus credential checks) that produce high-volume logon failures
Users locked out of accounts who repeatedly attempt login with incorrect passwords from a single workstation or jump host

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  COUNT(*) AS FailureCount,
  UNIQUECOUNT(username) AS DistinctAccounts,
  ARRAY(username) AS Accounts,
  CASE
    WHEN COUNT(*) >= 50 THEN 'High'
    WHEN COUNT(*) >= 20 THEN 'Medium'
    ELSE 'Low'
  END AS Severity,
  CASE
    WHEN UNIQUECOUNT(username) > 3 THEN 'Password Spray Likely'
    ELSE 'Password Guessing'
  END AS AttackPattern
FROM events
WHERE LOGSOURCETYPEID IN (12, 13)
  AND eventid IN (4625, 4771, 4776)
  AND username NOT IN ('', '-', 'ANONYMOUS LOGON')
  AND sourceip IS NOT NULL
  AND sourceip NOT IN ('127.0.0.1', '0:0:0:0:0:0:0:1')
GROUP BY sourceip, destinationip, TRUNCATE(LONG(starttime) / 600000)
HAVING FailureCount >= 10
ORDER BY FailureCount DESC
LAST 60 MINUTES

medium severity high confidence

Data Sources

Windows Security Event Log (QRadar Log Source Type 12 - Microsoft Windows Security Event Log) Microsoft Active Directory Domain Controller logs Microsoft Windows Server authentication logs

Required Tables

events

False Positives

Backup agents or monitoring software using service accounts whose passwords were rotated without updating the agent configuration, generating periodic authentication failure bursts
Helpdesk or IT staff testing account lockout policies or conducting authorized credential audits during maintenance windows
Legacy applications or scheduled tasks configured with stale service account credentials that have not been updated after a password policy enforcement cycle

Sumo Logic CSE

sql

(_sourceCategory=Windows/Security OR _sourceCategory=OS/Windows/Security OR _sourceName=Security)
| where EventCode in ("4625", "4771", "4776")
| parse regex "(?:Target|Caller) User Name:\s+(?<TargetAccount>\S+)" nodrop
| parse regex "Source Network Address:\s+(?<SourceIP>[\d.:a-fA-F]+)" nodrop
| parse regex "Workstation Name:\s+(?<SourceWorkstation>\S+)" nodrop
| where !isNull(TargetAccount) and TargetAccount != "" and TargetAccount != "-"
| where toLowerCase(TargetAccount) != "anonymous logon"
| where !isNull(SourceIP) and SourceIP != "" and SourceIP != "-"
| where SourceIP != "127.0.0.1" and SourceIP != "::1"
| timeslice 10m
| eval DetectionType = if(EventCode=="4625", "Windows Logon Failure", if(EventCode=="4771", "Kerberos Pre-Auth Failure", "NTLM Auth Failure"))
| count as FailureCount, dcount(TargetAccount) as DistinctAccounts by _timeslice, _sourceHost, SourceIP, DetectionType
| where FailureCount >= 10
| eval Severity = if(FailureCount >= 50, "High", if(FailureCount >= 20, "Medium", "Low"))
| eval AttackPattern = if(DistinctAccounts > 3, "Password Spray Likely", "Password Guessing")
| fields _timeslice, _sourceHost, SourceIP, DetectionType, FailureCount, DistinctAccounts, Severity, AttackPattern
| sort by FailureCount

medium severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Source Category Windows/Security) Sumo Logic Cloud SIEM Windows event sensor Windows Event Collector forwarding to Sumo Logic HTTP source

Required Tables

Windows Security Event Log

False Positives

Backup or endpoint management software (e.g., SCCM, Tanium) using service accounts with expired passwords that generate authentication failure bursts during scheduled scans or deployments
Users accessing multiple internal services simultaneously with cached browser credentials that became invalid after a password change, triggering failures across multiple systems at once
Network device discovery or inventory tools (e.g., SolarWinds, Nmap with NSE scripts) performing authenticated connectivity checks using default or test credentials against Windows hosts

Google Chronicle / SecOps

yaral

rule T1110_001_password_guessing {
  meta:
    author = "Detection Engineering"
    description = "Detects password guessing via high-volume Windows authentication failures (logon failure, Kerberos pre-auth, NTLM) from the same source IP to the same host within a 10-minute window."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1110.001"
    mitre_attack_technique_name = "Brute Force: Password Guessing"
    severity = "MEDIUM"
    priority = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1110/001/"
    false_positives = "Service accounts with expired credentials, authorized password audit tools"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    $e.metadata.vendor_name = "Microsoft"
    $e.principal.ip != ""
    not $e.principal.ip = "127.0.0.1"
    not $e.principal.ip = "::1"
    $e.target.user.userid != ""
    not $e.target.user.userid = "-"
    not re.regex($e.target.user.userid, `(?i)^anonymous logon$`)
    $source_ip = $e.principal.ip
    $target_host = $e.target.hostname

  match:
    $source_ip, $target_host over 10m

  condition:
    #e >= 10
}

medium severity high confidence

Data Sources

Google Chronicle UDM - USER_LOGIN events Windows Security Event Log ingested via Chronicle forwarder or BindPlane Microsoft Active Directory / Windows Server events normalized to Chronicle UDM

Required Tables

UDM entity: USER_LOGIN (security_result.action = BLOCK)

False Positives

Legitimate users repeatedly failing multi-factor authentication challenges due to misconfigured authenticator apps or expired TOTP codes, generating blocked login events in rapid succession
Service accounts running automated ETL jobs or scheduled scripts with credentials that expired mid-execution, causing a burst of authentication failures at predictable job start times
IT operations teams running automated runbooks or configuration management tools (e.g., Ansible, Puppet) that include credential validation steps across multiple accounts during system provisioning

CrowdStrike LogScale (CQL)

cql

#event_simpleName = UserLogonFailed2
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "::1"
| RemoteAddressIP4 != ""
| UserName != ""
| UserName != "-"
| UserName != "ANONYMOUS LOGON"
| bucket(span=10min, function=[
    count(as=FailureCount),
    count(UserName, distinct=true, as=DistinctAccounts),
    collect([UserName], max=20, as=Accounts),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen)
  ], by=[ComputerName, RemoteAddressIP4])
| FailureCount >= 10
| case {
    FailureCount >= 50 | Severity := "High";
    FailureCount >= 20 | Severity := "Medium";
    * | Severity := "Low"
  }
| case {
    DistinctAccounts > 3 | AttackPattern := "Password Spray Likely";
    * | AttackPattern := "Password Guessing"
  }
| sort(FailureCount, order=desc)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Agent (UserLogonFailed2 event stream) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike LogScale (Humio) ingestion pipeline

Required Tables

Falcon event stream: UserLogonFailed2

False Positives

Endpoint management agents (SCCM, Microsoft Intune, Tanium) using cached service account credentials that expired, generating periodic UserLogonFailed2 bursts during scheduled compliance scans or software deployments
Users actively recovering from an account lockout by repeatedly attempting to authenticate while a password reset request is being processed by the helpdesk
Internal red team or security assessment programs running authorized credential testing tools (e.g., CrackMapExec in lab scope, Metasploit auxiliary modules) against sanctioned target systems within a defined engagement window

Password Guessing

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections