Which SIEM platforms have a T1110.001 detection rule?

df00tech provides T1110.001 (Password Guessing) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Password Guessing (T1110.001)?

Detecting Password Guessing requires the following data sources: Logon Session: Logon Session Creation, User Account: User Account Authentication, Windows Security Event Log, Active Directory: Active Directory Credential Request.

What severity and confidence is the T1110.001 detection?

The T1110.001 detection is rated medium severity with high confidence.

What are common false positives for T1110.001?

Common false positives for T1110.001 include: Misconfigured service accounts with expired or incorrect passwords generating repeated authentication failures against domain controllers; Vulnerability scanners or penetration testing tools (Nessus, Qualys, Rapid7) performing authenticated scans that fail due to incorrect test credentials; End users who have forgotten their passwords attempting to log in multiple times before calling the help desk.

T1110.001 IBM QRadar · QRadar

Detect Password Guessing in IBM QRadar

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Commonly targeted services include SSH, RDP, SMB, LDAP, Kerberos, FTP, MSSQL, MySQL, VNC, and web management portals. Threat actors such as APT28, APT29, Emotet, and tools like CrackMapExec have leveraged this technique extensively.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1110 Brute Force
Sub-technique: T1110.001 Password Guessing
Canonical reference: https://attack.mitre.org/techniques/T1110/001/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  COUNT(*) AS FailureCount,
  UNIQUECOUNT(username) AS DistinctAccounts,
  ARRAY(username) AS Accounts,
  CASE
    WHEN COUNT(*) >= 50 THEN 'High'
    WHEN COUNT(*) >= 20 THEN 'Medium'
    ELSE 'Low'
  END AS Severity,
  CASE
    WHEN UNIQUECOUNT(username) > 3 THEN 'Password Spray Likely'
    ELSE 'Password Guessing'
  END AS AttackPattern
FROM events
WHERE LOGSOURCETYPEID IN (12, 13)
  AND eventid IN (4625, 4771, 4776)
  AND username NOT IN ('', '-', 'ANONYMOUS LOGON')
  AND sourceip IS NOT NULL
  AND sourceip NOT IN ('127.0.0.1', '0:0:0:0:0:0:0:1')
GROUP BY sourceip, destinationip, TRUNCATE(LONG(starttime) / 600000)
HAVING FailureCount >= 10
ORDER BY FailureCount DESC
LAST 60 MINUTES

medium severity high confidence

Detects password guessing by aggregating Windows authentication failure events (Event IDs 4625 logon failure, 4771 Kerberos pre-auth failure, 4776 NTLM credential validation failure) from QRadar Windows log sources in 10-minute buckets, alerting when 10 or more failures are observed from the same source IP to the same destination. Classifies attack pattern as password guessing vs spray based on distinct account count.

Data Sources

Windows Security Event Log (QRadar Log Source Type 12 - Microsoft Windows Security Event Log)Microsoft Active Directory Domain Controller logsMicrosoft Windows Server authentication logs

Required Tables

events

False Positives & Tuning

Backup agents or monitoring software using service accounts whose passwords were rotated without updating the agent configuration, generating periodic authentication failure bursts
Helpdesk or IT staff testing account lockout policies or conducting authorized credential audits during maintenance windows
Legacy applications or scheduled tasks configured with stale service account credentials that have not been updated after a password policy enforcement cycle

Download portable Sigma rule (.yml)

Other platforms for T1110.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1RDP Password Guessing with Hydra
Expected signal: Windows Security Event ID 4625 (Logon Failure) with LogonType=10 (RemoteInteractive) on the target system, source IP matching the attacker host. Multiple failures in rapid succession. Network flow logs showing repeated TCP connections to port 3389 from attacker IP.
Test 2SMB Password Guessing with CrackMapExec
Expected signal: Windows Security Event ID 4625 (Logon Failure) with LogonType=3 (Network) and SubStatus 0xC000006A (wrong password) on the target DC/server. Event ID 4776 (NTLM validation failure) may also appear. Sysmon Event ID 3 on the attacker host showing outbound connections to port 445.
Test 3SSH Password Guessing using Hydra on Linux
Expected signal: Linux syslog/auth.log entries: 'Failed password for <user> from <attacker_ip> port <port> ssh2' and 'Invalid user <user> from <attacker_ip>'. Multiple entries in rapid succession from attacker IP. Possible PAM failure events if auditd is configured.
Test 4Windows Local Account Password Guessing via Net Use
Expected signal: Windows Security Event ID 4625 (Logon Failure) on the target host with LogonType=3 (Network), SubStatus=0xC000006A (wrong password), and source IP matching the test machine. Sysmon Event ID 1 on the attacker machine showing cmd.exe spawning with 'net use' command line. Security Event ID 4648 (logon with explicit credentials) may also appear.
Test 5Azure AD / Office 365 Password Guessing via MSOLSpray
Expected signal: Azure AD SigninLogs / AADSignInLogs in Microsoft Sentinel: ResultType = 50126 (invalid username or password) or 50053 (account locked out), with repeated entries from same IP. UserAgent reflecting PowerShell/HTTP client. Office 365 Unified Audit Log: UserLoginFailed operation with ClientInfoString showing legacy auth client.

Last updated: 2026-04-17 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1110.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Password Guessing in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1110.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1110.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox