Which SIEM platforms have a T1589 detection rule?

df00tech provides T1589 (Gather Victim Identity Information) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Gather Victim Identity Information (T1589)?

Detecting Gather Victim Identity Information requires the following data sources: Azure Active Directory, Microsoft Entra ID.

What severity and confidence is the T1589 detection?

The T1589 detection is rated high severity with medium confidence.

What are common false positives for T1589?

Common false positives for T1589 include: Penetration testing engagements performing authorized username enumeration against Azure AD tenants; Misconfigured applications cycling through user lists for automated login (e.g., legacy SSO, misconfigured service accounts); Employee self-service helpdesk tools that probe SSPR status for multiple users during bulk account operations.

T1589

Gather Victim Identity Information

Reconnaissance Last updated: April 13, 2026

This detection identifies adversary attempts to enumerate victim identity information—credentials, email addresses, and employee names—through active probing of authentication services and monitoring of downstream indicators of OSINT-driven targeting. Since T1589 is a PRE-ATT&CK technique occurring largely outside victim infrastructure, detection focuses on second-order observable signals: anomalous username enumeration via Azure AD sign-in failures with differential error codes (e.g., UserNameDoesNotExist vs. InvalidPassword), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from single sources against multiple distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have exploited these mechanisms to build target identity lists before launching phishing, credential stuffing, or social engineering campaigns.

What is T1589 Gather Victim Identity Information?

Gather Victim Identity Information (T1589) maps to the Reconnaissance tactic — the adversary is trying to gather information they can use to plan future operations in MITRE ATT&CK.

This page provides production-ready detection logic for Gather Victim Identity Information, covering the data sources and telemetry it touches: Azure Active Directory, Microsoft Entra ID. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1589 Gather Victim Identity Information
Canonical reference: https://attack.mitre.org/techniques/T1589/

Microsoft Sentinel / Defender

kusto

let lookback = 1h;
let enumThreshold = 15;
// Primary: Azure AD username enumeration via differential auth error codes
let AzureADEnum = AADSignInLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50034", "50053", "50055", "50057", "50072", "50076")
// 50034=UserNameDoesNotExist, 50053=AccountLocked, 50055=PasswordExpired, 50057=AccountDisabled
| extend 
    IsUsernameNotFound = iff(ResultType == "50034", 1, 0),
    IsLockedOrDisabled = iff(ResultType in ("50053", "50057"), 1, 0)
| summarize 
    TotalFailures = count(),
    UniqueUsernames = dcount(UserPrincipalName),
    UsernameNotFoundCount = sum(IsUsernameNotFound),
    LockedDisabledCount = sum(IsLockedOrDisabled),
    UserList = make_set(UserPrincipalName, 25),
    ErrorCodes = make_set(ResultType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, AppDisplayName, ResultDescription
| where UniqueUsernames >= enumThreshold
| extend 
    DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen),
    EnumRate = round(todouble(UniqueUsernames) / iff(datetime_diff('minute', LastSeen, FirstSeen) == 0, 1, todouble(datetime_diff('minute', LastSeen, FirstSeen))), 2),
    SuspicionScore = case(
        UniqueUsernames >= 100, "Critical",
        UniqueUsernames >= 50 or UsernameNotFoundCount >= 30, "High",
        UniqueUsernames >= 15, "Medium",
        "Low"
    )
| project 
    DetectionTime = LastSeen,
    IPAddress,
    AppDisplayName,
    UniqueUsernames,
    TotalFailures,
    UsernameNotFoundCount,
    EnumRate,
    SuspicionScore,
    UserList,
    ErrorCodes,
    DurationMinutes
| order by UniqueUsernames desc;
// Secondary: SSPR abuse for identity enumeration
let SSPREnum = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Reset password (self-service)", "Self-service password reset flow activity", "Verify email address phone number")
| where ResultReason contains "blocked" or ResultReason contains "failed" or ActivityDisplayName contains "verify"
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(IPAddress)
| summarize
    SSPRAttempts = count(),
    UniqueTargets = dcount(tostring(TargetResources[0].userPrincipalName)),
    TargetList = make_set(tostring(TargetResources[0].userPrincipalName), 25),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress
| where UniqueTargets >= 10
| extend DetectionType = "SSPR_Enumeration", SuspicionScore = iff(UniqueTargets >= 25, "High", "Medium")
| project DetectionTime = LastSeen, IPAddress, UniqueTargets, SSPRAttempts, SuspicionScore, TargetList;
// Union both detection signals
AzureADEnum
| extend DetectionType = "Auth_Username_Enumeration"
| union (SSPREnum | extend UniqueUsernames = UniqueTargets, TotalFailures = SSPRAttempts, UserList = TargetList, UsernameNotFoundCount = 0, EnumRate = 0.0, ErrorCodes = dynamic(["SSPR"]), DurationMinutes = 0)
| order by SuspicionScore asc, UniqueUsernames desc

Detects adversary username enumeration via two vectors: (1) Azure AD sign-in attempts producing differential error codes (50034=UserNameDoesNotExist vs. password errors) from a single source IP across 15+ distinct usernames within an hour, and (2) Self-Service Password Reset flow abuse targeting multiple unique accounts. Combines both signals to surface identity reconnaissance activity consistent with LAPSUS$, Scattered Spider, and HEXANE TTPs.

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID

Required Tables

AADSignInLogs AuditLogs

False Positives

Penetration testing engagements performing authorized username enumeration against Azure AD tenants
Misconfigured applications cycling through user lists for automated login (e.g., legacy SSO, misconfigured service accounts)
Employee self-service helpdesk tools that probe SSPR status for multiple users during bulk account operations
Password expiration notification systems contacting multiple accounts in rapid succession
IT onboarding scripts performing bulk account validation during directory synchronization

Splunk

spl

| union
  [search index=* sourcetype="WinEventLog:Security" EventCode=4625
   | eval SubStatus=coalesce(SubStatus,"unknown")
   | where SubStatus IN ("0xc0000064", "0xc0000072", "0xc000006d")
   | eval EnumSignal="UserNotFound_or_InvalidUser"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | where SourceIP != "127.0.0.1" AND SourceIP != "-" AND isnotnull(SourceIP)
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       values(SubStatus) as SubStatusList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, WorkstationName, EnumSignal
   | where UniqueUsers >= 10]
  [search index=* sourcetype="WinEventLog:Security" EventCode=4771
   | eval KerbErrorCode=coalesce(Status, "unknown")
   | where KerbErrorCode IN ("0x6", "0x18")
   | eval EnumSignal="Kerberos_UsernameNotFound"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, EnumSignal
   | where UniqueUsers >= 10]
| eval DurationSeconds=LastSeen-FirstSeen
| eval DurationMinutes=round(DurationSeconds/60,1)
| eval EnumRate=round(UniqueUsers/if(DurationMinutes=0,1,DurationMinutes),2)
| eval SuspicionScore=case(
    UniqueUsers >= 100, "Critical",
    UniqueUsers >= 50, "High",
    UniqueUsers >= 25, "Medium",
    "Low"
  )
| where SuspicionScore IN ("Critical","High","Medium")
| eval FirstSeenHuman=strftime(FirstSeen,"%Y-%m-%d %H:%M:%S")
| eval LastSeenHuman=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")
| table SourceIP, WorkstationName, EnumSignal, UniqueUsers, FailCount, EnumRate, SuspicionScore, UserList, FirstSeenHuman, LastSeenHuman
| sort - UniqueUsers

Detects username enumeration via Windows Security Event ID 4625 (logon failure) filtered to SubStatus 0xc0000064 (user does not exist) and 4771 (Kerberos pre-auth failure with code 0x6 = user unknown), aggregated by source IP. Flags sources probing 10+ distinct usernames within the search window as identity reconnaissance activity.

high severity medium confidence

Data Sources

Windows Security Logs Kerberos Authentication Logs

Required Sourcetypes

WinEventLog:Security

False Positives

Authorized red team or penetration testing exercises performing username enumeration against domain controllers
Legacy applications using deprecated NTLM authentication cycling through stale credential stores
Backup agents or monitoring tools attempting authentication with outdated service account lists
IT help desk tools performing bulk account status checks during password reset workflows
Domain synchronization operations between AD forests with name resolution mismatches

Elastic Security (EQL)

eql

/* T1589 - Victim Identity Enumeration via Differential Auth Error Codes */
/* Deploy as Threshold rule type: count_distinct(user.name) >= 15 grouped by source.ip over 1h */
any where
  (
    /* Azure AD / Entra ID sign-in failure via Elastic Azure integration */
    event.dataset == "azure.signinlogs" and
    event.outcome == "failure" and
    azure.signinlogs.properties.status.error_code in (50034, 50053, 50055, 50057, 50072, 50076) and
    source.ip != null and source.ip != "" and
    user.name != null and user.name != ""
  ) or (
    /* On-prem Windows NTLM logon failure - username does not exist or account disabled */
    event.code == "4625" and
    event.outcome == "failure" and
    winlog.event_data.SubStatus in (
      "0xc0000064", "0xC0000064",
      "0xc0000072", "0xC0000072",
      "0xc000006d", "0xC000006D"
    ) and
    source.ip != null and
    not cidr_match(source.ip, "127.0.0.0/8", "::1/128") and
    winlog.event_data.TargetUserName != null and
    winlog.event_data.TargetUserName != "-" and
    winlog.event_data.TargetUserName != "ANONYMOUS LOGON"
  ) or (
    /* Kerberos pre-auth failure - 0x6=ClientNotFound, 0x18=PasswordMismatch */
    event.code == "4771" and
    event.outcome == "failure" and
    winlog.event_data.Status in ("0x6", "0x18") and
    source.ip != null and
    not cidr_match(source.ip, "127.0.0.0/8", "::1/128") and
    winlog.event_data.TargetUserName != null and
    winlog.event_data.TargetUserName != "-"
  )

Detects T1589 victim identity enumeration via differential authentication error code analysis across both cloud (Azure AD/Entra ID) and on-premises identity providers. Matches Azure AD sign-in failures with error codes distinguishing non-existent users (50034), locked accounts (50053), expired passwords (50055), disabled accounts (50057), and MFA enumeration probes (50072/50076). Also matches Windows Security Event 4625 with SubStatus 0xC0000064 (user does not exist), 0xC0000072 (account disabled), and Kerberos Event 4771 with Status 0x6 (client not found) or 0x18 (wrong password). Must be deployed as a Threshold rule type in Elastic SIEM with count_distinct(user.name) >= 15 and count_distinct(user.name) as the unique key, grouped by source.ip over a 1-hour window, to replicate the aggregation logic from the reference KQL/SPL queries.

high severity high confidence

Data Sources

Azure Active Directory Sign-In Logs via Elastic Azure integration (azure.signinlogs) Windows Security Event Log via Winlogbeat or Elastic Agent (winlog) Elastic Agent with System integration (system.security) Microsoft 365 Defender data forwarded via Elastic integration

Required Tables

logs-azure.signinlogs-* logs-system.security-* winlogbeat-* .ds-logs-system.security-*

False Positives

Authorized penetration testing or red team exercises performing Active Directory account enumeration from known internal jump hosts or CIDR ranges — create rule exceptions for pre-approved test source IPs during engagement windows
Legacy enterprise applications (ERP, ITSM) with hardcoded service account credential arrays that rotate through dozens of accounts during startup or scheduled synchronization jobs, producing burst authentication failures from a single host IP
Helpdesk and IAM provisioning platforms (ServiceNow, SailPoint, Saviynt) that validate username existence across large employee batches during bulk onboarding or offboarding processing cycles
Password expiry notification services that probe account status for all users nearing expiry and generate incidental authentication failures for already-expired or locked accounts
Security operations tooling such as SOAR playbooks or UEBA enrichment services that query identity providers to resolve user context for unrelated alerts, producing spurious failures against inactive or service accounts

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  COUNT(*) AS total_failures,
  COUNT(DISTINCT username) AS unique_usernames,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) AS duration_minutes,
  ROUND(
    LONG(COUNT(DISTINCT username)) /
    CASE
      WHEN ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) = 0 THEN 1
      ELSE ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1)
    END,
    2
  ) AS enum_rate_per_min,
  CASE
    WHEN COUNT(DISTINCT username) >= 100 THEN 'Critical'
    WHEN COUNT(DISTINCT username) >= 50  THEN 'High'
    WHEN COUNT(DISTINCT username) >= 15  THEN 'Medium'
    ELSE 'Low'
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Active Directory'
  )
  AND (
    /* Windows 4625: SubStatus identifies non-existent user vs disabled vs generic failure */
    (
      CATEGORYNAME(category) LIKE '%Authentication%'
      AND CATEGORYNAME(category) LIKE '%Fail%'
      AND (
        UTF8(payload) LIKE '%0xC0000064%'
        OR UTF8(payload) LIKE '%0xc0000064%'
        OR UTF8(payload) LIKE '%0xC0000072%'
        OR UTF8(payload) LIKE '%0xc0000072%'
        OR UTF8(payload) LIKE '%0xC000006D%'
        OR UTF8(payload) LIKE '%0xc000006d%'
      )
    )
    OR
    /* Kerberos 4771: 0x6=client not found, 0x18=wrong password — differential enumeration signal */
    (
      UTF8(payload) LIKE '%Kerberos%'
      AND (
        UTF8(payload) LIKE '%Failure Code:%0x6 %'
        OR UTF8(payload) LIKE '%Failure Code:%0x18 %'
        OR UTF8(payload) LIKE '%Failure Code: 0x6%'
        OR UTF8(payload) LIKE '%Failure Code: 0x18%'
      )
    )
  )
  AND sourceip IS NOT NULL
  AND sourceip <> '127.0.0.1'
  AND sourceip <> '0.0.0.0'
  AND sourceip <> '::1'
  AND username IS NOT NULL
  AND username <> 'N/A'
  AND username <> '-'
  AND username <> 'ANONYMOUS LOGON'
GROUP BY sourceip
HAVING COUNT(DISTINCT username) >= 15
ORDER BY unique_usernames DESC
LAST 1 HOURS

QRadar AQL detection for T1589 victim identity enumeration correlating Windows authentication failure telemetry. Groups events from the Microsoft Windows Security Event Log DSM by source IP and applies a >=15 distinct username threshold over a 1-hour window. Filters on SubStatus codes that discriminate non-existent accounts (0xC0000064), disabled accounts (0xC0000072), and general logon failures (0xC000006D) from Event 4625, and Kerberos failure codes 0x6 (client not found) and 0x18 (wrong password) from Event 4771. Suspicion scoring matches the SPL reference: Critical >=100, High >=50, Medium >=15 unique usernames. The enum_rate_per_min field enables rate-based escalation in downstream correlation rules.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM: Microsoft Windows Security Event Log) Microsoft Active Directory DSM Kerberos authentication log source mapped to Windows Security DSM QRadar Network Insights (NI) for network-layer authentication traffic correlation

Required Tables

events

False Positives

Authorized red team or penetration testing engagements performing Active Directory enumeration from internal hosts using tools such as Kerbrute, CrackMapExec, or BloodHound — suppress by adding known test-range IPs to a QRadar reference set and excluding them in the WHERE clause
SIEM or log aggregator systems that consolidate authentication events from many endpoints and forward them under a single collector IP, causing the source IP grouping to accumulate unique usernames from disparate actual sources
Network Access Control (NAC) or 802.1X enforcement infrastructure sequentially authenticating many endpoints during a policy enforcement cycle or after a network topology change that forces mass reauthentication
Enterprise backup agents (Veeam, Commvault, Veritas) that authenticate via NTLM to many target hosts during backup scheduling, producing bursts of type-3 logon failures when service account credentials are rotated without updating the backup configuration
LDAP-integrated ticketing or provisioning systems (e.g., Jira, Confluence with AD auth) performing batch user validation against the directory as part of license reconciliation or group membership sync jobs

Sumo Logic CSE

sql

/* T1589 - Victim Identity Enumeration via Authentication Failure Error Code Analysis */
(_sourceCategory=*windows*security* OR _sourceCategory=*WinEventLog*Security* OR _sourceCategory=*os/windows/security*)
| where EventCode in ("4625", "4771")
/* Extract SubStatus for NTLM/interactive failures (4625) */
| parse regex "(?i)Sub\s*Status[^:]*:\s*(?P<SubStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract Kerberos failure code (4771) */
| parse regex "(?i)Failure Code[^:]*:\s*(?P<KerbStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract target username */
| parse regex "(?i)Account Name[^:]*:\s*(?P<TargetUserName>[^\r\n]+)" nodrop
/* Extract source IP from NTLM logon */
| parse regex "(?i)Source Network Address[^:]*:\s*(?P<SourceIPRaw>[^\r\n]+)" nodrop
/* Extract Kerberos client address, strip IPv4-mapped prefix */
| parse regex "(?i)Client Address[^:]*:\s*(?:::ffff:)?(?P<KerbIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop
| eval SourceIP = if(isNull(SourceIPRaw) OR SourceIPRaw == "-" OR SourceIPRaw == "", KerbIP, SourceIPRaw)
/* Apply differential error code filter — these codes uniquely identify enumeration vs normal failure */
| where
  (EventCode == "4625" AND SubStatus in ("0xc0000064", "0xC0000064", "0xc0000072", "0xC0000072", "0xc000006d", "0xC000006D"))
  OR (EventCode == "4771" AND KerbStatus in ("0x6", "0x18"))
| where !isNull(SourceIP) AND SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1"
| where !isNull(TargetUserName) AND TargetUserName != "-" AND TargetUserName != "ANONYMOUS LOGON" AND TargetUserName != ""
| timeslice 1h
| stats count as fail_count, count_distinct(TargetUserName) as unique_users, values(TargetUserName) as user_list by SourceIP, EventCode, _timeslice
| where unique_users >= 15
| eval suspicion_score = if(unique_users >= 100, "Critical", if(unique_users >= 50, "High", if(unique_users >= 15, "Medium", "Low")))
| where suspicion_score in ("Critical", "High", "Medium")
| sort by unique_users desc
| fields SourceIP, EventCode, unique_users, fail_count, suspicion_score, user_list, _timeslice

Sumo Logic detection for T1589 victim identity enumeration targeting on-premises Windows authentication infrastructure. Parses Windows Security Event 4625 SubStatus codes to isolate enumeration-specific failure conditions: 0xC0000064 (user account does not exist), 0xC0000072 (account disabled), and 0xC000006D (logon failure — used for spray baseline). Adds Kerberos pre-auth failures (Event 4771) with Status 0x6 (client not found) and 0x18 (wrong password) to detect enumeration against Kerberos-integrated services. Aggregates per source IP using 1-hour timeslices with a >=15 distinct username threshold and Critical/High/Medium scoring tiers mirroring the reference SPL logic. The `values()` function collects the sampled username list for analyst triage.

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Windows Event Log source) Windows Security Event Log via Sumo Logic OpenTelemetry Collector (otelcol) Splunk Universal Forwarder with Sumo Logic HTTP Source endpoint (for hybrid deployments) Sumo Logic Cloud SIEM (CSE) with Windows normalized schema

Required Tables

Windows Event Log source (_sourceCategory=*windows*security*) Sumo Logic Installed Collector with Windows Security Event Log source type

False Positives

Authorized penetration testing or tabletop exercise teams running tools such as Kerbrute, Rubeus, or Impacket from internal or DMZ segments — confirm with security team calendar and suppress by source IP during engagement
Enterprise single sign-on (SSO) reverse proxies or application delivery controllers (F5 APM, Citrix ADC) that source all authentication traffic from a VIP address, making thousands of end-user failures appear as single-IP enumeration
IT operations bulk password reset tooling (e.g., Active Roles, Quest, PowerShell scripts) executed during incident response that touches many accounts in rapid succession from an admin workstation or jump server
Third-party HR or identity lifecycle management systems (Workday, SAP SuccessFactors connectors) performing nightly user reconciliation against Active Directory and generating failures for stale or pre-provisioned accounts
Legacy Kerberos-integrated applications that do not cache service tickets and re-authenticate frequently, producing high-volume 4771 events when service account passwords are rotated or DES/RC4 downgrade issues trigger repeated failures

Google Chronicle / SecOps

yaral

rule t1589_victim_identity_enumeration {
  meta:
    author = "Security Operations"
    description = "Detects adversary username enumeration via differential authentication error codes (T1589 — Gather Victim Identity Information). Triggers when a single source IP probes >= 15 distinct account names within 1 hour using auth error codes that distinguish non-existent from valid-but-failed accounts. Covers Azure AD sign-in codes and on-prem Windows/Kerberos failures normalized to UDM."
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1589"
    mitre_attack_subtechnique = "T1589.001"
    reference = "https://attack.mitre.org/techniques/T1589/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    (
      // Azure AD / Entra ID error codes — UserNameDoesNotExist, AccountLocked, AccountDisabled, PasswordExpired, MFA required
      $e.security_result.rule_id = "50034" or
      $e.security_result.rule_id = "50053" or
      $e.security_result.rule_id = "50055" or
      $e.security_result.rule_id = "50057" or
      $e.security_result.rule_id = "50072" or
      $e.security_result.rule_id = "50076" or
      // On-prem Kerberos and NTLM failure descriptions normalized via Chronicle Windows parser
      re.regex($e.security_result.description,
        `(?i)(UserNameDoesNotExist|AccountLocked|AccountDisabled|PasswordExpired|client\s*not\s*found|0xc0000064|0xC0000072|0xC000006D|KDC_ERR_C_PRINCIPAL_UNKNOWN)`) or
      // Windows Event 4625 SubStatus via product_event_type
      ($e.metadata.product_event_type = "4625" and
        re.regex($e.security_result.description, `(?i)(0xc0000064|0xc0000072|0xc000006d)`)) or
      // Kerberos Event 4771
      ($e.metadata.product_event_type = "4771" and
        re.regex($e.security_result.description, `(?i)(0x0+6\b|0x18\b|0x0+18\b)`))
    )
    $e.principal.ip = $src_ip
    $e.target.user.userid = $username
    not net.ip_in_range_cidr($src_ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "::1/128")
    $username != "-"
    $username != ""
    $username != "ANONYMOUS LOGON"

  match:
    $src_ip over 1h

  outcome:
    $unique_user_count = count_distinct($username)
    $total_failures = count($e.metadata.id)
    $suspicion_level = if(
      $unique_user_count >= 100, "Critical",
      if($unique_user_count >= 50, "High",
        if($unique_user_count >= 15, "Medium", "Low")
      )
    )

  condition:
    #username >= 15
}

Chronicle YARA-L 2.0 detection for T1589 victim identity enumeration. Groups USER_LOGIN BLOCK events by source IP over a 1-hour rolling window and triggers when >=15 distinct target usernames are observed from the same IP. The `#username >= 15` condition counts distinct values bound to `$username` within the match window, equivalent to the KQL `dcount(UserPrincipalName) >= enumThreshold` predicate. Covers Azure AD Entra ID error codes (50034/50053/50055/50057/50072/50076) alongside on-prem Windows NTLM SubStatus and Kerberos failure codes via regex matching on normalized UDM `security_result.description`. Chronicle log types AZURE_AD, WINDOWS_AD, and MICROSOFT_365 are primary data sources. Outcome fields provide unique user count and suspicion scoring for alert enrichment.

high severity high confidence

Data Sources

Azure Active Directory / Entra ID (Chronicle AZURE_AD log type via Pub/Sub ingestion) Windows Security Event Log via Chronicle Forwarder (WINDOWS_AD log type) Microsoft 365 via Chronicle MICROSOFT_365 log type Okta or other IdP normalized to UDM USER_LOGIN events by Chronicle parsers

Required Tables

UDM events with metadata.event_type = USER_LOGIN Chronicle log type: AZURE_AD Chronicle log type: WINDOWS_AD Chronicle log type: MICROSOFT_365

False Positives

Authorized internal security tooling (SOAR enrichment, UEBA baseline collectors) that performs batch identity resolution against Azure AD or on-prem AD for alert context, generating many USER_LOGIN BLOCK events from a single internal service account host IP
SSO reverse proxies, WAFs, or application delivery controllers that forward authentication requests from many external users behind a single egress NAT address, causing the single-source grouping to aggregate what are actually distributed end-user failures
Automated provisioning or deprovisioning workflows (Workday, ServiceNow HR integrations) that verify account existence for large employee cohorts during onboarding or offboarding runs, producing sequential auth failures from a single orchestration host
Cloud application misconfigurations where a service principal retries authentication across multiple tenant IDs or user UPNs before failing over, producing multi-target failures from a single client IP within a short window
Security assessment platforms (Tenable Identity Exposure, Semperis DSP) performing continuous Active Directory health monitoring that incidentally generates authentication probes for discovered accounts

CrowdStrike LogScale (CQL)

cql

/* T1589 - Victim Identity Enumeration via Failed Authentication Burst Detection */
/* Scope: set query time picker to last 1 hour in LogScale UI or wrap in scheduled search */

// Primary signal: Falcon sensor on-prem Windows network logon failures
#event_simpleName = "UserLogonFailed2"
LogonType_decimal = 3
RemoteIP != "127.0.0.1"
RemoteIP != "::1"
RemoteIP != ""
| groupBy([RemoteIP], function=[
    count(as=fail_count),
    count(UserName, distinct=true, as=unique_users),
    collect([UserName], limit=25, as=user_list),
    min(@timestamp, as=first_seen_ms),
    max(@timestamp, as=last_seen_ms)
  ])
| where unique_users >= 15
| case {
    unique_users >= 100 | suspicion_score := "Critical";
    unique_users >= 50  | suspicion_score := "High";
    unique_users >= 15  | suspicion_score := "Medium"
  }
| duration_minutes := (last_seen_ms - first_seen_ms) / 60000
| enum_rate_per_min := unique_users / max(1.0, duration_minutes * 1.0)
| sort(field=unique_users, order=desc)
| select([RemoteIP, unique_users, fail_count, enum_rate_per_min, suspicion_score, user_list, duration_minutes, first_seen_ms, last_seen_ms])

CrowdStrike LogScale (Falcon Next-Gen SIEM) detection for T1589 victim identity enumeration using native Falcon sensor telemetry. Queries UserLogonFailed2 events filtered to network logon type 3 (lateral movement / remote auth) and groups by RemoteIP to identify sources probing >=15 distinct usernames within the query time window (set to 1 hour). This mirrors the Windows 4625/4771 SPL logic using Falcon sensor-native event names instead of Windows Security Event IDs. The enum_rate_per_min field enables velocity-based correlation. Suspicion scoring matches the reference: Critical >=100, High >=50, Medium >=15 unique usernames. For Falcon Horizon or CrowdStrike Identity Protection environments, extend with `#event_simpleName IN ["AuthActivityAuditEvent"]` and filter on cloud-specific failure reason codes to cover Azure AD / Okta / PingFederate identity enumeration paths. Requires Falcon sensor deployment with full telemetry enabled and LogScale ingest configured.

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor endpoint telemetry (UserLogonFailed2 events) CrowdStrike Falcon Identity Protection (IdP event stream for cloud identity failures) CrowdStrike Falcon Horizon / CSPM (AuthActivityAuditEvent for cloud control plane) Falcon LogScale / Next-Gen SIEM with Falcon Data Replicator (FDR) feed

Required Tables

#event_simpleName = UserLogonFailed2 #event_simpleName = AuthActivityAuditEvent (Falcon Horizon / Identity Protection) Falcon Data Replicator (FDR) event stream in LogScale

False Positives

Authorized red team engagements using tools such as Kerbrute, CrackMapExec, Rubeus, or Impacket performing Active Directory credential validation from internal hosts or VPN-connected attacker infrastructure — suppress during engagement windows by adding source IPs to a LogScale lookup table and filtering them out
IT asset management or endpoint management platforms (Microsoft SCCM, Tanium, Ivanti) that perform scheduled WMI or remote PowerShell authentication checks across large managed host populations using a shared service account, producing type-3 logon failures from a single management server IP
Enterprise backup platforms (Veeam, Cohesity, Rubrik) authenticating to many target hosts during backup job scheduling or data-protection policy enforcement, generating burst failures when backup credentials are stale or rotated without configuration updates
Network monitoring and performance management tools (SolarWinds, PRTG, Nagios) that probe Windows hosts via authenticated WMI or SMB polling on a recurring schedule, producing periodic bursts of authentication failures from the monitoring server IP when polled hosts are offline or credentials have changed
VPN concentrators, remote desktop gateways (RDG), or Citrix/VMware Horizon access brokers that proxy many end-user authentication attempts through a single internal forwarder IP, making distributed user failures appear as single-source enumeration in aggregated telemetry

Sigma rule & cross-platform mapping

The detection logic for Gather Victim Identity Information (T1589) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1589 Sigma rules on detection.fyi

Platform-specific guides for T1589

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Azure AD Username Enumeration via GetCredentialType API
Expected signal: Azure AD Sign-in Logs (AADSignInLogs) will show ResultType=50034 (UserNameDoesNotExist) for non-existent accounts. Successful lookups may show ResultType=0 or MFA-related codes. Source IP will be the test machine's public IP. Check Azure AD portal under Monitoring > Sign-in Logs filtering by the test domain.
Test 2On-Premises Active Directory Username Enumeration via Kerberos
Expected signal: Windows Security Event ID 4625 with SubStatus 0xc0000064 (user does not exist) on domain controller for each non-existent username tested. Event ID 4625 with SubStatus 0xc000006a (wrong password) for valid usernames. Event ID 4771 with Status 0x6 on DCs running Kerberos logging. Check DC Security event logs filtering: EventID=4625 AND (SubStatus=0xc0000064 OR SubStatus=0xc0000072).
Test 3SSPR Username Existence Probing via Azure AD Password Reset Flow
Expected signal: Azure AD Audit Logs will contain SSPR-related entries under 'Self-service password reset flow activity' and 'Verify email address phone number'. Check Azure portal: Azure Active Directory > Monitoring > Audit Logs, filter Activity='Reset password (self-service)' or 'Self-service password management'. In Sentinel: AuditLogs | where OperationName contains 'password' | where TimeGenerated > ago(1h)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1589 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Gather Victim Identity Information

What is T1589 Gather Victim Identity Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1589

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

What is T1589 Gather Victim Identity Information?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1589

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (3)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox