T1589

Gather Victim Identity Information

This detection identifies adversary attempts to enumerate victim identity information—credentials, email addresses, and employee names—through active probing of authentication services and monitoring of downstream indicators of OSINT-driven targeting. Since T1589 is a PRE-ATT&CK technique occurring largely outside victim infrastructure, detection focuses on second-order observable signals: anomalous username enumeration via Azure AD sign-in failures with differential error codes (e.g., UserNameDoesNotExist vs. InvalidPassword), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from single sources against multiple distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have exploited these mechanisms to build target identity lists before launching phishing, credential stuffing, or social engineering campaigns.

Microsoft Sentinel / Defender

kusto

let lookback = 1h;
let enumThreshold = 15;
// Primary: Azure AD username enumeration via differential auth error codes
let AzureADEnum = AADSignInLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50034", "50053", "50055", "50057", "50072", "50076")
// 50034=UserNameDoesNotExist, 50053=AccountLocked, 50055=PasswordExpired, 50057=AccountDisabled
| extend 
    IsUsernameNotFound = iff(ResultType == "50034", 1, 0),
    IsLockedOrDisabled = iff(ResultType in ("50053", "50057"), 1, 0)
| summarize 
    TotalFailures = count(),
    UniqueUsernames = dcount(UserPrincipalName),
    UsernameNotFoundCount = sum(IsUsernameNotFound),
    LockedDisabledCount = sum(IsLockedOrDisabled),
    UserList = make_set(UserPrincipalName, 25),
    ErrorCodes = make_set(ResultType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, AppDisplayName, ResultDescription
| where UniqueUsernames >= enumThreshold
| extend 
    DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen),
    EnumRate = round(todouble(UniqueUsernames) / iff(datetime_diff('minute', LastSeen, FirstSeen) == 0, 1, todouble(datetime_diff('minute', LastSeen, FirstSeen))), 2),
    SuspicionScore = case(
        UniqueUsernames >= 100, "Critical",
        UniqueUsernames >= 50 or UsernameNotFoundCount >= 30, "High",
        UniqueUsernames >= 15, "Medium",
        "Low"
    )
| project 
    DetectionTime = LastSeen,
    IPAddress,
    AppDisplayName,
    UniqueUsernames,
    TotalFailures,
    UsernameNotFoundCount,
    EnumRate,
    SuspicionScore,
    UserList,
    ErrorCodes,
    DurationMinutes
| order by UniqueUsernames desc;
// Secondary: SSPR abuse for identity enumeration
let SSPREnum = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Reset password (self-service)", "Self-service password reset flow activity", "Verify email address phone number")
| where ResultReason contains "blocked" or ResultReason contains "failed" or ActivityDisplayName contains "verify"
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(IPAddress)
| summarize
    SSPRAttempts = count(),
    UniqueTargets = dcount(tostring(TargetResources[0].userPrincipalName)),
    TargetList = make_set(tostring(TargetResources[0].userPrincipalName), 25),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress
| where UniqueTargets >= 10
| extend DetectionType = "SSPR_Enumeration", SuspicionScore = iff(UniqueTargets >= 25, "High", "Medium")
| project DetectionTime = LastSeen, IPAddress, UniqueTargets, SSPRAttempts, SuspicionScore, TargetList;
// Union both detection signals
AzureADEnum
| extend DetectionType = "Auth_Username_Enumeration"
| union (SSPREnum | extend UniqueUsernames = UniqueTargets, TotalFailures = SSPRAttempts, UserList = TargetList, UsernameNotFoundCount = 0, EnumRate = 0.0, ErrorCodes = dynamic(["SSPR"]), DurationMinutes = 0)
| order by SuspicionScore asc, UniqueUsernames desc

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID

Required Tables

AADSignInLogs AuditLogs

False Positives

Penetration testing engagements performing authorized username enumeration against Azure AD tenants
Misconfigured applications cycling through user lists for automated login (e.g., legacy SSO, misconfigured service accounts)
Employee self-service helpdesk tools that probe SSPR status for multiple users during bulk account operations
Password expiration notification systems contacting multiple accounts in rapid succession
IT onboarding scripts performing bulk account validation during directory synchronization

Splunk

spl

| union
  [search index=* sourcetype="WinEventLog:Security" EventCode=4625
   | eval SubStatus=coalesce(SubStatus,"unknown")
   | where SubStatus IN ("0xc0000064", "0xc0000072", "0xc000006d")
   | eval EnumSignal="UserNotFound_or_InvalidUser"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | where SourceIP != "127.0.0.1" AND SourceIP != "-" AND isnotnull(SourceIP)
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       values(SubStatus) as SubStatusList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, WorkstationName, EnumSignal
   | where UniqueUsers >= 10]
  [search index=* sourcetype="WinEventLog:Security" EventCode=4771
   | eval KerbErrorCode=coalesce(Status, "unknown")
   | where KerbErrorCode IN ("0x6", "0x18")
   | eval EnumSignal="Kerberos_UsernameNotFound"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, EnumSignal
   | where UniqueUsers >= 10]
| eval DurationSeconds=LastSeen-FirstSeen
| eval DurationMinutes=round(DurationSeconds/60,1)
| eval EnumRate=round(UniqueUsers/if(DurationMinutes=0,1,DurationMinutes),2)
| eval SuspicionScore=case(
    UniqueUsers >= 100, "Critical",
    UniqueUsers >= 50, "High",
    UniqueUsers >= 25, "Medium",
    "Low"
  )
| where SuspicionScore IN ("Critical","High","Medium")
| eval FirstSeenHuman=strftime(FirstSeen,"%Y-%m-%d %H:%M:%S")
| eval LastSeenHuman=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")
| table SourceIP, WorkstationName, EnumSignal, UniqueUsers, FailCount, EnumRate, SuspicionScore, UserList, FirstSeenHuman, LastSeenHuman
| sort - UniqueUsers

high severity medium confidence

Data Sources

Windows Security Logs Kerberos Authentication Logs

Required Sourcetypes

WinEventLog:Security

False Positives

Authorized red team or penetration testing exercises performing username enumeration against domain controllers
Legacy applications using deprecated NTLM authentication cycling through stale credential stores
Backup agents or monitoring tools attempting authentication with outdated service account lists
IT help desk tools performing bulk account status checks during password reset workflows
Domain synchronization operations between AD forests with name resolution mismatches

Elastic Security (EQL)

eql

/* T1589 - Victim Identity Enumeration via Differential Auth Error Codes */
/* Deploy as Threshold rule type: count_distinct(user.name) >= 15 grouped by source.ip over 1h */
any where
  (
    /* Azure AD / Entra ID sign-in failure via Elastic Azure integration */
    event.dataset == "azure.signinlogs" and
    event.outcome == "failure" and
    azure.signinlogs.properties.status.error_code in (50034, 50053, 50055, 50057, 50072, 50076) and
    source.ip != null and source.ip != "" and
    user.name != null and user.name != ""
  ) or (
    /* On-prem Windows NTLM logon failure - username does not exist or account disabled */
    event.code == "4625" and
    event.outcome == "failure" and
    winlog.event_data.SubStatus in (
      "0xc0000064", "0xC0000064",
      "0xc0000072", "0xC0000072",
      "0xc000006d", "0xC000006D"
    ) and
    source.ip != null and
    not cidr_match(source.ip, "127.0.0.0/8", "::1/128") and
    winlog.event_data.TargetUserName != null and
    winlog.event_data.TargetUserName != "-" and
    winlog.event_data.TargetUserName != "ANONYMOUS LOGON"
  ) or (
    /* Kerberos pre-auth failure - 0x6=ClientNotFound, 0x18=PasswordMismatch */
    event.code == "4771" and
    event.outcome == "failure" and
    winlog.event_data.Status in ("0x6", "0x18") and
    source.ip != null and
    not cidr_match(source.ip, "127.0.0.0/8", "::1/128") and
    winlog.event_data.TargetUserName != null and
    winlog.event_data.TargetUserName != "-"
  )

high severity high confidence

Data Sources

Azure Active Directory Sign-In Logs via Elastic Azure integration (azure.signinlogs) Windows Security Event Log via Winlogbeat or Elastic Agent (winlog) Elastic Agent with System integration (system.security) Microsoft 365 Defender data forwarded via Elastic integration

Required Tables

logs-azure.signinlogs-* logs-system.security-* winlogbeat-* .ds-logs-system.security-*

False Positives

Authorized penetration testing or red team exercises performing Active Directory account enumeration from known internal jump hosts or CIDR ranges — create rule exceptions for pre-approved test source IPs during engagement windows
Legacy enterprise applications (ERP, ITSM) with hardcoded service account credential arrays that rotate through dozens of accounts during startup or scheduled synchronization jobs, producing burst authentication failures from a single host IP
Helpdesk and IAM provisioning platforms (ServiceNow, SailPoint, Saviynt) that validate username existence across large employee batches during bulk onboarding or offboarding processing cycles
Password expiry notification services that probe account status for all users nearing expiry and generate incidental authentication failures for already-expired or locked accounts
Security operations tooling such as SOAR playbooks or UEBA enrichment services that query identity providers to resolve user context for unrelated alerts, producing spurious failures against inactive or service accounts

IBM QRadar (AQL)

sql

SELECT
  sourceip,
  COUNT(*) AS total_failures,
  COUNT(DISTINCT username) AS unique_usernames,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) AS duration_minutes,
  ROUND(
    LONG(COUNT(DISTINCT username)) /
    CASE
      WHEN ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) = 0 THEN 1
      ELSE ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1)
    END,
    2
  ) AS enum_rate_per_min,
  CASE
    WHEN COUNT(DISTINCT username) >= 100 THEN 'Critical'
    WHEN COUNT(DISTINCT username) >= 50  THEN 'High'
    WHEN COUNT(DISTINCT username) >= 15  THEN 'Medium'
    ELSE 'Low'
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Active Directory'
  )
  AND (
    /* Windows 4625: SubStatus identifies non-existent user vs disabled vs generic failure */
    (
      CATEGORYNAME(category) LIKE '%Authentication%'
      AND CATEGORYNAME(category) LIKE '%Fail%'
      AND (
        UTF8(payload) LIKE '%0xC0000064%'
        OR UTF8(payload) LIKE '%0xc0000064%'
        OR UTF8(payload) LIKE '%0xC0000072%'
        OR UTF8(payload) LIKE '%0xc0000072%'
        OR UTF8(payload) LIKE '%0xC000006D%'
        OR UTF8(payload) LIKE '%0xc000006d%'
      )
    )
    OR
    /* Kerberos 4771: 0x6=client not found, 0x18=wrong password — differential enumeration signal */
    (
      UTF8(payload) LIKE '%Kerberos%'
      AND (
        UTF8(payload) LIKE '%Failure Code:%0x6 %'
        OR UTF8(payload) LIKE '%Failure Code:%0x18 %'
        OR UTF8(payload) LIKE '%Failure Code: 0x6%'
        OR UTF8(payload) LIKE '%Failure Code: 0x18%'
      )
    )
  )
  AND sourceip IS NOT NULL
  AND sourceip <> '127.0.0.1'
  AND sourceip <> '0.0.0.0'
  AND sourceip <> '::1'
  AND username IS NOT NULL
  AND username <> 'N/A'
  AND username <> '-'
  AND username <> 'ANONYMOUS LOGON'
GROUP BY sourceip
HAVING COUNT(DISTINCT username) >= 15
ORDER BY unique_usernames DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM: Microsoft Windows Security Event Log) Microsoft Active Directory DSM Kerberos authentication log source mapped to Windows Security DSM QRadar Network Insights (NI) for network-layer authentication traffic correlation

Required Tables

events

False Positives

Authorized red team or penetration testing engagements performing Active Directory enumeration from internal hosts using tools such as Kerbrute, CrackMapExec, or BloodHound — suppress by adding known test-range IPs to a QRadar reference set and excluding them in the WHERE clause
SIEM or log aggregator systems that consolidate authentication events from many endpoints and forward them under a single collector IP, causing the source IP grouping to accumulate unique usernames from disparate actual sources
Network Access Control (NAC) or 802.1X enforcement infrastructure sequentially authenticating many endpoints during a policy enforcement cycle or after a network topology change that forces mass reauthentication
Enterprise backup agents (Veeam, Commvault, Veritas) that authenticate via NTLM to many target hosts during backup scheduling, producing bursts of type-3 logon failures when service account credentials are rotated without updating the backup configuration
LDAP-integrated ticketing or provisioning systems (e.g., Jira, Confluence with AD auth) performing batch user validation against the directory as part of license reconciliation or group membership sync jobs

Sumo Logic CSE

sql

/* T1589 - Victim Identity Enumeration via Authentication Failure Error Code Analysis */
(_sourceCategory=*windows*security* OR _sourceCategory=*WinEventLog*Security* OR _sourceCategory=*os/windows/security*)
| where EventCode in ("4625", "4771")
/* Extract SubStatus for NTLM/interactive failures (4625) */
| parse regex "(?i)Sub\s*Status[^:]*:\s*(?P<SubStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract Kerberos failure code (4771) */
| parse regex "(?i)Failure Code[^:]*:\s*(?P<KerbStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract target username */
| parse regex "(?i)Account Name[^:]*:\s*(?P<TargetUserName>[^\r\n]+)" nodrop
/* Extract source IP from NTLM logon */
| parse regex "(?i)Source Network Address[^:]*:\s*(?P<SourceIPRaw>[^\r\n]+)" nodrop
/* Extract Kerberos client address, strip IPv4-mapped prefix */
| parse regex "(?i)Client Address[^:]*:\s*(?:::ffff:)?(?P<KerbIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop
| eval SourceIP = if(isNull(SourceIPRaw) OR SourceIPRaw == "-" OR SourceIPRaw == "", KerbIP, SourceIPRaw)
/* Apply differential error code filter — these codes uniquely identify enumeration vs normal failure */
| where
  (EventCode == "4625" AND SubStatus in ("0xc0000064", "0xC0000064", "0xc0000072", "0xC0000072", "0xc000006d", "0xC000006D"))
  OR (EventCode == "4771" AND KerbStatus in ("0x6", "0x18"))
| where !isNull(SourceIP) AND SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1"
| where !isNull(TargetUserName) AND TargetUserName != "-" AND TargetUserName != "ANONYMOUS LOGON" AND TargetUserName != ""
| timeslice 1h
| stats count as fail_count, count_distinct(TargetUserName) as unique_users, values(TargetUserName) as user_list by SourceIP, EventCode, _timeslice
| where unique_users >= 15
| eval suspicion_score = if(unique_users >= 100, "Critical", if(unique_users >= 50, "High", if(unique_users >= 15, "Medium", "Low")))
| where suspicion_score in ("Critical", "High", "Medium")
| sort by unique_users desc
| fields SourceIP, EventCode, unique_users, fail_count, suspicion_score, user_list, _timeslice

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Windows Event Log source) Windows Security Event Log via Sumo Logic OpenTelemetry Collector (otelcol) Splunk Universal Forwarder with Sumo Logic HTTP Source endpoint (for hybrid deployments) Sumo Logic Cloud SIEM (CSE) with Windows normalized schema

Required Tables

Windows Event Log source (_sourceCategory=*windows*security*) Sumo Logic Installed Collector with Windows Security Event Log source type

False Positives

Authorized penetration testing or tabletop exercise teams running tools such as Kerbrute, Rubeus, or Impacket from internal or DMZ segments — confirm with security team calendar and suppress by source IP during engagement
Enterprise single sign-on (SSO) reverse proxies or application delivery controllers (F5 APM, Citrix ADC) that source all authentication traffic from a VIP address, making thousands of end-user failures appear as single-IP enumeration
IT operations bulk password reset tooling (e.g., Active Roles, Quest, PowerShell scripts) executed during incident response that touches many accounts in rapid succession from an admin workstation or jump server
Third-party HR or identity lifecycle management systems (Workday, SAP SuccessFactors connectors) performing nightly user reconciliation against Active Directory and generating failures for stale or pre-provisioned accounts
Legacy Kerberos-integrated applications that do not cache service tickets and re-authenticate frequently, producing high-volume 4771 events when service account passwords are rotated or DES/RC4 downgrade issues trigger repeated failures

Google Chronicle / SecOps

yaral

rule t1589_victim_identity_enumeration {
  meta:
    author = "Security Operations"
    description = "Detects adversary username enumeration via differential authentication error codes (T1589 — Gather Victim Identity Information). Triggers when a single source IP probes >= 15 distinct account names within 1 hour using auth error codes that distinguish non-existent from valid-but-failed accounts. Covers Azure AD sign-in codes and on-prem Windows/Kerberos failures normalized to UDM."
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1589"
    mitre_attack_subtechnique = "T1589.001"
    reference = "https://attack.mitre.org/techniques/T1589/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "BLOCK"
    (
      // Azure AD / Entra ID error codes — UserNameDoesNotExist, AccountLocked, AccountDisabled, PasswordExpired, MFA required
      $e.security_result.rule_id = "50034" or
      $e.security_result.rule_id = "50053" or
      $e.security_result.rule_id = "50055" or
      $e.security_result.rule_id = "50057" or
      $e.security_result.rule_id = "50072" or
      $e.security_result.rule_id = "50076" or
      // On-prem Kerberos and NTLM failure descriptions normalized via Chronicle Windows parser
      re.regex($e.security_result.description,
        `(?i)(UserNameDoesNotExist|AccountLocked|AccountDisabled|PasswordExpired|client\s*not\s*found|0xc0000064|0xC0000072|0xC000006D|KDC_ERR_C_PRINCIPAL_UNKNOWN)`) or
      // Windows Event 4625 SubStatus via product_event_type
      ($e.metadata.product_event_type = "4625" and
        re.regex($e.security_result.description, `(?i)(0xc0000064|0xc0000072|0xc000006d)`)) or
      // Kerberos Event 4771
      ($e.metadata.product_event_type = "4771" and
        re.regex($e.security_result.description, `(?i)(0x0+6\b|0x18\b|0x0+18\b)`))
    )
    $e.principal.ip = $src_ip
    $e.target.user.userid = $username
    not net.ip_in_range_cidr($src_ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($src_ip, "::1/128")
    $username != "-"
    $username != ""
    $username != "ANONYMOUS LOGON"

  match:
    $src_ip over 1h

  outcome:
    $unique_user_count = count_distinct($username)
    $total_failures = count($e.metadata.id)
    $suspicion_level = if(
      $unique_user_count >= 100, "Critical",
      if($unique_user_count >= 50, "High",
        if($unique_user_count >= 15, "Medium", "Low")
      )
    )

  condition:
    #username >= 15
}

high severity high confidence

Data Sources

Azure Active Directory / Entra ID (Chronicle AZURE_AD log type via Pub/Sub ingestion) Windows Security Event Log via Chronicle Forwarder (WINDOWS_AD log type) Microsoft 365 via Chronicle MICROSOFT_365 log type Okta or other IdP normalized to UDM USER_LOGIN events by Chronicle parsers

Required Tables

UDM events with metadata.event_type = USER_LOGIN Chronicle log type: AZURE_AD Chronicle log type: WINDOWS_AD Chronicle log type: MICROSOFT_365

False Positives

Authorized internal security tooling (SOAR enrichment, UEBA baseline collectors) that performs batch identity resolution against Azure AD or on-prem AD for alert context, generating many USER_LOGIN BLOCK events from a single internal service account host IP
SSO reverse proxies, WAFs, or application delivery controllers that forward authentication requests from many external users behind a single egress NAT address, causing the single-source grouping to aggregate what are actually distributed end-user failures
Automated provisioning or deprovisioning workflows (Workday, ServiceNow HR integrations) that verify account existence for large employee cohorts during onboarding or offboarding runs, producing sequential auth failures from a single orchestration host
Cloud application misconfigurations where a service principal retries authentication across multiple tenant IDs or user UPNs before failing over, producing multi-target failures from a single client IP within a short window
Security assessment platforms (Tenable Identity Exposure, Semperis DSP) performing continuous Active Directory health monitoring that incidentally generates authentication probes for discovered accounts

CrowdStrike LogScale (CQL)

cql

/* T1589 - Victim Identity Enumeration via Failed Authentication Burst Detection */
/* Scope: set query time picker to last 1 hour in LogScale UI or wrap in scheduled search */

// Primary signal: Falcon sensor on-prem Windows network logon failures
#event_simpleName = "UserLogonFailed2"
LogonType_decimal = 3
RemoteIP != "127.0.0.1"
RemoteIP != "::1"
RemoteIP != ""
| groupBy([RemoteIP], function=[
    count(as=fail_count),
    count(UserName, distinct=true, as=unique_users),
    collect([UserName], limit=25, as=user_list),
    min(@timestamp, as=first_seen_ms),
    max(@timestamp, as=last_seen_ms)
  ])
| where unique_users >= 15
| case {
    unique_users >= 100 | suspicion_score := "Critical";
    unique_users >= 50  | suspicion_score := "High";
    unique_users >= 15  | suspicion_score := "Medium"
  }
| duration_minutes := (last_seen_ms - first_seen_ms) / 60000
| enum_rate_per_min := unique_users / max(1.0, duration_minutes * 1.0)
| sort(field=unique_users, order=desc)
| select([RemoteIP, unique_users, fail_count, enum_rate_per_min, suspicion_score, user_list, duration_minutes, first_seen_ms, last_seen_ms])

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor endpoint telemetry (UserLogonFailed2 events) CrowdStrike Falcon Identity Protection (IdP event stream for cloud identity failures) CrowdStrike Falcon Horizon / CSPM (AuthActivityAuditEvent for cloud control plane) Falcon LogScale / Next-Gen SIEM with Falcon Data Replicator (FDR) feed

Required Tables

#event_simpleName = UserLogonFailed2 #event_simpleName = AuthActivityAuditEvent (Falcon Horizon / Identity Protection) Falcon Data Replicator (FDR) event stream in LogScale

False Positives

Authorized red team engagements using tools such as Kerbrute, CrackMapExec, Rubeus, or Impacket performing Active Directory credential validation from internal hosts or VPN-connected attacker infrastructure — suppress during engagement windows by adding source IPs to a LogScale lookup table and filtering them out
IT asset management or endpoint management platforms (Microsoft SCCM, Tanium, Ivanti) that perform scheduled WMI or remote PowerShell authentication checks across large managed host populations using a shared service account, producing type-3 logon failures from a single management server IP
Enterprise backup platforms (Veeam, Cohesity, Rubrik) authenticating to many target hosts during backup job scheduling or data-protection policy enforcement, generating burst failures when backup credentials are stale or rotated without configuration updates
Network monitoring and performance management tools (SolarWinds, PRTG, Nagios) that probe Windows hosts via authenticated WMI or SMB polling on a recurring schedule, producing periodic bursts of authentication failures from the monitoring server IP when polled hosts are offline or credentials have changed
VPN concentrators, remote desktop gateways (RDG), or Citrix/VMware Horizon access brokers that proxy many end-user authentication attempts through a single internal forwarder IP, making distributed user failures appear as single-source enumeration in aggregated telemetry

Last updated: 2026-04-13 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1589 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Gather Victim Identity Information

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Reconnaissance

Popular Detections