T1589 CrowdStrike LogScale · LogScale

Detect Gather Victim Identity Information in CrowdStrike LogScale

This detection identifies adversary attempts to enumerate victim identity information (credentials, email addresses, and employee names) through active probing of authentication services, together with downstream indicators that OSINT-driven targeting has begun. Since T1589 is a Reconnaissance technique (formerly PRE-ATT&CK) that largely takes place outside victim infrastructure, detection focuses on second-order observable signals: username enumeration via Azure AD sign-in failures that return different error codes for unknown and known accounts (UserAccountNotFound, AADSTS50034, versus InvalidUserNameOrPassword, AADSTS50126), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from a single source against many distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have gathered identity information this way to build target lists before launching phishing, credential stuffing, or social engineering campaigns.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Canonical reference
https://attack.mitre.org/techniques/T1589/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
/* T1589 - Victim Identity Enumeration via Failed Authentication Burst Detection */
/* Scope: set the query time picker to the last 1 hour in the LogScale UI, or run as a scheduled search over a 1h window */

// Primary signal: Falcon sensor Windows logon failures for network logons
// (LogonType 3 = SMB / RPC / WinRM style remote authentication, the type credential-validation tools produce)
#event_simpleName = "UserLogonFailed2"
LogonType_decimal = 3
// Drop loopback and empty sources. Field-name caveat: verify RemoteIP against your sensor version;
// some datasets carry the source address as RemoteAddressIP4 instead.
RemoteIP != "127.0.0.1"
RemoteIP != "::1"
RemoteIP != ""
// One row per remote source: total failures, distinct accounts, up to 25 sample names, and observed span
| groupBy([RemoteIP], function=[
    count(as=fail_count),
    count(UserName, distinct=true, as=unique_users),
    collect([UserName], limit=25),
    min(@timestamp, as=first_seen_ms),
    max(@timestamp, as=last_seen_ms)
  ])
| rename(field=UserName, as=user_list)
// Enumeration threshold: 15 or more distinct accounts from one source inside the window
// (LogScale has no `where`; a comparison on its own pipeline stage is the filter)
| unique_users >= 15
| case {
    unique_users >= 100 | suspicion_score := "Critical";
    unique_users >= 50  | suspicion_score := "High";
    unique_users >= 15  | suspicion_score := "Medium"
  }
| duration_minutes := (last_seen_ms - first_seen_ms) / 60000
// Floor the span at one minute so a sub-minute burst is not divided by (almost) zero;
// the trailing `*` keeps rows that already exceed one minute
| case { duration_minutes < 1 | duration_minutes := 1; * }
| enum_rate_per_min := unique_users / duration_minutes
| sort(field=unique_users, order=desc, limit=200)
| select([RemoteIP, unique_users, fail_count, enum_rate_per_min, suspicion_score, user_list, duration_minutes, first_seen_ms, last_seen_ms])
Severity: High · Confidence: Medium

CrowdStrike LogScale (Falcon Next-Gen SIEM) detection for T1589 victim identity enumeration using native Falcon sensor telemetry. The query reads UserLogonFailed2 events, keeps network logons (LogonType 3: SMB, RPC, WinRM and other remote authentication, which is what credential-validation tooling produces) and groups them by RemoteIP to find sources that failed against 15 or more distinct usernames inside the query window (set to 1 hour). This mirrors the Windows 4625/4771 version of the rule using Falcon sensor-native event names instead of Windows Security Event IDs. The enum_rate_per_min field (distinct users per minute, with the observed span floored at one minute so a sub-minute burst is not divided by zero) supports velocity-based correlation: a scripted enumeration tool produces many distinct names per minute, whereas a misconfigured service account repeats the same one or two. Suspicion scoring matches the reference: Critical >=100, High >=50, Medium >=15 unique usernames. Note that LogScale has no `where` keyword; a comparison such as `| unique_users >= 15` on its own pipeline stage is the filter. For Falcon Identity Protection or Falcon Horizon environments, widen the event selector with `in(#event_simpleName, values=["UserLogonFailed2", "AuthActivityAuditEvent"])` and filter on the cloud-specific failure reason fields to cover Azure AD / Okta / PingFederate identity enumeration paths. Requires Falcon sensor deployment with full telemetry enabled and LogScale ingest configured.
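The same grouping, threshold and scoring logic as the query, as an added Python example (not code from this page or from CrowdStrike) that can be run offline against exported or synthetic UserLogonFailed2 records to sanity-check the 15/50/100 thresholds and the per-minute rate before scheduling the search. The input shape (a list of dicts carrying event_simpleName, LogonType_decimal, RemoteIP, UserName and a millisecond timestamp) is an assumption, and the sample events are constructed.

```python
"""Offline re-implementation of the T1589 LogScale burst detector (added example, not page code).

Input records mirror the query's field names; the exact shape is an assumption, and
sample_events() returns constructed telemetry, not captured data.
"""
from collections import defaultdict

ENUM_THRESHOLD = 15
SCORE_BANDS = [(100, "Critical"), (50, "High"), (15, "Medium")]   # same bands as the query's case{}
EXCLUDED_SOURCES = {"127.0.0.1", "::1", ""}                        # loopback / empty RemoteIP


def score(unique_users):
    """Suspicion label for a distinct-user count, or None below the Medium band."""
    for floor, label in SCORE_BANDS:
        if unique_users >= floor:
            return label
    return None


def detect_enumeration(events, threshold=ENUM_THRESHOLD):
    """Group network-logon failures by RemoteIP; return rows for sources that failed
    against >= threshold distinct accounts, sorted by distinct-user count descending."""
    per_ip = defaultdict(lambda: {"fail_count": 0, "users": set(), "first": None, "last": None})
    for ev in events:
        if ev.get("event_simpleName") != "UserLogonFailed2":
            continue
        if ev.get("LogonType_decimal") != 3:          # network logons only
            continue
        ip = ev.get("RemoteIP", "")
        if ip in EXCLUDED_SOURCES:
            continue
        agg = per_ip[ip]
        agg["fail_count"] += 1
        agg["users"].add(ev["UserName"])
        ts = ev["timestamp"]
        agg["first"] = ts if agg["first"] is None else min(agg["first"], ts)
        agg["last"] = ts if agg["last"] is None else max(agg["last"], ts)

    rows = []
    for ip, agg in per_ip.items():
        unique = len(agg["users"])
        if unique < threshold:
            continue
        # floor the span at one minute, as the query does, so a burst is not divided by ~0
        duration_min = max(1.0, (agg["last"] - agg["first"]) / 60000)
        rows.append({
            "RemoteIP": ip,
            "unique_users": unique,
            "fail_count": agg["fail_count"],
            "enum_rate_per_min": round(unique / duration_min, 2),
            "suspicion_score": score(unique),
            "user_list": sorted(agg["users"])[:25],        # collect(limit=25) equivalent
            "duration_minutes": round(duration_min, 2),
        })
    rows.sort(key=lambda r: r["unique_users"], reverse=True)
    return rows


def sample_events():
    """Constructed telemetry: one spraying host, one user mistyping a password, loopback/interactive noise."""
    base = 1_700_000_000_000   # arbitrary epoch milliseconds
    events = []
    # 10.0.0.50 probes 60 distinct accounts, one every 5 s (span just under 5 min) -> High
    for i in range(60):
        events.append({"event_simpleName": "UserLogonFailed2", "LogonType_decimal": 3,
                       "RemoteIP": "10.0.0.50", "UserName": f"user{i:03d}", "timestamp": base + i * 5000})
    # 10.0.0.7: one real user, four wrong passwords -> below the distinct-user threshold
    for i in range(4):
        events.append({"event_simpleName": "UserLogonFailed2", "LogonType_decimal": 3,
                       "RemoteIP": "10.0.0.7", "UserName": "jsmith", "timestamp": base + i * 1000})
    # excluded by the filters: loopback source, and an interactive (LogonType 2) failure
    events.append({"event_simpleName": "UserLogonFailed2", "LogonType_decimal": 3,
                   "RemoteIP": "127.0.0.1", "UserName": "svc_local", "timestamp": base})
    events.append({"event_simpleName": "UserLogonFailed2", "LogonType_decimal": 2,
                   "RemoteIP": "10.0.0.50", "UserName": "console", "timestamp": base})
    return events


if __name__ == "__main__":
    for row in detect_enumeration(sample_events()):
        print(row)
```

Running the block prints a single row for 10.0.0.50 (60 distinct users, 60 failures, High, roughly 12 new names per minute); the single-user host and the excluded events never reach the output, which is the behaviour to expect from the LogScale query on the same data.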

Data Sources

  • CrowdStrike Falcon Sensor endpoint telemetry (UserLogonFailed2 events)
  • CrowdStrike Falcon Identity Protection (IdP event stream for cloud identity failures)
  • CrowdStrike Falcon Horizon / CSPM (AuthActivityAuditEvent for cloud control plane)
  • Falcon LogScale / Next-Gen SIEM with Falcon Data Replicator (FDR) feed

Required Tables

  • #event_simpleName = UserLogonFailed2
  • #event_simpleName = AuthActivityAuditEvent (Falcon Horizon / Identity Protection)
  • Falcon Data Replicator (FDR) event stream in LogScale

False Positives & Tuning

  • Authorized red team engagements using tools such as Kerbrute, CrackMapExec, Rubeus, or Impacket performing Active Directory credential validation from internal hosts or VPN-connected attacker infrastructure — suppress during engagement windows by adding source IPs to a LogScale lookup table and filtering them out
  • IT asset management or endpoint management platforms (Microsoft SCCM, Tanium, Ivanti) that perform scheduled WMI or remote PowerShell authentication checks across large managed host populations using a shared service account, producing type-3 logon failures from a single management server IP
  • Enterprise backup platforms (Veeam, Cohesity, Rubrik) authenticating to many target hosts during backup job scheduling or data-protection policy enforcement, generating burst failures when backup credentials are stale or rotated without configuration updates
  • Network monitoring and performance management tools (SolarWinds, PRTG, Nagios) that probe Windows hosts via authenticated WMI or SMB polling on a recurring schedule, producing periodic bursts of authentication failures from the monitoring server IP when polled hosts are offline or credentials have changed
  • VPN concentrators, remote desktop gateways (RDG), or Citrix/VMware Horizon access brokers that proxy many end-user authentication attempts through a single internal forwarder IP, making distributed user failures appear as single-source enumeration in aggregated telemetry

Testing Methodology

Validate this detection with the three test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Azure AD Username Enumeration via GetCredentialType API

    Expected signal: Azure AD Sign-in Logs (AADSignInLogs) show ResultType=50034 (UserAccountNotFound) for non-existent accounts and ResultType=50126 (InvalidUserNameOrPassword) or MFA-related codes for accounts that exist. Source IP will be the test machine's public IP. Check the Azure AD portal under Monitoring > Sign-in Logs, filtering by the test domain. Caveat: GetCredentialType is an unauthenticated endpoint whose response (IfExistsResult 0 = exists, 1 = not found) is not itself written to the sign-in log; the 50034 entries appear only when the enumeration tool follows the lookup with an actual credential attempt, so a tool that stops at the lookup leaves no sign-in log trail at all.

  2. Test 2: On-Premises Active Directory Username Enumeration via Kerberos

    Expected signal: for NTLM / network-logon probing, Windows Security Event ID 4625 with SubStatus 0xC0000064 (user name does not exist) on the domain controller for each non-existent username, and 0xC000006A (correct user name, wrong password) for valid usernames. For Kerberos AS-REQ probing (Kerbrute style) expect Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for non-existent principals and 4771 with Failure Code 0x18 (pre-authentication failed) when a password is also tried against a valid one; pure Kerberos probing produces no 4625. Both require the Audit Kerberos Authentication Service policy on the DCs. Note that SubStatus 0xC0000072 means the account is disabled, which still confirms to the prober that it exists. Check DC Security event logs with: EventID=4625 AND SubStatus=0xC0000064, or EventID=4768 AND ResultCode=0x6.

  3. Test 3: SSPR Username Existence Probing via Azure AD Password Reset Flow

    Expected signal: Azure AD Audit Logs will contain SSPR-related entries under the Self-service Password Management service, such as 'Self-service password reset flow activity' and the email address / phone number verification steps. Check the Azure portal: Azure Active Directory > Monitoring > Audit Logs, filter Activity='Reset password (self-service)' or Service='Self-service Password Management'. In Sentinel: AuditLogs | where OperationName contains 'password' | where TimeGenerated > ago(1h). Many reset attempts for distinct, mostly non-existent names from one IP in a short window are the enumeration indicator.
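Differential-response analysis for Tests 1 and 2 above (and the general pattern behind them), as an added Python example rather than code from this page or from CrowdStrike: it maps the Azure AD ResultType values and the Windows 4625 / 4768 / 4771 codes named in the tests to what each response tells the prober, then reports which source IPs have received both "user not found" and "account exists" answers across many distinct names, which is exactly the existence oracle T1589 relies on. The event dictionaries and field names (source, ip, account, EventID, SubStatus, ResultCode, FailureCode, ResultType) are simplified assumptions, and the sample events are constructed.

```python
"""Existence-oracle detection across Azure AD and on-prem AD failure codes (added example, not page code).

Event shapes are simplified assumptions; sample_events() is constructed, not captured telemetry.
"""
from collections import defaultdict

# What a failure code reveals to the prober about the account
USER_NOT_FOUND = "user_not_found"      # account does not exist
BAD_PASSWORD = "bad_password"          # account exists, wrong secret
ACCOUNT_BLOCKED = "account_blocked"    # exists but disabled / locked / expired
VALID_NEEDS_MFA = "valid_needs_mfa"    # exists and the password was correct

# Windows 4625 SubStatus (NTSTATUS) values
WIN_4625_SUBSTATUS = {
    0xC0000064: USER_NOT_FOUND, 0xC000006A: BAD_PASSWORD,
    0xC0000072: ACCOUNT_BLOCKED, 0xC0000234: ACCOUNT_BLOCKED, 0xC0000193: ACCOUNT_BLOCKED,
}
# Kerberos: 4768 result 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 4771 failure 0x18 = KDC_ERR_PREAUTH_FAILED
KRB_4768_RESULT = {0x6: USER_NOT_FOUND, 0x12: ACCOUNT_BLOCKED}
KRB_4771_FAILURE = {0x18: BAD_PASSWORD, 0x12: ACCOUNT_BLOCKED}
# Azure AD sign-in ResultType values
AAD_RESULT_TYPE = {
    50034: USER_NOT_FOUND, 50126: BAD_PASSWORD,
    50053: ACCOUNT_BLOCKED, 50057: ACCOUNT_BLOCKED, 50076: VALID_NEEDS_MFA,
}


def classify(ev):
    """Outcome leaked by one failure event, or None for codes this example does not map."""
    if ev["source"] == "windows":
        if ev["EventID"] == 4625:
            return WIN_4625_SUBSTATUS.get(ev["SubStatus"])
        if ev["EventID"] == 4768:
            return KRB_4768_RESULT.get(ev["ResultCode"])
        if ev["EventID"] == 4771:
            return KRB_4771_FAILURE.get(ev["FailureCode"])
    if ev["source"] == "aad":
        return AAD_RESULT_TYPE.get(ev["ResultType"])
    return None


def enumeration_report(events, min_accounts=15):
    """Per source IP: distinct accounts probed and which ones the responses confirmed as real.

    A source that probed >= min_accounts names and got at least one 'not found' next to at
    least one 'exists' answer has a working existence oracle (flagged as oracle=True)."""
    probed = defaultdict(dict)            # ip -> {account (lower-cased): last outcome}
    for ev in events:
        outcome = classify(ev)
        if outcome is None:
            continue
        probed[ev["ip"]][ev["account"].lower()] = outcome
    report = {}
    for ip, accounts in probed.items():
        not_found = [a for a, o in accounts.items() if o == USER_NOT_FOUND]
        confirmed = sorted(a for a, o in accounts.items() if o != USER_NOT_FOUND)
        report[ip] = {
            "probed": len(accounts),
            "not_found": len(not_found),
            "confirmed_existing": confirmed,
            "oracle": len(accounts) >= min_accounts and bool(not_found) and bool(confirmed),
        }
    return report


def sample_events():
    """Constructed: an Azure AD prober with an oracle, an on-prem NTLM+Kerberos prober, one user typo."""
    ev = []
    # 203.0.113.9 tries 20 names against Azure AD: 16 unknown, 3 exist (wrong password), 1 exists and hit MFA
    for i in range(16):
        ev.append({"source": "aad", "ip": "203.0.113.9", "account": f"ghost{i}@corp.example", "ResultType": 50034})
    for name in ("a.lee", "b.chan", "c.diaz"):
        ev.append({"source": "aad", "ip": "203.0.113.9", "account": f"{name}@corp.example", "ResultType": 50126})
    ev.append({"source": "aad", "ip": "203.0.113.9", "account": "d.ruiz@corp.example", "ResultType": 50076})
    # 10.0.0.50 sprays 12 names on-prem: 6 unknown via NTLM (4625), 4 unknown via Kerberos (4768), 2 valid (4771)
    for i in range(6):
        ev.append({"source": "windows", "ip": "10.0.0.50", "account": f"ghost{i}", "EventID": 4625, "SubStatus": 0xC0000064})
    for i in range(6, 10):
        ev.append({"source": "windows", "ip": "10.0.0.50", "account": f"ghost{i}", "EventID": 4768, "ResultCode": 0x6})
    for name in ("A.Lee", "b.chan"):
        ev.append({"source": "windows", "ip": "10.0.0.50", "account": name, "EventID": 4771, "FailureCode": 0x18})
    # 10.0.0.7: one real user, two wrong passwords, nothing learned about other accounts
    for _ in range(2):
        ev.append({"source": "windows", "ip": "10.0.0.7", "account": "jsmith", "EventID": 4625, "SubStatus": 0xC000006A})
    return ev


if __name__ == "__main__":
    for ip, row in enumeration_report(sample_events()).items():
        print(ip, row)
```

With the default threshold only 203.0.113.9 is flagged; the on-prem prober probed 12 names and is flagged once min_accounts is lowered to 10, which is the knob to tune against the false-positive sources listed earlier. The confirmed_existing list is the defender's view of what the adversary now holds: the validated names that feed the follow-on phishing or credential-stuffing campaign.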
