T1589 IBM QRadar · QRadar

Detect Gather Victim Identity Information in IBM QRadar

This detection identifies adversary attempts to enumerate victim identity information—credentials, email addresses, and employee names—through active probing of authentication services and monitoring of downstream indicators of OSINT-driven targeting. Since T1589 is a PRE-ATT&CK technique occurring largely outside victim infrastructure, detection focuses on second-order observable signals: anomalous username enumeration via Azure AD sign-in failures with differential error codes (e.g., UserNameDoesNotExist vs. InvalidPassword), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from single sources against multiple distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have exploited these mechanisms to build target identity lists before launching phishing, credential stuffing, or social engineering campaigns.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Canonical reference
https://attack.mitre.org/techniques/T1589/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  sourceip,
  COUNT(*) AS total_failures,
  UNIQUECOUNT(username) AS unique_usernames,
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) AS duration_minutes,
  /* usernames per minute; a zero-length window is treated as one minute to avoid division by zero */
  ROUND(
    LONG(UNIQUECOUNT(username)) /
    CASE
      WHEN ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) = 0 THEN 1
      ELSE ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1)
    END,
    2
  ) AS enum_rate_per_min,
  CASE
    WHEN UNIQUECOUNT(username) >= 100 THEN 'Critical'
    WHEN UNIQUECOUNT(username) >= 50  THEN 'High'
    WHEN UNIQUECOUNT(username) >= 15  THEN 'Medium'
    ELSE 'Low'
  END AS suspicion_score
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN (
    'Microsoft Windows Security Event Log',
    'Microsoft Active Directory'
  )
  AND (
    /* Windows 4625: SubStatus identifies non-existent user vs disabled vs generic failure.
       ILIKE is case-insensitive, so both 0xC0000064 and 0xc0000064 spellings match. */
    (
      CATEGORYNAME(category) LIKE '%Authentication%'
      AND CATEGORYNAME(category) LIKE '%Fail%'
      AND (
        UTF8(payload) ILIKE '%0xC0000064%'
        OR UTF8(payload) ILIKE '%0xC0000072%'
        OR UTF8(payload) ILIKE '%0xC000006D%'
      )
    )
    OR
    /* Kerberos 4771: 0x6 = client not found, 0x18 = wrong password; the difference between the two
       is the enumeration signal (the attacker learns which names exist) */
    (
      UTF8(payload) LIKE '%Kerberos%'
      AND (
        UTF8(payload) LIKE '%Failure Code:%0x6 %'
        OR UTF8(payload) LIKE '%Failure Code:%0x18 %'
        OR UTF8(payload) LIKE '%Failure Code: 0x6%'
        OR UTF8(payload) LIKE '%Failure Code: 0x18%'
      )
    )
  )
  /* drop loopback/unspecified sources and placeholder usernames that would distort the per-IP grouping */
  AND sourceip IS NOT NULL
  AND sourceip <> '127.0.0.1'
  AND sourceip <> '0.0.0.0'
  AND sourceip <> '::1'
  AND username IS NOT NULL
  AND username <> 'N/A'
  AND username <> '-'
  AND username <> 'ANONYMOUS LOGON'
GROUP BY sourceip
HAVING UNIQUECOUNT(username) >= 15
ORDER BY unique_usernames DESC
LAST 1 HOURS
```
high severity medium confidence

QRadar AQL detection for T1589 victim identity enumeration, correlating Windows authentication failure telemetry. It groups events from the Microsoft Windows Security Event Log and Microsoft Active Directory DSMs by source IP and applies a threshold of at least 15 distinct usernames over a 1-hour window. It filters on Event 4625 SubStatus codes that discriminate non-existent accounts (0xC0000064), disabled accounts (0xC0000072), and general logon failures (0xC000006D), and on Event 4771 Kerberos failure codes 0x6 (client not found) and 0x18 (wrong password). Suspicion scoring matches the SPL reference: Critical >=100, High >=50, Medium >=15 unique usernames. The enum_rate_per_min field enables rate-based escalation in downstream correlation rules.
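To check the rule's code filtering, per-source grouping, exclusions, rate computation and scoring offline before deploying it, the following Python replays the same logic over constructed 4625/4771 records. This is an added example written for this page, not code from the detection package or from QRadar; the line format, IP addresses and usernames are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Codes the AQL query keys on (lowercased): 4625 SubStatus and 4771 Kerberos failure codes.
CODES = {"4625": {"0xc0000064", "0xc0000072", "0xc000006d"}, "4771": {"0x6", "0x18"}}
EXCLUDED_IPS, EXCLUDED_USERS = {"127.0.0.1", "0.0.0.0", "::1"}, {"N/A", "-", "ANONYMOUS LOGON"}
# Constructed sample records (not real telemetry): 16 non-existent users probed from
# 10.0.0.5 one minute apart, two Kerberos failures from that host, and noise from 10.0.0.9.
SAMPLE_EVENTS = [
    f"2024-05-01 10:{i:02d}:00 EventID=4625 SubStatus=0xC0000064 SourceIP=10.0.0.5 User=probe{i:02d}"
    for i in range(16)
] + [
    "2024-05-01 10:05:00 EventID=4771 Failure Code: 0x6 SourceIP=10.0.0.5 User=svc-old",
    "2024-05-01 10:05:30 EventID=4771 Failure Code: 0x18 SourceIP=10.0.0.5 User=probe00",
    "2024-05-01 10:06:00 EventID=4625 SubStatus=0xC000006A SourceIP=10.0.0.9 User=carol",
    "2024-05-01 10:06:10 EventID=4625 SubStatus=0xC0000064 SourceIP=10.0.0.9 User=ANONYMOUS LOGON",
]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) "
    r"(?:SubStatus=(?P<sub>0x[0-9a-fA-F]+)|Failure Code: (?P<krb>0x[0-9a-fA-F]+)) "
    r"SourceIP=(?P<ip>\S+) User=(?P<user>.+)$")

def parse_enum_event(line):
    """Parsed record if the line carries an enumeration-relevant code, else None."""
    m = EVENT_RE.match(line)
    if m and (m["sub"] or m["krb"]).lower() in CODES.get(m["eid"], ()):
        return m.groupdict()
    return None
def suspicion_score(n):  # same thresholds as the AQL CASE expression
    return "Critical" if n >= 100 else "High" if n >= 50 else "Medium" if n >= 15 else "Low"
def aggregate(lines, threshold=15):
    # Group matching failures per source IP and emit the same columns as the AQL query.
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "times": []})
    for rec in filter(None, map(parse_enum_event, lines)):
        if rec["ip"] in EXCLUDED_IPS or rec["user"] in EXCLUDED_USERS:
            continue
        b = buckets[rec["ip"]]
        b["failures"] += 1
        b["users"].add(rec["user"])
        b["times"].append(datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S"))
    results = {}
    for ip, b in buckets.items():
        n = len(b["users"])
        if n < threshold:  # HAVING UNIQUECOUNT(username) >= 15
            continue
        minutes = round((max(b["times"]) - min(b["times"])).total_seconds() / 60, 1)
        results[ip] = {"total_failures": b["failures"], "unique_usernames": n, "duration_minutes": minutes,
                       "enum_rate_per_min": round(n / (minutes or 1), 2), "suspicion_score": suspicion_score(n)}
    return results
```

Running aggregate(SAMPLE_EVENTS) reports only 10.0.0.5, at Medium, because 10.0.0.9 produced one non-enumeration code and one excluded placeholder account.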

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM: Microsoft Windows Security Event Log)
  • Microsoft Active Directory DSM
  • Kerberos authentication log source mapped to the Windows Security DSM
  • QRadar Network Insights (NI) for network-layer authentication traffic correlation

Required Tables

events

False Positives & Tuning

  • Authorized red team or penetration testing engagements performing Active Directory enumeration from internal hosts using tools such as Kerbrute, CrackMapExec, or BloodHound — suppress by adding known test-range IPs to a QRadar reference set and excluding them in the WHERE clause
  • SIEM or log aggregator systems that consolidate authentication events from many endpoints and forward them under a single collector IP, causing the source IP grouping to accumulate unique usernames from disparate actual sources
  • Network Access Control (NAC) or 802.1X enforcement infrastructure sequentially authenticating many endpoints during a policy enforcement cycle or after a network topology change that forces mass reauthentication
  • Enterprise backup agents (Veeam, Commvault, Veritas) that authenticate via NTLM to many target hosts during backup scheduling, producing bursts of type-3 logon failures when service account credentials are rotated without updating the backup configuration
  • LDAP-integrated ticketing or provisioning systems (e.g., Jira, Confluence with AD auth) performing batch user validation against the directory as part of license reconciliation or group membership sync jobs
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that the AQL query above only consumes the Windows Security Event Log and Active Directory DSMs, so the Azure AD signals from Tests 1 and 3 will not trigger it unless Azure AD sign-in and audit logs are onboarded and the log source filter is extended to include them.

  1. Test 1: Azure AD Username Enumeration via GetCredentialType API

    Expected signal: Azure AD Sign-in Logs (AADSignInLogs) will show ResultType=50034 (UserNameDoesNotExist) for non-existent accounts. Successful lookups may show ResultType=0 or MFA-related codes. Source IP will be the test machine's public IP. Check Azure AD portal under Monitoring > Sign-in Logs filtering by the test domain.

  2. Test 2: On-Premises Active Directory Username Enumeration via Kerberos

    Expected signal: Windows Security Event ID 4625 with SubStatus 0xc0000064 (user does not exist) on the domain controller for each non-existent username tested, and Event ID 4625 with SubStatus 0xc000006a (wrong password) for valid usernames. Event ID 4771 with Failure Code 0x6 on DCs with Kerberos authentication auditing enabled. Check the DC Security event logs with the filter: EventID=4625 AND (SubStatus=0xc0000064 OR SubStatus=0xc0000072).

  3. Test 3: SSPR Username Existence Probing via Azure AD Password Reset Flow

    Expected signal: Azure AD Audit Logs will contain SSPR-related entries under 'Self-service password reset flow activity' and 'Verify email address phone number'. Check Azure portal: Azure Active Directory > Monitoring > Audit Logs, filter Activity='Reset password (self-service)' or 'Self-service password management'. In Sentinel: AuditLogs | where OperationName contains 'password' | where TimeGenerated > ago(1h)
