T1589 Splunk · SPL

Detect Gather Victim Identity Information in Splunk

This detection identifies adversary attempts to enumerate victim identity information—credentials, email addresses, and employee names—through active probing of authentication services and monitoring of downstream indicators of OSINT-driven targeting. Since T1589 is a PRE-ATT&CK technique occurring largely outside victim infrastructure, detection focuses on second-order observable signals: anomalous username enumeration via Azure AD sign-in failures with differential error codes (e.g., UserNameDoesNotExist vs. InvalidPassword), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from single sources against multiple distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have exploited these mechanisms to build target identity lists before launching phishing, credential stuffing, or social engineering campaigns.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1589 Gather Victim Identity Information
Canonical reference
https://attack.mitre.org/techniques/T1589/

SPL Detection Query

Splunk (SPL)

| union
  [search index=* sourcetype="WinEventLog:Security" EventCode=4625
   | eval SubStatus=coalesce(SubStatus,"unknown")
   | where SubStatus IN ("0xc0000064", "0xc0000072", "0xc000006d")
   | eval EnumSignal="UserNotFound_or_InvalidUser"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | where SourceIP != "127.0.0.1" AND SourceIP != "-" AND isnotnull(SourceIP)
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       values(SubStatus) as SubStatusList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, WorkstationName, EnumSignal
   | where UniqueUsers >= 10]
  [search index=* sourcetype="WinEventLog:Security" EventCode=4771
   | eval KerbErrorCode=coalesce(Status, "unknown")
   | where KerbErrorCode IN ("0x6", "0x18")
   | eval EnumSignal="Kerberos_UsernameNotFound"
   | eval SourceIP=coalesce(IpAddress, src_ip, "unknown")
   | stats
       count as FailCount,
       dc(TargetUserName) as UniqueUsers,
       values(TargetUserName) as UserList,
       min(_time) as FirstSeen,
       max(_time) as LastSeen
       by SourceIP, EnumSignal
   | where UniqueUsers >= 10]
| eval DurationSeconds=LastSeen-FirstSeen
| eval DurationMinutes=round(DurationSeconds/60,1)
| eval EnumRate=round(UniqueUsers/if(DurationMinutes=0,1,DurationMinutes),2)
| eval SuspicionScore=case(
    UniqueUsers >= 100, "Critical",
    UniqueUsers >= 50, "High",
    UniqueUsers >= 25, "Medium",
    true(), "Low"
  )
| where SuspicionScore IN ("Critical","High","Medium")
| eval FirstSeenHuman=strftime(FirstSeen,"%Y-%m-%d %H:%M:%S")
| eval LastSeenHuman=strftime(LastSeen,"%Y-%m-%d %H:%M:%S")
| table SourceIP, WorkstationName, EnumSignal, UniqueUsers, FailCount, EnumRate, SuspicionScore, UserList, FirstSeenHuman, LastSeenHuman
| sort - UniqueUsers
Severity: High · Confidence: Medium

Detects username enumeration via Windows Security Event ID 4625 (logon failure) filtered to SubStatus 0xc0000064 (user does not exist) and 4771 (Kerberos pre-auth failure with code 0x6 = user unknown), aggregated by source IP. Flags sources probing 10+ distinct usernames within the search window as identity reconnaissance activity.
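To sanity-check the thresholds outside Splunk, here is an added Python model of the same aggregation (example code written for this page, not part of the detection package or any vendor tool) run over constructed sample events; field names follow the XML-rendered Security events the SPL query expects, and the sample IPs, usernames and timestamps are made up.

```python
from collections import defaultdict

# Constructed sample telemetry (not real logs): one source probing 30 non-existent
# accounts via NTLM/LSA (4625), the same source hitting 12 unknown principals via
# Kerberos (4771), and a third source failing 40 times against a single valid user.
SAMPLE_EVENTS = (
    [{"EventCode": 4625, "SubStatus": "0xc0000064", "IpAddress": "10.0.0.5",
      "TargetUserName": f"user{i}", "_time": 1700000000 + i * 2} for i in range(30)]
    + [{"EventCode": 4771, "Status": "0x6", "IpAddress": "10.0.0.5",
        "TargetUserName": f"svc{i}", "_time": 1700000100 + i} for i in range(12)]
    + [{"EventCode": 4625, "SubStatus": "0xc000006a", "IpAddress": "10.0.0.9",
        "TargetUserName": "alice", "_time": 1700000000 + i} for i in range(40)]
)

ENUM_SUBSTATUS = {"0xc0000064", "0xc0000072", "0xc000006d"}  # 4625 branch of the SPL
ENUM_KERB_CODES = {"0x6", "0x18"}                            # 4771 branch of the SPL

def enum_signal(ev):
    """Same per-branch filters as the two subsearches; None means not an enumeration signal."""
    if ev.get("EventCode") == 4625 and ev.get("SubStatus", "unknown") in ENUM_SUBSTATUS:
        return "UserNotFound_or_InvalidUser"
    if ev.get("EventCode") == 4771 and ev.get("Status", "unknown") in ENUM_KERB_CODES:
        return "Kerberos_UsernameNotFound"
    return None

def score(unique_users):
    """SuspicionScore tiers from the query's case() expression."""
    return ("Critical" if unique_users >= 100 else "High" if unique_users >= 50
            else "Medium" if unique_users >= 25 else "Low")

def detect(events, min_users=10):
    """Group by (SourceIP, EnumSignal) like the stats ... by clause and score each group.
    Groups with fewer than min_users distinct targets are dropped, as in the subsearches;
    Low-scored groups are kept here so the effect of the query's final where is visible."""
    groups = defaultdict(lambda: {"users": set(), "count": 0, "first": None, "last": None})
    for ev in events:
        sig = enum_signal(ev)
        src = ev.get("IpAddress") or ev.get("src_ip") or "unknown"
        if sig is None or src in ("127.0.0.1", "-"):
            continue
        g = groups[(src, sig)]
        g["users"].add(ev["TargetUserName"])
        g["count"] += 1
        g["first"] = ev["_time"] if g["first"] is None else min(g["first"], ev["_time"])
        g["last"] = ev["_time"] if g["last"] is None else max(g["last"], ev["_time"])
    rows = []
    for (src, sig), g in groups.items():
        uniq = len(g["users"])
        if uniq < min_users:
            continue
        minutes = round((g["last"] - g["first"]) / 60, 1)
        rows.append({"SourceIP": src, "EnumSignal": sig, "UniqueUsers": uniq, "FailCount": g["count"],
                     "EnumRate": round(uniq / (minutes or 1), 2), "SuspicionScore": score(uniq)})
    return sorted(rows, key=lambda r: -r["UniqueUsers"])
```

Running `detect(SAMPLE_EVENTS)` shows that the 12-user Kerberos group scores Low, which the query's final `where SuspicionScore IN (...)` would discard despite passing the 10-user subsearch threshold, and that the 40 failures from 10.0.0.9 against one account never count because SubStatus 0xc000006a is outside the enumeration set.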

Data Sources

  • Windows Security Logs
  • Kerberos Authentication Logs

Required Sourcetypes

WinEventLog:Security

False Positives & Tuning

  • Authorized red team or penetration testing exercises performing username enumeration against domain controllers
  • Legacy applications using deprecated NTLM authentication cycling through stale credential stores
  • Backup agents or monitoring tools attempting authentication with outdated service account lists
  • IT help desk tools performing bulk account status checks during password reset workflows
  • Domain synchronization operations between AD forests with name resolution mismatches

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Azure AD Username Enumeration via GetCredentialType API

    Expected signal: Azure AD Sign-in Logs (AADSignInLogs) will show ResultType=50034 (UserNameDoesNotExist) for non-existent accounts. Successful lookups may show ResultType=0 or MFA-related codes. Source IP will be the test machine's public IP. Check Azure AD portal under Monitoring > Sign-in Logs filtering by the test domain.

  2. Test 2: On-Premises Active Directory Username Enumeration via Kerberos

    Expected signal: Windows Security Event ID 4625 with SubStatus 0xc0000064 (user does not exist) on domain controller for each non-existent username tested. Event ID 4625 with SubStatus 0xc000006a (wrong password) for valid usernames. Event ID 4771 with Status 0x6 on DCs running Kerberos logging. Check DC Security event logs filtering: EventID=4625 AND (SubStatus=0xc0000064 OR SubStatus=0xc0000072).

  3. Test 3: SSPR Username Existence Probing via Azure AD Password Reset Flow

    Expected signal: Azure AD Audit Logs will contain SSPR-related entries under 'Self-service password reset flow activity' and 'Verify email address phone number'. Check Azure portal: Azure Active Directory > Monitoring > Audit Logs, filter Activity='Reset password (self-service)' or 'Self-service password management'. In Sentinel: AuditLogs | where OperationName contains 'password' | where TimeGenerated > ago(1h)
