Detect Gather Victim Identity Information in Sumo Logic CSE
This detection identifies adversary attempts to enumerate victim identity information—credentials, email addresses, and employee names—through active probing of authentication services and monitoring of downstream indicators of OSINT-driven targeting. Since T1589 is a PRE-ATT&CK technique occurring largely outside victim infrastructure, detection focuses on second-order observable signals: anomalous username enumeration via Azure AD sign-in failures with differential error codes (e.g., UserNameDoesNotExist vs. InvalidPassword), Self-Service Password Reset (SSPR) flow abuse, high-volume authentication probing from single sources against multiple distinct accounts, and MFA method enumeration patterns. Groups such as LAPSUS$, Scattered Spider, and HEXANE have exploited these mechanisms to build target identity lists before launching phishing, credential stuffing, or social engineering campaigns.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1589 Gather Victim Identity Information
- Canonical reference: https://attack.mitre.org/techniques/T1589/
Sumo Detection Query
/* T1589 - Victim Identity Enumeration via Authentication Failure Error Code Analysis */
(_sourceCategory=*windows*security* OR _sourceCategory=*WinEventLog*Security* OR _sourceCategory=*os/windows/security*)
| where EventCode in ("4625", "4771")
/* Extract SubStatus for NTLM/interactive failures (4625). Sumo parse regex uses Java syntax, so named groups are (?<name>...), not (?P<name>...) */
| parse regex "(?i)Sub\s*Status[^:]*:\s*(?<SubStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract Kerberos failure code (4771) */
| parse regex "(?i)Failure Code[^:]*:\s*(?<KerbStatus>0x[0-9A-Fa-f]+)" nodrop
/* Extract target username. 4625 lists Account Name twice (Subject, then Account For Which Logon Failed); the lookahead takes the last occurrence so the Subject value "-" does not shadow the target account */
| parse regex "(?i)Account Name[^:]*:\s*(?<TargetUserName>[^\r\n]+)(?![\s\S]*Account Name)" nodrop
/* Extract source IP from NTLM logon */
| parse regex "(?i)Source Network Address[^:]*:\s*(?<SourceIPRaw>[^\r\n]+)" nodrop
/* Extract Kerberos client address, strip IPv4-mapped prefix */
| parse regex "(?i)Client Address[^:]*:\s*(?:::ffff:)?(?<KerbIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" nodrop
/* Prefer the NTLM address, fall back to the Kerberos client address (Sumo assigns with "... as field", there is no eval) */
| if(isNull(SourceIPRaw) OR SourceIPRaw = "-" OR SourceIPRaw = "", KerbIP, SourceIPRaw) as SourceIP
/* Differential error code filter: 0xC0000064 (no such user) and 0xC0000072 (account disabled) separate enumeration from ordinary failures; 0xC000006D is the generic logon failure kept as the spray baseline. Both hex spellings are listed because case varies by collector */
| where (EventCode = "4625" AND SubStatus in ("0xc0000064", "0xC0000064", "0xc0000072", "0xC0000072", "0xc000006d", "0xC000006D"))
    OR (EventCode = "4771" AND KerbStatus in ("0x6", "0x18"))
| where !isNull(SourceIP) AND SourceIP != "-" AND SourceIP != "" AND SourceIP != "127.0.0.1" AND SourceIP != "::1"
| where !isNull(TargetUserName) AND TargetUserName != "-" AND TargetUserName != "ANONYMOUS LOGON" AND TargetUserName != ""
| timeslice 1h
/* Aggregate per source and hour (Sumo aggregates are written without a stats keyword) */
| count as fail_count, count_distinct(TargetUserName) as unique_users, values(TargetUserName) as user_list by SourceIP, EventCode, _timeslice
| where unique_users >= 15
/* Everything that survives the threshold is at least Medium */
| if(unique_users >= 100, "Critical", if(unique_users >= 50, "High", "Medium")) as suspicion_score
| sort by unique_users desc
| fields SourceIP, EventCode, unique_users, fail_count, suspicion_score, user_list, _timeslice
Sumo Logic detection for T1589 victim identity enumeration targeting on-premises Windows authentication infrastructure. It parses Windows Security Event 4625 SubStatus codes to isolate enumeration-specific failure conditions: 0xC0000064 (user account does not exist), 0xC0000072 (account disabled), and 0xC000006D (generic logon failure, used as the spray baseline). It adds Kerberos pre-authentication failures (Event 4771) with Status 0x6 (client not found) and 0x18 (wrong password) to detect enumeration against Kerberos-integrated services. Events are aggregated per source IP in 1-hour timeslices with a >=15 distinct username threshold and Critical/High/Medium scoring tiers mirroring the reference SPL logic. The `values()` aggregate collects the distinct usernames seen in each bucket for analyst triage.
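The same pipeline as a stand-alone Python reproduction, added here as an example (it is not part of the original detection package), so the parsing, differential code filter, hourly bucketing and scoring tiers can be checked offline. The event messages, IPs and usernames are constructed for the test, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime
# Regexes mirroring the Sumo parse steps; the username pattern takes the last "Account Name" (4625 lists it twice).
SUBSTATUS_RE = re.compile(r"Sub\s*Status[^:]*:\s*(0x[0-9A-Fa-f]+)", re.I)
KERB_RE = re.compile(r"Failure Code[^:]*:\s*(0x[0-9A-Fa-f]+)", re.I)
USER_RE = re.compile(r"Account Name[^:]*:\s*([^\r\n]+)(?![\s\S]*Account Name)", re.I)
NTLM_IP_RE = re.compile(r"Source Network Address[^:]*:\s*([^\r\n]+)", re.I)
KERB_IP_RE = re.compile(r"Client Address[^:]*:\s*(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})", re.I)
ENUM_CODES = {"4625": {"0xc0000064", "0xc0000072", "0xc000006d"}, "4771": {"0x6", "0x18"}}
SKIP_IPS, SKIP_USERS = {None, "", "-", "127.0.0.1", "::1"}, {None, "", "-", "ANONYMOUS LOGON"}

def _first(rx, text):
    return m.group(1).strip() if (m := rx.search(text)) else None
def parse_event(code, message):
    """Return (source_ip, user) when the event passes the differential code filter, else None."""
    status = _first(SUBSTATUS_RE if code == "4625" else KERB_RE, message)
    if status is None or status.lower() not in ENUM_CODES.get(code, set()):
        return None
    ip = _first(NTLM_IP_RE, message)
    if ip in SKIP_IPS:  # no usable NTLM address: fall back to the Kerberos client address
        ip = _first(KERB_IP_RE, message)
    user = _first(USER_RE, message)
    return None if ip in SKIP_IPS or user in SKIP_USERS else (ip, user)

def score(unique_users):  # tiers from the query; rows below the threshold never reach here
    return "Critical" if unique_users >= 100 else "High" if unique_users >= 50 else "Medium"

def detect(events, threshold=15):
    """events: iterable of (datetime, EventCode, message); returns alert rows keyed by (ip, code, hour)."""
    buckets = defaultdict(lambda: {"fail_count": 0, "users": set()})
    for ts, code, message in events:
        if (parsed := parse_event(code, message)) is None:
            continue
        b = buckets[(parsed[0], code, ts.replace(minute=0, second=0, microsecond=0))]  # 1h timeslice
        b["fail_count"] += 1
        b["users"].add(parsed[1])
    return {k: {"unique_users": len(v["users"]), "fail_count": v["fail_count"],
                "suspicion_score": score(len(v["users"])), "user_list": sorted(v["users"])}
            for k, v in buckets.items() if len(v["users"]) >= threshold}

# Constructed sample telemetry (not real events): a 20-account burst, a wrong-password spray the filter drops, a small Kerberos probe, no-IP noise.
T0 = datetime(2024, 1, 1, 9, 0)
ntlm = lambda u, sub, ip: (f"Subject:\r\n\tAccount Name:\t-\r\nAccount For Which Logon Failed:\r\n\tAccount Name:\t{u}"
                           f"\r\nSub Status:\t{sub}\r\nSource Network Address:\t{ip}")
kerb = lambda u, code, ip: f"Account Name:\t{u}\r\nClient Address:\t::ffff:{ip}\r\nFailure Code:\t{code}"
SAMPLE_EVENTS = ([(T0, "4625", ntlm(f"user{i:02d}", "0xC0000064", "10.0.0.5")) for i in range(20)]
                 + [(T0, "4625", ntlm(f"user{i:02d}", "0xC000006A", "10.0.0.9")) for i in range(20)]
                 + [(T0, "4771", kerb(f"svc{i}", "0x6", "10.0.0.7")) for i in range(3)]
                 + [(T0, "4625", ntlm("user99", "0xC0000064", "-"))])
```

Running `detect(SAMPLE_EVENTS)` yields a single Medium row for 10.0.0.5 with 20 distinct users; the 0xC000006A spray and the three-account Kerberos probe never reach the threshold.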
False Positives & Tuning
- Authorized penetration testing or tabletop exercise teams running tools such as Kerbrute, Rubeus, or Impacket from internal or DMZ segments — confirm with security team calendar and suppress by source IP during engagement
- Enterprise single sign-on (SSO) reverse proxies or application delivery controllers (F5 APM, Citrix ADC) that source all authentication traffic from a VIP address, making thousands of end-user failures appear as single-IP enumeration
- IT operations bulk password reset tooling (e.g., Active Roles, Quest, PowerShell scripts) executed during incident response that touches many accounts in rapid succession from an admin workstation or jump server
- Third-party HR or identity lifecycle management systems (Workday, SAP SuccessFactors connectors) performing nightly user reconciliation against Active Directory and generating failures for stale or pre-provisioned accounts
- Legacy Kerberos-integrated applications that do not cache service tickets and re-authenticate frequently, producing high-volume 4771 events when service account passwords are rotated or DES/RC4 downgrade issues trigger repeated failures
Testing Methodology
Validate this detection against the 3 adversary techniques from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Azure AD Username Enumeration via GetCredentialType API
Expected signal: Azure AD Sign-in Logs (AADSignInLogs) will show ResultType=50034 (UserNameDoesNotExist) for non-existent accounts. Successful lookups may show ResultType=0 or MFA-related codes. Source IP will be the test machine's public IP. Check Azure AD portal under Monitoring > Sign-in Logs filtering by the test domain.
- Test 2: On-Premises Active Directory Username Enumeration via Kerberos
Expected signal: Windows Security Event ID 4625 with SubStatus 0xc0000064 (user does not exist) on domain controller for each non-existent username tested. Event ID 4625 with SubStatus 0xc000006a (wrong password) for valid usernames. Event ID 4771 with Status 0x6 on DCs running Kerberos logging. Check DC Security event logs filtering: EventID=4625 AND (SubStatus=0xc0000064 OR SubStatus=0xc0000072).
- Test 3: SSPR Username Existence Probing via Azure AD Password Reset Flow
Expected signal: Azure AD Audit Logs will contain SSPR-related entries under 'Self-service password reset flow activity' and 'Verify email address phone number'. Check Azure portal: Azure Active Directory > Monitoring > Audit Logs, filter Activity='Reset password (self-service)' or 'Self-service password management'. In Sentinel: `AuditLogs | where OperationName contains 'password' | where TimeGenerated > ago(1h)`
References
- https://attack.mitre.org/techniques/T1589/
- https://grimblog.net/post/username-enumeration-o365/
- https://www.obsidian.security/blog/sspr-abuse-2023
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.mandiant.com/resources/blog/lapsus-recent-techniques-tactics-and-procedures
- https://www.clearskysec.com/siamesekitten/