T1590.001

Domain Properties

Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (name, registrar, etc.) and more directly actionable information such as contacts, business addresses, and name servers. Adversaries gather this information via direct collection (WHOIS queries, DNS enumeration), passive data sets, or by querying publicly accessible API endpoints such as Microsoft's GetUserRealm and autodiscover APIs in Office 365/Azure environments. Tools such as AADInternals leverage these public APIs to enumerate tenant domain details, federation configuration, and company metadata — all without authenticating to the target environment.

Microsoft Sentinel / Defender

kusto

let AADReconPatterns = dynamic([
    "Get-AADIntTenantDomains", "Get-AADIntLoginInformation", "Get-AADIntTenantDetails",
    "Invoke-AADIntReconAsOutsider", "Get-AADIntCompanyInformation", "Get-AADIntTenantID",
    "Get-AADIntOpenIDConfiguration", "Get-AADIntTenantDomainNames", "AADInternals"
]);
let WhoisToolPatterns = dynamic([
    "whois.exe", "whois ", "Get-Whois", "Invoke-Whois"
]);
let WhoisServiceDomains = dynamic([
    "whois.iana.org", "who.is", "whois.domaintools.com", "whois.verisign-grs.com",
    "whois.networksolutions.com", "rdap.org", "rdap.arin.net", "rdap.verisign.com"
]);
// Detection 1: AADInternals module execution or O365 domain recon via PowerShell
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (AADReconPatterns)
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "GetUserRealm")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "autodiscover" and ProcessCommandLine has "microsoft")
    or ProcessCommandLine has_any (WhoisToolPatterns)
| extend DetectionType = case(
    ProcessCommandLine has_any (AADReconPatterns), "AADInternals_DomainRecon",
    ProcessCommandLine has "GetUserRealm", "O365_GetUserRealm_Recon",
    ProcessCommandLine has "autodiscover", "Autodiscover_DomainEnum",
    "WHOIS_Tool_Execution"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: WHOIS protocol connections (TCP port 43) or connections to known WHOIS web services
let WhoisConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where (RemotePort == 43)
    or (RemoteUrl has_any (WhoisServiceDomains))
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe", "SearchProtocolHost.exe", "MsMpEng.exe")
| extend DetectionType = case(
    RemotePort == 43, "WHOIS_Protocol_Port43",
    "WHOIS_WebService_Access"
)
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName,
         RemoteUrl, RemoteIP, RemotePort, DetectionType;
// Detection 3: Azure AD audit events for domain enumeration operations
let AzureDomainEnum = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("List domains", "Get domain", "Verify domain",
                          "List company information", "Get company information",
                          "List tenantDetails", "List organization")
| where Result == "success"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend DetectionType = "AzureAD_DomainEnumeration"
| project Timestamp=TimeGenerated, DeviceName="AzureAD",
         AccountName=coalesce(InitiatedByUser, InitiatedByApp),
         FileName=InitiatedByApp, ProcessCommandLine=OperationName,
         InitiatingProcessFileName=IPAddress, DetectionType;
union ToolExecution, WhoisConnections, AzureDomainEnum
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Application Log: Application Log Content Microsoft Defender for Endpoint Azure Active Directory Audit Logs

Required Tables

DeviceProcessEvents DeviceNetworkEvents AuditLogs

False Positives

IT administrators performing legitimate WHOIS lookups to verify domain registrations, check expiry dates, or investigate abuse complaints
Security teams using AADInternals or similar tools for authorized red team exercises, tenant health checks, or identity posture assessments
DevOps/cloud automation scripts querying Azure AD domain configuration (List domains, List organization) during infrastructure provisioning or validation pipelines
Third-party SaaS connectors and monitoring platforms that enumerate Azure AD tenant domain details during onboarding or health monitoring
Domain registrars or managed DNS provider tools that perform routine WHOIS queries as part of domain portfolio management workflows

Splunk

spl

(`index=wineventlog` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3))
| eval CommandLine=coalesce(CommandLine, "")
| eval DestinationPort=coalesce(DestinationPort, 0)
| eval IsAADRecon=if(match(CommandLine, "(?i)(get-aadinttenantdomains|get-aadintlogininfo|get-aadinttenantdetails|invoke-aadintreconasoutsider|get-aadintcompanyinfo|aadinternals|get-aadinttenantid)"), 1, 0)
| eval IsO365Recon=if(match(CommandLine, "(?i)(getuserrealm|autodiscover.*microsoft|login\.microsoftonline\.com.*userrealm)"), 1, 0)
| eval IsWhoisTool=if(match(CommandLine, "(?i)(whois\.exe|get-whois|invoke-whois|whois\s+[a-z0-9])"), 1, 0)
| eval IsWhoisPort=if(EventCode=3 AND DestinationPort=43, 1, 0)
| eval IsWhoisSvc=if(EventCode=3 AND match(DestinationHostname, "(?i)(whois\.iana\.org|who\.is|whois\.domaintools\.com|whois\.verisign|rdap\.org|rdap\.arin\.net)"), 1, 0)
| eval SuspicionScore=IsAADRecon + IsO365Recon + IsWhoisTool + IsWhoisPort + IsWhoisSvc
| where SuspicionScore > 0
| eval DetectionType=case(
    IsAADRecon=1, "AADInternals_DomainRecon",
    IsO365Recon=1, "O365_API_DomainRecon",
    IsWhoisTool=1, "WHOIS_Tool_Execution",
    IsWhoisPort=1, "WHOIS_Protocol_Port43",
    IsWhoisSvc=1, "WHOIS_WebService_Access",
    true(), "Domain_Recon_Other"
)
| eval ImageOrProcess=coalesce(Image, "N/A")
| eval DestHost=coalesce(DestinationHostname, DestinationIp, "N/A")
| table _time, host, User, ImageOrProcess, CommandLine, DestHost, DestinationPort, DetectionType, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators performing legitimate WHOIS lookups to verify domain registrations, check expiry dates, or investigate abuse complaints
Security teams using AADInternals or similar tools for authorized red team exercises, tenant health checks, or identity posture assessments
DevOps/cloud automation scripts querying Azure AD domain configuration during infrastructure provisioning or validation pipelines
Network monitoring or ITSM tools that perform routine WHOIS queries as part of domain portfolio management workflows
Developers testing Azure AD or O365 integrations that call GetUserRealm or autodiscover endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestPort,
  username AS AccountName,
  UTF8(payload) AS RawPayload,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 105, 143, 260)
  AND (
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantdomains%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadintlogininfo%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantdetails%' OR
    LOWER(UTF8(payload)) LIKE '%invoke-aadintreconasoutsider%' OR
    LOWER(UTF8(payload)) LIKE '%aadinternals%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantid%' OR
    LOWER(UTF8(payload)) LIKE '%getuserrealm%' OR
    (
      LOWER(UTF8(payload)) LIKE '%autodiscover%' AND
      LOWER(UTF8(payload)) LIKE '%microsoft%'
    ) OR
    LOWER(UTF8(payload)) LIKE '%whois.exe%' OR
    LOWER(UTF8(payload)) LIKE '%get-whois%' OR
    LOWER(UTF8(payload)) LIKE '%invoke-whois%' OR
    destinationport = 43 OR
    LOWER(UTF8(payload)) LIKE '%whois.iana.org%' OR
    LOWER(UTF8(payload)) LIKE '%whois.domaintools.com%' OR
    LOWER(UTF8(payload)) LIKE '%rdap.org%' OR
    LOWER(UTF8(payload)) LIKE '%rdap.arin.net%' OR
    LOWER(UTF8(payload)) LIKE '%who.is%'
  )
LAST 24 HOURS
ORDER BY devicetime DESC

medium severity medium confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Security Event Log DSM (LOGSOURCETYPEID 12) Microsoft Sysmon DSM (LOGSOURCETYPEID 13) Microsoft Windows Event Log DSM (LOGSOURCETYPEID 105, 143, 260) QRadar Flow Processor (for port 43 network flows)

Required Tables

events

False Positives

Network asset management or IPAM tools performing scheduled WHOIS enrichment on observed IP ranges for ownership verification, route origin validation, or threat intelligence enrichment pipelines
Penetration testing teams or red team operators running authorized AADInternals reconnaissance against the organization's own Azure AD tenant within a documented and scoped engagement window
DNS filtering or web proxy appliances generating internal events containing WHOIS or RDAP hostnames when resolving domains during URL categorization or reputation lookup decisions

Sumo Logic CSE

sql

(_sourceCategory=*sysmon* OR _sourceCategory=*windows* OR _sourceCategory=*endpoint*)
| where EventCode=1 OR EventCode=3
| parse regex field=CommandLine "(?i)(?P<aad_cmd>Get-AADIntTenantDomains|Get-AADIntLoginInformation|Get-AADIntTenantDetails|Invoke-AADIntReconAsOutsider|AADInternals|Get-AADIntTenantID|Get-AADIntOpenIDConfiguration|Get-AADIntTenantDomainNames)" nodrop
| parse regex field=CommandLine "(?i)(?P<o365_cmd>GetUserRealm|autodiscover)" nodrop
| parse regex field=CommandLine "(?i)(?P<whois_cmd>whois\.exe|Get-Whois|Invoke-Whois)" nodrop
| parse regex field=DestinationHostname "(?i)(?P<whois_svc>whois\.iana\.org|who\.is|whois\.domaintools\.com|whois\.verisign|rdap\.org|rdap\.arin\.net|rdap\.verisign\.com)" nodrop
| where !isNull(aad_cmd) OR !isNull(o365_cmd) OR !isNull(whois_cmd) OR !isNull(whois_svc) OR (EventCode=3 AND DestinationPort=43)
| eval DetectionType = if(!isNull(aad_cmd), "AADInternals_DomainRecon",
    if(!isNull(o365_cmd), "O365_API_DomainRecon",
    if(!isNull(whois_cmd), "WHOIS_Tool_Execution",
    if(EventCode=3 AND DestinationPort=43, "WHOIS_Protocol_Port43",
    "WHOIS_WebService_Access"))))
| table _time, host, User, Image, CommandLine, DestinationHostname, DestinationPort, DetectionType
| sort by _time desc

medium severity high confidence

Data Sources

Sumo Logic Continuous Intelligence Platform Sysmon operational log via Sumo Logic Windows Installed Collector Windows Security Event Log via Sumo Logic Installed Collector

Required Tables

Sysmon event logs (_sourceCategory=*sysmon*) Windows Security logs (_sourceCategory=*windows*)

False Positives

IT helpdesk staff or domain administrators running WHOIS lookups from corporate workstations during phishing investigation, spam source analysis, or DNS troubleshooting workflows
Authorized identity governance tooling that calls O365 GetUserRealm or autodiscover endpoints to verify tenant configuration, test hybrid identity flows, or validate federation settings during maintenance windows
SOAR playbooks or SIEM enrichment pipelines that automatically query WHOIS or RDAP services to enrich IP or domain observables during automated alert triage, producing events from service account processes

Google Chronicle / SecOps

yaral

rule t1590_001_domain_properties_recon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1590.001 domain property reconnaissance via AADInternals, WHOIS tools, O365 public API abuse, and connections to WHOIS/RDAP services"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.001"
    severity = "MEDIUM"
    confidence = "HIGH"
    rule_version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line, `(?i)(Get-AADIntTenantDomains|Get-AADIntLoginInformation|Get-AADIntTenantDetails|Invoke-AADIntReconAsOutsider|Get-AADIntCompanyInformation|AADInternals|Get-AADIntTenantID|Get-AADIntOpenIDConfiguration|Get-AADIntTenantDomainNames)`) or
        re.regex($e.target.process.command_line, `(?i)GetUserRealm`) or
        (
          re.regex($e.target.process.command_line, `(?i)autodiscover`) and
          re.regex($e.target.process.command_line, `(?i)microsoft`)
        ) or
        re.regex($e.target.process.command_line, `(?i)(whois\.exe|Get-Whois|Invoke-Whois)`)
      )
    ) or
    (
      $e.metadata.event_type = "NETWORK_CONNECTION" and
      (
        $e.target.port = 43 or
        re.regex($e.target.hostname, `(?i)(whois\.iana\.org|who\.is|whois\.domaintools\.com|whois\.verisign-grs\.com|rdap\.org|rdap\.arin\.net|rdap\.verisign\.com)`)
      ) and
      not re.regex($e.principal.process.file.full_path, `(?i)(svchost\.exe$|lsass\.exe$|services\.exe$|MsMpEng\.exe$|SearchProtocolHost\.exe$)`)
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder with Windows Sysmon (PROCESS_LAUNCH, NETWORK_CONNECTION UDM event types) Chronicle native Azure AD ingestion (for supplementary identity context) EDR telemetry normalized to UDM (CrowdStrike, Carbon Black, SentinelOne Chronicle parsers)

Required Tables

UDM events (PROCESS_LAUNCH) UDM events (NETWORK_CONNECTION)

False Positives

Authorized Azure AD tenant administrators or identity governance platforms using AADInternals functions for legitimate tenant configuration auditing, license assignment review, or conditional access health checks under approved change tickets
Corporate internet proxies or DNS resolvers that contact WHOIS or RDAP endpoints as part of domain reputation lookups and URL categorization decisions, generating NETWORK_CONNECTION events from proxy process image paths
Purple team or red team exercises using AADInternals or O365 public API reconnaissance against the organization's own environment within a formally authorized and time-boxed scope of work

CrowdStrike LogScale (CQL)

cql

(#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6 OR #event_simpleName=DnsRequest)
| case {
    CommandLine = /(?i)(Get-AADIntTenantDomains|Get-AADIntLoginInformation|Get-AADIntTenantDetails|Invoke-AADIntReconAsOutsider|Get-AADIntCompanyInformation|AADInternals|Get-AADIntTenantID|Get-AADIntOpenIDConfiguration|Get-AADIntTenantDomainNames)/ |
      DetectionType := "AADInternals_DomainRecon" ;
    CommandLine = /(?i)(GetUserRealm|autodiscover.*microsoft|login\.microsoftonline\.com.*userrealm)/ |
      DetectionType := "O365_API_DomainRecon" ;
    CommandLine = /(?i)(whois\.exe|Get-Whois|Invoke-Whois)/ |
      DetectionType := "WHOIS_Tool_Execution" ;
    RemotePort = 43 |
      DetectionType := "WHOIS_Protocol_Port43" ;
    DomainName = /(?i)(whois\.iana\.org|who\.is|whois\.domaintools\.com|whois\.verisign|rdap\.org|rdap\.arin\.net|rdap\.verisign\.com)/ |
      DetectionType := "WHOIS_WebService_DNS" ;
    * | drop()
}
| not ImageFileName = /(?i)(svchost\.exe$|lsass\.exe$|services\.exe$|MsMpEng\.exe$|SearchProtocolHost\.exe$)/
| table(@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RemoteIP, RemotePort, DomainName, DetectionType)
| sort(@timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection platform Falcon LogScale (Humio) — Falcon telemetry repository CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale

Required Tables

ProcessRollup2 SyntheticProcessRollup2 NetworkConnectIP4 NetworkConnectIP6 DnsRequest

False Positives

Threat intelligence or SOAR platforms that automatically enrich observables by querying WHOIS or RDAP APIs, generating DnsRequest or NetworkConnect events from automated service account processes on analyst workstations or SOAR nodes
IT operations staff using the AADInternals PowerShell module for authorized Azure AD license management, user provisioning audits, or tenant configuration health checks approved through the change management process
Browser sessions on analyst or developer workstations accessing web-based WHOIS lookup tools such as who.is or domaintools.com during routine phishing domain or IP investigation tasks, generating DNS and network events from browser processes

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.002DNS T1590.003Network Trust Dependencies T1590.004Network Topology T1590.005IP Addresses T1590.006Network Security Appliances

Domain Properties

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections