Which SIEM platforms have a T1590.001 detection rule?

df00tech provides T1590.001 (Domain Properties) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Domain Properties (T1590.001)?

Detecting Domain Properties requires the following data sources: Process: Process Creation, Network Traffic: Network Connection Creation, Application Log: Application Log Content, Microsoft Defender for Endpoint, Azure Active Directory Audit Logs.

What severity and confidence is the T1590.001 detection?

The T1590.001 detection is rated medium severity with medium confidence.

What are common false positives for T1590.001?

Common false positives for T1590.001 include: IT administrators performing legitimate WHOIS lookups to verify domain registrations, check expiry dates, or investigate abuse complaints; Security teams using AADInternals or similar tools for authorized red team exercises, tenant health checks, or identity posture assessments; DevOps/cloud automation scripts querying Azure AD domain configuration (List domains, List organization) during infrastructure provisioning or validation pipelines.

T1590.001 IBM QRadar · QRadar

Detect Domain Properties in IBM QRadar

Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (name, registrar, etc.) and more directly actionable information such as contacts, business addresses, and name servers. Adversaries gather this information via direct collection (WHOIS queries, DNS enumeration), passive data sets, or by querying publicly accessible API endpoints such as Microsoft's GetUserRealm and autodiscover APIs in Office 365/Azure environments. Tools such as AADInternals leverage these public APIs to enumerate tenant domain details, federation configuration, and company metadata — all without authenticating to the target environment.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.001 Domain Properties
Canonical reference: https://attack.mitre.org/techniques/T1590/001/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestPort,
  username AS AccountName,
  UTF8(payload) AS RawPayload,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 105, 143, 260)
  AND (
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantdomains%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadintlogininfo%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantdetails%' OR
    LOWER(UTF8(payload)) LIKE '%invoke-aadintreconasoutsider%' OR
    LOWER(UTF8(payload)) LIKE '%aadinternals%' OR
    LOWER(UTF8(payload)) LIKE '%get-aadinttenantid%' OR
    LOWER(UTF8(payload)) LIKE '%getuserrealm%' OR
    (
      LOWER(UTF8(payload)) LIKE '%autodiscover%' AND
      LOWER(UTF8(payload)) LIKE '%microsoft%'
    ) OR
    LOWER(UTF8(payload)) LIKE '%whois.exe%' OR
    LOWER(UTF8(payload)) LIKE '%get-whois%' OR
    LOWER(UTF8(payload)) LIKE '%invoke-whois%' OR
    destinationport = 43 OR
    LOWER(UTF8(payload)) LIKE '%whois.iana.org%' OR
    LOWER(UTF8(payload)) LIKE '%whois.domaintools.com%' OR
    LOWER(UTF8(payload)) LIKE '%rdap.org%' OR
    LOWER(UTF8(payload)) LIKE '%rdap.arin.net%' OR
    LOWER(UTF8(payload)) LIKE '%who.is%'
  )
LAST 24 HOURS
ORDER BY devicetime DESC

medium severity medium confidence

IBM QRadar AQL query detecting domain property reconnaissance by searching raw event payloads from Windows Security, Sysmon, and Windows Event Log sources for AADInternals cmdlet strings, O365 public API patterns, WHOIS tool invocations, and known WHOIS/RDAP service domain substrings. Also triggers on network flows with destination port 43 (WHOIS protocol). LOGSOURCETYPEID values cover Microsoft Windows Security (12), Sysmon DSM (13), Microsoft Windows (105, 143, 260) — verify exact IDs for your QRadar deployment and DSM pack versions.

Data Sources

IBM QRadar SIEMMicrosoft Windows Security Event Log DSM (LOGSOURCETYPEID 12)Microsoft Sysmon DSM (LOGSOURCETYPEID 13)Microsoft Windows Event Log DSM (LOGSOURCETYPEID 105, 143, 260)QRadar Flow Processor (for port 43 network flows)

Required Tables

events

False Positives & Tuning

Network asset management or IPAM tools performing scheduled WHOIS enrichment on observed IP ranges for ownership verification, route origin validation, or threat intelligence enrichment pipelines
Penetration testing teams or red team operators running authorized AADInternals reconnaissance against the organization's own Azure AD tenant within a documented and scoped engagement window
DNS filtering or web proxy appliances generating internal events containing WHOIS or RDAP hostnames when resolving domains during URL categorization or reputation lookup decisions

Download portable Sigma rule (.yml)

Other platforms for T1590.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1AADInternals Tenant Domain Reconnaissance
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-AADIntLoginInformation' and 'AADInternals'. PowerShell ScriptBlock Log Event ID 4104 with the full module import and command. Sysmon Event ID 3: Network connection from powershell.exe to login.microsoftonline.com (port 443). Azure AD Audit Logs may show GetUserRealm API access from the source IP.
Test 2WHOIS Protocol Query via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'TcpClient' and 'whois.iana.org' and port 43. Sysmon Event ID 3: Network Connection from powershell.exe to whois.iana.org on DestinationPort 43. Security Event ID 4688 (if command line auditing enabled).
Test 3Azure AD Domain List Enumeration via Graph API
Expected signal: Sysmon Event ID 1: Process Create for az.cmd or python.exe (Azure CLI) with CommandLine containing 'graph.microsoft.com' and 'domains'. Sysmon Event ID 3: Network connection from the Azure CLI process to graph.microsoft.com on port 443. Azure AD Audit Logs: OperationName='List domains' with the initiating user, IP address, and application 'Microsoft Azure CLI'.
Test 4AADInternals External Tenant Reconnaissance (Outsider Mode)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-AADIntReconAsOutsider' and 'AADInternals'. PowerShell ScriptBlock Log Event ID 4104 with the full function invocation. Multiple Sysmon Event ID 3 records: outbound HTTPS connections to login.microsoftonline.com, autodiscover.microsoft.com, and related Microsoft identity endpoints. Azure AD Audit Logs may record the GetUserRealm API calls with source IP.
Test 5Bulk DNS Record Enumeration for Domain Mapping
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and multiple DNS record types. Sysmon Event ID 22 (DNS Query): multiple DNS queries for the target domain with QueryType values MX, NS, TXT, SOA. Windows DNS Client Event Log (Microsoft-Windows-DNS-Client/Operational): corresponding DNS resolution events.

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Domain Properties in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1590.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1590.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox