T1590.001 Microsoft Sentinel · KQL

Detect Domain Properties in Microsoft Sentinel

Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (name, registrar, etc.) and more directly actionable information such as contacts, business addresses, and name servers. Adversaries gather this information via direct collection (WHOIS queries, DNS enumeration), passive data sets, or by querying publicly accessible API endpoints such as Microsoft's GetUserRealm and autodiscover APIs in Office 365/Azure environments. Tools such as AADInternals leverage these public APIs to enumerate tenant domain details, federation configuration, and company metadata — all without authenticating to the target environment.

MITRE ATT&CK

  • Tactic: Reconnaissance
  • Technique: T1590 Gather Victim Network Information
  • Sub-technique: T1590.001 Domain Properties
  • Canonical reference: https://attack.mitre.org/techniques/T1590/001/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let AADReconPatterns = dynamic([
    "Get-AADIntTenantDomains", "Get-AADIntLoginInformation", "Get-AADIntTenantDetails",
    "Invoke-AADIntReconAsOutsider", "Get-AADIntCompanyInformation", "Get-AADIntTenantID",
    "Get-AADIntOpenIDConfiguration", "Get-AADIntTenantDomainNames", "AADInternals"
]);
let WhoisToolPatterns = dynamic([
    "whois.exe", "whois ", "Get-Whois", "Invoke-Whois"
]);
let WhoisServiceDomains = dynamic([
    "whois.iana.org", "who.is", "whois.domaintools.com", "whois.verisign-grs.com",
    "whois.networksolutions.com", "rdap.org", "rdap.arin.net", "rdap.verisign.com"
]);
// Detection 1: AADInternals module execution or O365 domain recon via PowerShell
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (AADReconPatterns)
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "GetUserRealm")
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "autodiscover" and ProcessCommandLine has "microsoft")
    or ProcessCommandLine has_any (WhoisToolPatterns)
| extend DetectionType = case(
    ProcessCommandLine has_any (AADReconPatterns), "AADInternals_DomainRecon",
    ProcessCommandLine has "GetUserRealm", "O365_GetUserRealm_Recon",
    ProcessCommandLine has "autodiscover", "Autodiscover_DomainEnum",
    "WHOIS_Tool_Execution"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: WHOIS protocol connections (TCP port 43) or connections to known WHOIS web services
let WhoisConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where (RemotePort == 43)
    or (RemoteUrl has_any (WhoisServiceDomains))
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe", "SearchProtocolHost.exe", "MsMpEng.exe")
| extend DetectionType = case(
    RemotePort == 43, "WHOIS_Protocol_Port43",
    "WHOIS_WebService_Access"
)
| project Timestamp, DeviceName,
         AccountName=InitiatingProcessAccountName,
         FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine,
         InitiatingProcessFileName,
         RemoteUrl, RemoteIP, RemotePort, DetectionType;
// Detection 3: Azure AD audit events for domain enumeration operations
let AzureDomainEnum = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in ("List domains", "Get domain", "Verify domain",
                          "List company information", "Get company information",
                          "List tenantDetails", "List organization")
| where Result == "success"
| extend InitiatedByUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatedByApp = tostring(InitiatedBy.app.displayName)
| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend DetectionType = "AzureAD_DomainEnumeration"
| project Timestamp=TimeGenerated, DeviceName="AzureAD",
         AccountName=coalesce(InitiatedByUser, InitiatedByApp),
         FileName=InitiatedByApp, ProcessCommandLine=OperationName,
         InitiatingProcessFileName=IPAddress, DetectionType;
union ToolExecution, WhoisConnections, AzureDomainEnum
| sort by Timestamp desc
```

Severity: medium | Confidence: medium

Detects domain property reconnaissance using three complementary signals: (1) execution of AADInternals PowerShell module commands or direct O365 API recon patterns (GetUserRealm, autodiscover) captured via DeviceProcessEvents; (2) outbound network connections on TCP port 43 (WHOIS protocol) or to known WHOIS web services captured via DeviceNetworkEvents; (3) Azure AD audit log events for domain enumeration operations such as List domains and Get company information. The union of all three sources provides broad coverage across the pre-attack reconnaissance lifecycle.

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • Application Log: Application Log Content
  • Microsoft Defender for Endpoint
  • Azure Active Directory Audit Logs

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents
  • AuditLogs

False Positives & Tuning

  • IT administrators performing legitimate WHOIS lookups to verify domain registrations, check expiry dates, or investigate abuse complaints
  • Security teams using AADInternals or similar tools for authorized red team exercises, tenant health checks, or identity posture assessments
  • DevOps/cloud automation scripts querying Azure AD domain configuration (List domains, List organization) during infrastructure provisioning or validation pipelines
  • Third-party SaaS connectors and monitoring platforms that enumerate Azure AD tenant domain details during onboarding or health monitoring
  • Domain registrars or managed DNS provider tools that perform routine WHOIS queries as part of domain portfolio management workflows
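As an added, stand-alone example (not part of this detection page and not Sentinel code), the Python below replays the classification logic of Detection 1 and Detection 2 over constructed Defender-style event records and applies the kind of account/host allowlist that the tuning notes above call for. The column names mirror the DeviceProcessEvents and DeviceNetworkEvents fields used in the query; the sample records, the allowlist entries, and the use of case-insensitive substring matching in place of KQL's term-based has/has_any are assumptions of this example.

```python
# Added example: local replay of the rule's Detection 1 / Detection 2 logic plus
# allowlist tuning. Event dicts use Defender for Endpoint column names; all sample
# records and allowlist entries are constructed for illustration.
from typing import Optional

AAD_RECON_PATTERNS = (
    "Get-AADIntTenantDomains", "Get-AADIntLoginInformation", "Get-AADIntTenantDetails",
    "Invoke-AADIntReconAsOutsider", "Get-AADIntCompanyInformation", "Get-AADIntTenantID",
    "Get-AADIntOpenIDConfiguration", "Get-AADIntTenantDomainNames", "AADInternals",
)
WHOIS_TOOL_PATTERNS = ("whois.exe", "whois ", "Get-Whois", "Invoke-Whois")
WHOIS_SERVICE_DOMAINS = (
    "whois.iana.org", "who.is", "whois.domaintools.com", "whois.verisign-grs.com",
    "whois.networksolutions.com", "rdap.org", "rdap.arin.net", "rdap.verisign.com",
)
POWERSHELL = ("powershell.exe", "pwsh.exe")
# System processes the rule excludes from the network-signal path
BENIGN_INITIATORS = ("svchost.exe", "lsass.exe", "services.exe",
                     "searchprotocolhost.exe", "msmpeng.exe")


def _has_any(text: str, patterns) -> bool:
    """Case-insensitive substring match (assumption: approximates KQL has_any,
    which actually matches whole terms; validate exact behaviour in Sentinel)."""
    low = text.lower()
    return any(p.lower() in low for p in patterns)


def classify_process(ev: dict) -> Optional[str]:
    """Detection 1: DetectionType for a DeviceProcessEvents row, or None.
    Branch order mirrors the KQL case() priority."""
    cmd = ev.get("ProcessCommandLine", "")
    is_ps = ev.get("FileName", "").lower() in POWERSHELL
    if _has_any(cmd, AAD_RECON_PATTERNS):
        return "AADInternals_DomainRecon"
    if is_ps and "getuserrealm" in cmd.lower():
        return "O365_GetUserRealm_Recon"
    if is_ps and "autodiscover" in cmd.lower() and "microsoft" in cmd.lower():
        return "Autodiscover_DomainEnum"
    if _has_any(cmd, WHOIS_TOOL_PATTERNS):
        return "WHOIS_Tool_Execution"
    return None


def classify_network(ev: dict) -> Optional[str]:
    """Detection 2: WHOIS protocol (TCP/43) or a known WHOIS/RDAP web service,
    after dropping the benign system initiators the rule excludes."""
    if ev.get("InitiatingProcessFileName", "").lower() in BENIGN_INITIATORS:
        return None
    if ev.get("RemotePort") == 43:
        return "WHOIS_Protocol_Port43"
    if _has_any(ev.get("RemoteUrl", ""), WHOIS_SERVICE_DOMAINS):
        return "WHOIS_WebService_Access"
    return None


# Tuning: (account, device) pairs documented as performing these lookups
# legitimately. Constructed; in Sentinel this would come from a watchlist.
ALLOWLIST = {("CORP\\dnsadmin", "OPS-JUMP01")}


def run_detections(process_events, network_events, allowlist=ALLOWLIST):
    """Return (DetectionType, DeviceName, AccountName) tuples, allowlist applied."""
    alerts = []
    for ev in process_events:
        dt = classify_process(ev)
        if dt and (ev["AccountName"], ev["DeviceName"]) not in allowlist:
            alerts.append((dt, ev["DeviceName"], ev["AccountName"]))
    for ev in network_events:
        dt = classify_network(ev)
        if dt and (ev["InitiatingProcessAccountName"], ev["DeviceName"]) not in allowlist:
            alerts.append((dt, ev["DeviceName"], ev["InitiatingProcessAccountName"]))
    return alerts


# Constructed sample telemetry
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "WS-0042", "AccountName": "CORP\\jdoe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -c Import-Module AADInternals; Get-AADIntTenantDomains -Domain example.com"},
    {"DeviceName": "WS-0042", "AccountName": "CORP\\jdoe", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh -c Invoke-RestMethod https://login.microsoftonline.com/GetUserRealm?login=user@example.com"},
    {"DeviceName": "OPS-JUMP01", "AccountName": "CORP\\dnsadmin", "FileName": "whois.exe",
     "ProcessCommandLine": "whois.exe example.com"},
    {"DeviceName": "WS-0007", "AccountName": "CORP\\asmith", "FileName": "notepad.exe",
     "ProcessCommandLine": "notepad.exe C:\\notes\\registrar-contacts.txt"},
]
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "WS-0042", "InitiatingProcessAccountName": "CORP\\jdoe",
     "InitiatingProcessFileName": "powershell.exe", "RemoteUrl": "whois.iana.org",
     "RemoteIP": "192.0.2.10", "RemotePort": 43},
    {"DeviceName": "WS-0042", "InitiatingProcessAccountName": "CORP\\jdoe",
     "InitiatingProcessFileName": "chrome.exe", "RemoteUrl": "https://rdap.org/domain/example.com",
     "RemoteIP": "192.0.2.20", "RemotePort": 443},
    {"DeviceName": "WS-0007", "InitiatingProcessAccountName": "NT AUTHORITY\\SYSTEM",
     "InitiatingProcessFileName": "svchost.exe", "RemoteUrl": "whois.iana.org",
     "RemoteIP": "192.0.2.10", "RemotePort": 43},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(alert)
```

Running the block yields four alerts for WS-0042 (AADInternals, GetUserRealm, port-43 WHOIS, and RDAP web access); the whois.exe run from the allowlisted admin jump host and the svchost.exe connection are suppressed. Keep the allowlist keyed on account plus device rather than account alone, so a compromised admin credential used from an unexpected host still alerts.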

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AADInternals Tenant Domain Reconnaissance

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-AADIntLoginInformation' and 'AADInternals'. PowerShell ScriptBlock Log Event ID 4104 with the full module import and command. Sysmon Event ID 3: Network connection from powershell.exe to login.microsoftonline.com (port 443). Azure AD Audit Logs may show GetUserRealm API access from the source IP.

  2. Test 2: WHOIS Protocol Query via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'TcpClient' and 'whois.iana.org' and port 43. Sysmon Event ID 3: Network Connection from powershell.exe to whois.iana.org on DestinationPort 43. Security Event ID 4688 (if command line auditing enabled).

  3. Test 3: Azure AD Domain List Enumeration via Graph API

    Expected signal: Sysmon Event ID 1: Process Create for az.cmd or python.exe (Azure CLI) with CommandLine containing 'graph.microsoft.com' and 'domains'. Sysmon Event ID 3: Network connection from the Azure CLI process to graph.microsoft.com on port 443. Azure AD Audit Logs: OperationName='List domains' with the initiating user, IP address, and application 'Microsoft Azure CLI'.

  4. Test 4: AADInternals External Tenant Reconnaissance (Outsider Mode)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-AADIntReconAsOutsider' and 'AADInternals'. PowerShell ScriptBlock Log Event ID 4104 with the full function invocation. Multiple Sysmon Event ID 3 records: outbound HTTPS connections to login.microsoftonline.com, autodiscover.microsoft.com, and related Microsoft identity endpoints. Azure AD Audit Logs may record the GetUserRealm API calls with source IP.

  5. Test 5: Bulk DNS Record Enumeration for Domain Mapping

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and multiple DNS record types. Sysmon Event ID 22 (DNS Query): multiple DNS queries for the target domain with QueryType values MX, NS, TXT, SOA. Windows DNS Client Event Log (Microsoft-Windows-DNS-Client/Operational): corresponding DNS resolution events.
