T1591.001 Determine Physical Locations Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Branch 1: Detect automated scraping of location/contact pages via WAF/proxy logs (CommonSecurityLog)
let LocationPagePatterns = dynamic(["/contact", "/about", "/locations", "/offices", "/headquarters", "/find-us", "/branches", "/our-locations", "/office-locations", "/where-we-are"]);
let SuspiciousAgents = dynamic(["python-requests", "go-http-client", "curl/", "wget/", "Scrapy", "theHarvester", "recon-ng", "HTTrack", "WebCopier", "libwww-perl", "mechanize", "python-urllib"]);
let WebScrapingAlerts = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestURL has_any (LocationPagePatterns)
| where UserAgent has_any (SuspiciousAgents)
    or UserAgent matches regex @"(?i)(bot|spider|crawler|scraper|scanner|harvest)"
    or isempty(UserAgent)
| summarize
    RequestCount = count(),
    UniqueURLs = dcount(RequestURL),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleURLs = make_set(RequestURL, 5),
    SampleAgents = make_set(UserAgent, 3)
  by SourceIP, DeviceName
| where RequestCount > 15 or UniqueURLs > 4
| extend DetectionSource = "WAF_LocationScraping"
| extend DeviceName2 = DeviceName, AccountName2 = "", FileName2 = "", ProcessCommandLine2 = "";
// Branch 2: OSINT tools for physical location gathering on managed endpoints
let OsintToolAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("theHarvester", "recon-ng", "maltego", "spiderfoot", "metagoofil", "datasploit")
    or (FileName in~ ("python.exe", "python3.exe", "python")
        and ProcessCommandLine has_any ("theHarvester", "recon-ng", "harvester", "spiderfoot", "metagoofil"))
    or (FileName in~ ("cmd.exe", "powershell.exe")
        and ProcessCommandLine has_all ("whois", "-d"))
| extend
    RequestCount = int(null),
    UniqueURLs = int(null),
    FirstSeen = Timestamp,
    LastSeen = Timestamp,
    SampleURLs = dynamic([]),
    SampleAgents = dynamic([])
| extend DetectionSource = "Endpoint_OsintTool"
| extend DeviceName2 = DeviceName, AccountName2 = AccountName, FileName2 = FileName, ProcessCommandLine2 = ProcessCommandLine;
WebScrapingAlerts
| union OsintToolAlerts
| project DetectionSource, FirstSeen, LastSeen, DeviceName2, AccountName2, FileName2, ProcessCommandLine2, SourceIP, RequestCount, UniqueURLs, SampleURLs, SampleAgents
| sort by FirstSeen desc

low severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Process: Process Creation Command: Command Execution

Required Tables

CommonSecurityLog DeviceProcessEvents

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) accessing public location pages — filter by known good crawler IP ranges published by Google and Microsoft
Internal IT security teams or authorized penetration testers executing OSINT tools on managed endpoints during sanctioned assessments — correlate against approved change tickets
Marketing or business development teams using web scraping tools for competitive intelligence or market research — verify user account context and business justification
Website uptime monitoring and accessibility checking services (UptimeRobot, Pingdom, StatusCake) that regularly access contact/about pages to verify availability

Splunk

spl

| multisearch
  [search index=web (sourcetype=access_combined OR sourcetype=iis OR sourcetype=apache_access)
    (uri_path="*/contact*" OR uri_path="*/about*" OR uri_path="*/locations*" OR uri_path="*/offices*"
     OR uri_path="*/headquarters*" OR uri_path="*/find-us*" OR uri_path="*/branches*" OR uri_path="*/our-locations*")
    (useragent="*python-requests*" OR useragent="*scrapy*" OR useragent="*wget*" OR useragent="*curl*"
     OR useragent="*theHarvester*" OR useragent="*recon-ng*" OR useragent="*HTTrack*" OR useragent="-" OR useragent="")
  | eval detection_source="WebLog_LocationScraping"
  | eval target_url=uri_path, source_addr=src_ip, tool_indicator=useragent, host_context=host]
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\theHarvester.exe" OR Image="*\\theHarvester" OR Image="*\\recon-ng" OR Image="*\\maltego*"
     OR Image="*\\spiderfoot*" OR Image="*\\metagoofil*"
     OR ((Image="*\\python.exe" OR Image="*\\python3.exe")
         AND (CommandLine="*theHarvester*" OR CommandLine="*recon-ng*" OR CommandLine="*spiderfoot*" OR CommandLine="*metagoofil*")))
  | eval detection_source="Endpoint_OsintTool"
  | eval target_url=CommandLine, source_addr=host, tool_indicator=Image, host_context=host]
| stats
    count as EventCount,
    dc(target_url) as UniqueTargets,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen,
    values(target_url) as TargetURLs,
    values(tool_indicator) as ToolIndicators
  by source_addr, detection_source, host_context
| where EventCount > 10 OR UniqueTargets > 3
| eval RiskScore=case(EventCount > 100, 90, EventCount > 50, 70, EventCount > 20, 50, 30)
| table FirstSeen, LastSeen, detection_source, source_addr, host_context, EventCount, UniqueTargets, TargetURLs, ToolIndicators, RiskScore
| sort - RiskScore

low severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

access_combined iis XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate web crawlers and search engine bots with missing or minimal user agent strings accessing public contact and location pages — build an allowlist of known crawler IP ranges
Authorized red team or penetration testing engagements where OSINT tools are executed on managed endpoints — correlate detections against active pentest scope documents
IT asset management or network monitoring tools that query company website location pages as part of content availability or uptime verification workflows
Security awareness training platforms that simulate phishing or reconnaissance activity on managed endpoints as part of employee training exercises

Elastic Security (EQL)

eql

process where event.type == "start"
  and (process.name : ("theHarvester*", "maltego*", "recon-ng*", "spiderfoot*", "osrframework*")
   or process.command_line : ("*linkedin*", "*whois*", "*shodan*", "*hunter.io*"))

low severity low confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Security awareness teams researching employee exposure for training purposes
Authorized OSINT assessments by internal red teams or security consultants
HR or marketing teams performing routine competitive intelligence research
Recruiters using LinkedIn and similar platforms for talent research

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

low severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs Network flow data

Required Tables

events

False Positives

Security awareness teams conducting authorized employee exposure research
Authorized red team OSINT assessments
HR or marketing teams performing competitive intelligence research
Recruiters using professional networks for talent research

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
   or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
    if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
    if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
    if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

low severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized OSINT assessments by internal red teams
HR and talent acquisition teams using professional networking tools
Marketing teams conducting authorized competitive intelligence research
Security awareness programs researching employee exposure footprint

Google Chronicle / SecOps

yaral

rule T1591_001_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "low"
    confidence = "low"
    mitre_attack = "T1591.001"
    reference = "https://attack.mitre.org/techniques/T1591/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

low severity low confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

PROCESS_LAUNCH DNS

False Positives

Authorized OSINT assessments by internal red teams or security consultants
HR teams using professional networking platforms for talent acquisition
Marketing teams conducting authorized competitive intelligence research
Security awareness teams assessing employee digital footprint for training

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)/
  OR CommandLine = /(?i)(\-sV\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan|\-O\s)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(nmap|masscan|zmap)/ => ToolCategory := "Port Scanner"; RiskScore := "High";
    ImageFileName = /(?i)(theharvester|spiderfoot)/ => ToolCategory := "OSINT Harvester"; RiskScore := "Medium";
    ImageFileName = /(?i)(nikto)/ => ToolCategory := "Web Scanner"; RiskScore := "High";
    * => ToolCategory := "Recon Tool"; RiskScore := "Medium";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

low severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Internal red teams conducting authorized OSINT and social engineering assessments
HR and talent teams using professional platforms for legitimate recruiting activity
Marketing teams gathering authorized competitive intelligence data
Security programs assessing digital footprint exposure for awareness training

Determine Physical Locations

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections