T1591.001 Splunk · SPL

Detect Determine Physical Locations in Splunk

Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. Adversaries may gather this information via direct elicitation through phishing for information, by searching victim-owned websites, or by leveraging publicly accessible data sets such as SEC EDGAR filings, WHOIS registration records, and social media. This reconnaissance technique is largely external to the victim environment, making direct detection extremely limited. Observable signals include automated scraping of organization-owned web properties, OSINT tool execution on managed endpoints, and email-based location elicitation attempts.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1591 Gather Victim Org Information
Sub-technique: T1591.001 Determine Physical Locations
Canonical reference: https://attack.mitre.org/techniques/T1591/001/

SPL Detection Query

Splunk (SPL)
| multisearch
  [search index=web (sourcetype=access_combined OR sourcetype=iis OR sourcetype=apache_access)
    (uri_path="*/contact*" OR uri_path="*/about*" OR uri_path="*/locations*" OR uri_path="*/offices*"
     OR uri_path="*/headquarters*" OR uri_path="*/find-us*" OR uri_path="*/branches*" OR uri_path="*/our-locations*")
    (useragent="*python-requests*" OR useragent="*scrapy*" OR useragent="*wget*" OR useragent="*curl*"
     OR useragent="*theHarvester*" OR useragent="*recon-ng*" OR useragent="*HTTrack*" OR useragent="-" OR useragent="")
  | eval detection_source="WebLog_LocationScraping"
  | eval target_url=uri_path, source_addr=src_ip, tool_indicator=useragent, host_context=host]
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\theHarvester.exe" OR Image="*\\theHarvester" OR Image="*\\recon-ng" OR Image="*\\maltego*"
     OR Image="*\\spiderfoot*" OR Image="*\\metagoofil*"
     OR ((Image="*\\python.exe" OR Image="*\\python3.exe")
         AND (CommandLine="*theHarvester*" OR CommandLine="*recon-ng*" OR CommandLine="*spiderfoot*" OR CommandLine="*metagoofil*")))
  | eval detection_source="Endpoint_OsintTool"
  | eval target_url=CommandLine, source_addr=host, tool_indicator=Image, host_context=host]
| stats
    count as EventCount,
    dc(target_url) as UniqueTargets,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen,
    values(target_url) as TargetURLs,
    values(tool_indicator) as ToolIndicators
  by source_addr, detection_source, host_context
| where EventCount > 10 OR UniqueTargets > 3
| eval RiskScore=case(EventCount > 100, 90, EventCount > 50, 70, EventCount > 20, 50, 30)
| table FirstSeen, LastSeen, detection_source, source_addr, host_context, EventCount, UniqueTargets, TargetURLs, ToolIndicators, RiskScore
| sort - RiskScore
Severity: low. Confidence: low.

Detects physical location reconnaissance via two parallel search branches using Splunk multisearch. The first branch analyzes web server access logs (Combined Log Format, IIS, Apache) for automated requests to location and contact pages with suspicious or empty user agents. The second branch uses Sysmon Event ID 1 to detect OSINT tools (theHarvester, recon-ng, Maltego, SpiderFoot, Metagoofil) executing on managed Windows endpoints. Results are aggregated by source address and detection source, with a risk score based on event volume to help analysts prioritize.

Data Sources

  • Network Traffic: Network Traffic Content
  • Application Log: Application Log Content
  • Process: Process Creation
  • Sysmon Event ID 1

Required Sourcetypes

  • access_combined
  • iis
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate web crawlers and search engine bots with missing or minimal user agent strings accessing public contact and location pages — build an allowlist of known crawler IP ranges
  • Authorized red team or penetration testing engagements where OSINT tools are executed on managed endpoints — correlate detections against active pentest scope documents
  • IT asset management or network monitoring tools that query company website location pages as part of content availability or uptime verification workflows
  • Security awareness training platforms that simulate phishing or reconnaissance activity on managed endpoints as part of employee training exercises
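As an added example (not part of this page or the rule's own code), the following Python reimplements the first multisearch branch over constructed Combined Log Format lines, using the same path and user-agent patterns, the same stats/where thresholds and the same case() risk ladder, and adds the known-crawler allowlist the tuning notes above recommend. The sample log lines, the allowlist parameter and the function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Branch-1 patterns from the SPL; "*/contact*" style wildcards are "contains" matches.
LOCATION_PATHS = ("/contact", "/about", "/locations", "/offices",
                  "/headquarters", "/find-us", "/branches", "/our-locations")
TOOL_AGENTS = ("python-requests", "scrapy", "wget", "curl", "theHarvester", "recon-ng", "HTTrack")
# Combined Log Format: client ident user [time] "method path proto" status bytes "referer" "agent"
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$')

# Constructed sample access_combined events (hypothetical, not from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /contact HTTP/1.1" 200 512 "-" "python-requests/2.28.2"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 900 "-" "python-requests/2.28.2"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /locations HTTP/1.1" 200 2048 "-" "python-requests/2.28.2"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "GET /offices HTTP/1.1" 200 2048 "-" "python-requests/2.28.2"
198.51.100.9 - - [10/May/2024:10:05:00 +0000] "GET /contact HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0"
192.0.2.4 - - [10/May/2024:10:06:01 +0000] "GET /contact HTTP/1.1" 200 512 "-" "-"
"""

def is_location_scrape(path, agent):
    """Branch-1 predicate: a location/contact page fetched with a tool-like or empty user agent."""
    tool_ua = agent in ("-", "") or any(t.lower() in agent.lower() for t in TOOL_AGENTS)
    return tool_ua and any(p in path for p in LOCATION_PATHS)

def risk_score(event_count):
    """Same case() ladder as the SPL: >100 -> 90, >50 -> 70, >20 -> 50, otherwise 30."""
    return 90 if event_count > 100 else 70 if event_count > 50 else 50 if event_count > 20 else 30

def detect(log_text, allowlist=frozenset(), min_events=10, min_targets=3):
    """Aggregate per source like the SPL stats/where/eval chain; allowlist implements the
    known-crawler exclusion from the tuning notes. Returns {source_addr: result} for alerting sources."""
    paths_by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparsable line: no fields, so the SPL would not match it either
        src, path, agent = m.groups()
        if src in allowlist or not is_location_scrape(path, agent):
            continue
        paths_by_src[src].append(path)
    results = {}
    for src, paths in paths_by_src.items():
        count, unique = len(paths), len(set(paths))
        if count > min_events or unique > min_targets:  # SPL: EventCount > 10 OR UniqueTargets > 3
            results[src] = {"EventCount": count, "UniqueTargets": unique,
                            "TargetURLs": sorted(set(paths)), "RiskScore": risk_score(count)}
    return results
```

Only 203.0.113.7 alerts here: four distinct location pages trip the UniqueTargets threshold even though the event count stays below 10, which is exactly the low-volume scraping case the OR condition in the SPL is meant to catch.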

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: theHarvester Domain Reconnaissance for Physical Location Data

    Expected signal: Auditd syscall: execve() for 'theharvester' binary with -d and -b arguments. Sysmon for Linux Event ID 1 (if deployed): Image=theharvester, CommandLine contains '-d example.com -b google,bing,linkedin'. DNS queries: multiple resolution requests for subdomains of example.com. Network connections: outbound HTTPS (port 443) to Google, Bing, and LinkedIn APIs. File creation: /tmp/argus_location_recon.html and .xml output files.

  2. Test 2: recon-ng Physical Location Module Execution

    Expected signal: Process creation: recon-ng process with -w workspace and -C command arguments. Network connections: outbound HTTPS to whois servers and the recon-ng module data sources. File creation: ~/.recon-ng/workspaces/argus_test_workspace/ directory and data.db SQLite database. DNS queries for whois server hostnames.

  3. Test 3: Automated HTTP Scraping of Organizational Location Pages

    Expected signal: Web server access log entries: Multiple requests from 127.0.0.1 with UserAgent='python-requests/2.28.2' targeting /contact, /about, /locations, /offices, /headquarters, /find-us, /branches, /our-locations in rapid succession. Process creation (Sysmon Event ID 1): python3 process with inline script. Network connections (Sysmon Event ID 3): python3 to localhost:8080. UniqueURLs=8 exceeds the detection threshold of 4.

  4. Test 4: WHOIS Registration Data Physical Address Extraction

    Expected signal: Process creation: whois binary executed three times (one per domain), visible in Sysmon Event ID 1 with FileName=whois and domain argument in CommandLine. Network connections (Sysmon Event ID 3): TCP connections to port 43 (WHOIS protocol) to whois.iana.org, whois.verisign-grs.com, and registrar-specific WHOIS servers. DNS queries (Sysmon Event ID 22) for WHOIS server hostnames. Shell history: whois commands preserved in ~/.bash_history.

  5. Test 5: SEC EDGAR Filing Search for Physical Address Disclosure

    Expected signal: Process creation (Sysmon Event ID 1): curl execution with EDGAR URL as argument, FileName=curl. DNS query (Sysmon Event ID 22): efts.sec.gov DNS resolution from internal endpoint. Network connection (Sysmon Event ID 3): outbound HTTPS (port 443) to SEC EDGAR servers. File creation (Sysmon Event ID 11): /tmp/edgar_location_results.json. Shell history: curl command with EDGAR URL preserved.
