Software
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include types and versions on specific hosts, as well as the presence of additional components indicative of defensive protections such as antivirus solutions or SIEMs. Adversaries gather this information via active scanning (banner grabbing, port scanning, HTTP probing for version-revealing endpoints), via phishing for information, or by compromising websites to inject JavaScript fingerprinting scripts that collect visitor browser and plugin data. Additionally, adversaries analyze metadata from victim-owned files (PDFs, Office documents, images) hosted on public websites to extract software version information, which can be cross-referenced with known CVEs to identify exploitable attack vectors.
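// Hunt for host-software reconnaissance against web-facing services (T1592.002):
// requests from known scanner / HTTP-tooling user-agents, or to paths that disclose
// component names, versions or configuration, aggregated per source IP and user-agent.
// Sources: IIS (W3CIISLog), Azure App Service (AppServiceHTTPLogs) and CEF devices
// (CommonSecurityLog); union isfuzzy=true so a missing table does not fail the query.
let Lookback = 24h;
// Scanner and generic HTTP-tooling user-agent tokens. has_any is case-insensitive,
// so one spelling per tool is enough (the original listed e.g. "ZGrab" and "zgrab"
// twice). "curl" instead of "curl/7" also covers curl 8.x user-agents. The generic
// tokens (python-requests, Go-http-client, Wget, curl) are noisy on their own, which
// is why ScannerScore below also weighs path diversity.
let ScannerUserAgents = dynamic([
    "Nmap", "masscan", "ZGrab", "zgrab2", "nuclei", "Nikto", "sqlmap",
    "WPScan", "Gobuster", "dirbuster", "feroxbuster",
    "WhatWeb", "Wappalyzer", "Shodan",
    "python-requests", "Go-http-client", "libwww-perl", "curl",
    "HTTPie", "Wget", "Scanner"
]);
// Paths that commonly reveal framework / CMS / app-server versions or configuration.
// has_any matches whole terms, so a short entry such as "/version" also matches
// longer paths that contain that term (e.g. "/api/version").
let VersionProbePaths = dynamic([
    "/.git/", "/.svn/", "/.hg/",
    "/phpinfo.php", "/phpinfo",
    "/wp-login.php", "/wp-admin/", "/wp-includes/", "/readme.html", "/license.txt",
    "/CHANGELOG", "/CHANGELOG.md", "/CHANGELOG.txt",
    "/composer.json", "/package.json", "/package-lock.json",
    "/.env", "/.env.bak", "/.env.local",
    "/config.php", "/config.inc.php", "/configuration.php",
    "/server-status", "/server-info",
    "/actuator", "/actuator/env", "/actuator/info", "/actuator/health", "/actuator/mappings",
    "/api/version", "/version", "/version.txt", "/version.json",
    "/admin/version", "/api/v1/version",
    "/web.config", "/web.xml", "/WEB-INF/web.xml",
    "/crossdomain.xml", "/clientaccesspolicy.xml",
    "/jmx-console", "/manager/html", "/host-manager/html",
    "/elmah.axd", "/trace.axd",
    "/_profiler", "/symfony_profiler"
]);
union isfuzzy=true
(
    W3CIISLog
    | where TimeGenerated > ago(Lookback)
    | where isnotempty(cIP)
    | extend IsScanner = csUserAgent has_any (ScannerUserAgents)
    | extend IsVersionProbe = csUriStem has_any (VersionProbePaths)
    | where IsScanner or IsVersionProbe
    // StatusCode is cast to string in every branch: when union sees same-named columns
    // of different types (numeric here, string EventOutcome from CommonSecurityLog) it
    // emits type-suffixed columns instead, and make_set(StatusCode) below would fail.
    | project TimeGenerated, SourceIP=cIP, UserAgent=csUserAgent,
        RequestedPath=csUriStem, Method=csMethod,
        StatusCode=tostring(scStatus), BytesSent=scBytes,
        IsScanner, IsVersionProbe, Source="IIS"
),
(
    AppServiceHTTPLogs
    | where TimeGenerated > ago(Lookback)
    | where isnotempty(CIp)
    | extend IsScanner = UserAgent has_any (ScannerUserAgents)
    | extend IsVersionProbe = CsUriStem has_any (VersionProbePaths)
    | where IsScanner or IsVersionProbe
    | project TimeGenerated, SourceIP=CIp, UserAgent,
        RequestedPath=CsUriStem, Method=CsMethod,
        StatusCode=tostring(ScStatus), BytesSent=ScBytes,
        IsScanner, IsVersionProbe, Source="AppService"
),
(
    CommonSecurityLog
    | where TimeGenerated > ago(Lookback)
    // has_any is whole-term matching, so a partial stem such as "enumerat" never
    // matches "enumeration"; list the full words that appear in Activity instead.
    | where DeviceEventCategory in ("Web Attack", "Scan", "Reconnaissance", "Policy")
        or Activity has_any ("scan", "scanning", "scanner", "probe",
                             "fingerprint", "fingerprinting", "enumerate", "enumeration")
    | extend IsScanner = RequestClientApplication has_any (ScannerUserAgents)
    | extend IsVersionProbe = RequestURL has_any (VersionProbePaths)
    // Filter on the same two flags as the other branches so every surviving row has at
    // least one flag set (the original also admitted SourceUserName matches, which
    // then aggregated with both flags false).
    | where IsScanner or IsVersionProbe
    | project TimeGenerated, SourceIP, UserAgent=RequestClientApplication,
        RequestedPath=RequestURL, Method=RequestMethod,
        StatusCode=tostring(EventOutcome),
        IsScanner, IsVersionProbe, Source=DeviceVendor
)
// One row per source / user-agent / flag combination over the lookback window.
| summarize
    RequestCount = count(),
    UniquePaths = dcount(RequestedPath),
    Paths = make_set(RequestedPath, 30),
    StatusCodes = make_set(StatusCode),
    Methods = make_set(Method),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, UserAgent, IsScanner, IsVersionProbe, Source
// Volume / breadth floor: a single hit on one probe path is too thin to triage.
| where RequestCount > 5 or UniquePaths > 3
// 0-3: +1 for a scanner user-agent, +1 for >5 distinct paths, +2 for >10 distinct paths.
| extend ScannerScore = toint(IsScanner) + iff(UniquePaths > 10, 2, iff(UniquePaths > 5, 1, 0))
| sort by ScannerScore desc, RequestCount desc

Data Sources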
Required Tables
False Positives
- Legitimate vulnerability scanners operated by internal security teams or authorized third-party penetration testers
- Commercial security rating services (SecurityScorecard, BitSight) that continuously probe public-facing infrastructure
- Uptime monitoring and synthetic transaction services (Pingdom, UptimeRobot, Datadog Synthetics) using identifiable user-agents
- Search engine crawlers (Googlebot, Bingbot) accessing robots.txt, sitemap.xml, and publicly documented paths
- Web application testing during SDLC pipelines where developers run automated scans in staging environments mirroring production
References (10)
- https://attack.mitre.org/techniques/T1592/002/
- https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
- https://outpost24.com/blog/metadata-hackers-best-friend/
- https://threatconnect.com/blog/infrastructure-research-hunting/
- https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/iis-logs
- https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsIISlogs
- https://github.com/projectdiscovery/nuclei-templates/tree/main/technologies
- https://nmap.org/book/man-version-detection.html
- https://github.com/urbanadventurer/WhatWeb