T1592.002 Elastic Security · Elastic

Detect Software in Elastic Security

Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include types and versions on specific hosts, as well as the presence of additional components indicative of defensive protections such as antivirus solutions or SIEMs. Adversaries gather this information via active scanning (banner grabbing, port scanning, HTTP probing for version-revealing endpoints), phishing for information, or by compromising websites to inject JavaScript fingerprinting scripts that collect visitor browser and plugin data. Additionally, adversaries analyze metadata from victim-owned files (PDFs, Office documents, images) hosted on public websites to extract software version information, which can be cross-referenced with known CVEs to identify exploitable attack vectors.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Sub-technique
T1592.002 Software
Canonical reference
https://attack.mitre.org/techniques/T1592/002/

Elastic Detection Query

Elastic Security (Elastic)

```eql
// T1592.002 — Software Fingerprinting
any where event.dataset : ("iis.access", "apache_http_server.access")
  and (user_agent.original : ("Nmap*", "masscan*", "zgrab*", "nuclei*", "nikto*",
    "WPScan*", "whatweb*", "Wappalyzer*", "python-requests*", "Go-http-client*")
  or url.path : ("/.git/*", "/phpinfo.php", "/wp-login.php", "/wp-admin/*",
    "/actuator/*", "/api/version", "/.env", "/server-status", "/CHANGELOG*"))
```

Severity: low · Confidence: medium

Elastic EQL detection for Software (T1592.002). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

Data Sources

Network Traffic, Firewall Logs

Required Tables

logs-network_traffic.*
logs-endpoint.events.network-*

False Positives & Tuning

  • Legitimate vulnerability scanners operated by internal security teams or authorized third-party penetration testers
  • Commercial security rating services (SecurityScorecard, BitSight) that continuously probe public-facing infrastructure
  • Uptime monitoring and synthetic transaction services (Pingdom, UptimeRobot, Datadog Synthetics) using identifiable user-agents
  • Search engine crawlers (Googlebot, Bingbot) accessing robots.txt, sitemap.xml, and publicly documented paths
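
The EQL rule above matches on two ECS fields, user_agent.original and url.path, using EQL's case-insensitive wildcard operator, and the tuning list above suppresses authorised sources. The Python script below is an added example, not Elastic's code and not part of this detection package: it parses a few constructed Apache combined-format lines into those ECS fields, applies the same two pattern lists, and then applies a tuning allowlist by recording (rather than alerting on) hits from an assumed authorised-scanner network. The 10.20.0.0/24 range and every log line are placeholders invented for the example.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample lines in Apache combined log format (invented for this
# example, not captured traffic). Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/May/2024:10:01:03 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "python-requests/2.31.0"
198.51.100.23 - - [12/May/2024:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.23 - - [12/May/2024:10:02:12 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.20.0.5 - - [12/May/2024:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "WhatWeb/0.5.5"
192.0.2.99 - - [12/May/2024:10:04:00 +0000] "GET /actuator/health?x=1 HTTP/1.1" 200 15 "-" "Go-http-client/1.1"
"""

# Pattern lists copied from the EQL rule. EQL's ':' operator is a
# case-insensitive wildcard match, so both sides are lower-cased before matching.
UA_PATTERNS = ("Nmap*", "masscan*", "zgrab*", "nuclei*", "nikto*",
               "WPScan*", "whatweb*", "Wappalyzer*", "python-requests*", "Go-http-client*")
PATH_PATTERNS = ("/.git/*", "/phpinfo.php", "/wp-login.php", "/wp-admin/*",
                 "/actuator/*", "/api/version", "/.env", "/server-status", "/CHANGELOG*")

# Tuning allowlist (assumed, not from the page): source networks of scanners the
# internal security team is authorised to run. Hits from here are kept but not alerted.
AUTHORISED_SCANNER_NETS = (ip_network("10.20.0.0/24"),)

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Map one combined-format line onto the ECS fields the rule uses."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {
        "@timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "source.ip": m["ip"],
        "url.path": m["path"].split("?", 1)[0],  # ECS url.path excludes the query string
        "http.response.status_code": int(m["status"]),
        "user_agent.original": m["ua"],
    }


def _matches_any(value: str, patterns) -> bool:
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def matched_clauses(event: dict) -> list:
    """Return the rule clauses (as ECS field names) that this event satisfies."""
    hits = []
    if _matches_any(event["user_agent.original"], UA_PATTERNS):
        hits.append("user_agent.original")
    if _matches_any(event["url.path"], PATH_PATTERNS):
        hits.append("url.path")
    return hits


def _is_authorised(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in AUTHORISED_SCANNER_NETS)


def run_detection(log_text: str):
    """Apply the rule to every line; return (alerts, suppressed_by_allowlist)."""
    alerts, suppressed = [], []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        clauses = matched_clauses(event)
        if not clauses:
            continue
        record = {
            "source.ip": event["source.ip"],
            "url.path": event["url.path"],
            "user_agent.original": event["user_agent.original"],
            "matched": clauses,
        }
        (suppressed if _is_authorised(event["source.ip"]) else alerts).append(record)
    return alerts, suppressed


if __name__ == "__main__":
    found, quiet = run_detection(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['source.ip']} {a['url.path']} matched={a['matched']}")
    for s in quiet:
        print(f"suppressed (authorised scanner) {s['source.ip']} {s['url.path']}")
```

Allowlisted hits are retained instead of discarded so an analyst can still review authorised scanner activity; in Elastic the equivalent tuning is normally a rule exception on source.ip rather than an edit to the query itself. The Googlebot line in the sample does not fire because robots.txt is not among the rule's paths, which is why crawlers mostly appear in the false-positive list only when they walk documented paths that overlap the rule.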

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WhatWeb Technology Fingerprinting Against Test Target

    Expected signal: Web server access logs will show GET requests from the scanning host with WhatWeb user-agent string to various version-revealing paths. Linux audit logs (if auditd configured with network syscall rules) may capture the outbound connections. Sysmon for Linux Event ID 3 (network connection) if deployed.

  2. Test 2: Nmap Service and Version Detection Scan

    Expected signal: IDS/IPS logs showing TCP SYN packets and Nmap probe payloads to target ports. Web server access logs showing requests to HTTP services with Nmap user-agent strings. Network flow data showing port scan pattern (multiple ports from single source in rapid succession).

  3. Test 3: curl-based Version-Revealing Endpoint Enumeration

    Expected signal: Web server access logs showing sequential GET requests to version-revealing paths from the same source IP within seconds of each other. Response codes and byte sizes reveal which endpoints returned content (200 with non-zero size indicates successful disclosure).

  4. Test 4: ExifTool Document Metadata Extraction

    Expected signal: Linux audit logs or Sysmon for Linux on the host running the test will capture the curl network connection and the ExifTool process execution. No victim-side telemetry is generated for this technique — the adversary operates entirely from their own system against publicly accessible files.

  5. Test 5: Nuclei Technology Detection Template Scan

    Expected signal: Web server access logs showing requests with Nuclei user-agent string (nuclei - open-source project) to technology-fingerprinting paths. Request patterns include checks for specific file paths, response headers, and page content that identify installed software. WAF logs will show rule matches for known Nuclei signatures.
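
Test 2's expected signal in network flow data is a port-scan pattern: many distinct destination ports from one source in rapid succession. The Python below is an added example, not part of this page's rule set or of Atomic Red Team; it implements that check as a sliding time window over constructed ECS-style flow records (source.ip, destination.ip, destination.port, @timestamp). The threshold of 10 distinct ports within 5 seconds and all of the flow records are assumptions made for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not captured traffic): (@timestamp, source.ip,
# destination.ip, destination.port). Addresses are RFC 5737 documentation ranges.
SCAN_PORTS = [21, 22, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080, 8443]
FLOWS = (
    # Fast probe: 12 distinct ports on one host within four seconds.
    [(f"2024-05-12T10:05:{i // 3:02d}Z", "203.0.113.7", "192.0.2.10", p)
     for i, p in enumerate(SCAN_PORTS)]
    # Ordinary client: repeated HTTPS connections to a single port.
    + [(f"2024-05-12T10:06:{i:02d}Z", "198.51.100.23", "192.0.2.10", 443)
       for i in range(12)]
    # Slow source: the same 12 ports spread one minute apart.
    + [(f"2024-05-12T11:{i:02d}:00Z", "192.0.2.99", "192.0.2.10", p)
       for i, p in enumerate(SCAN_PORTS)]
)


def detect_port_scans(flows, min_ports=10, window=timedelta(seconds=5)):
    """Flag (source.ip, destination.ip) pairs that touch at least `min_ports`
    distinct destination ports inside any `window`-long span of time.

    Returns {(src, dst): {"first_seen": iso_timestamp, "ports": [sorted ports]}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), port))

    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        recent = deque()        # (timestamp, port) records inside the current window
        in_window = Counter()   # port -> number of records for it inside the window
        for ts, port in events:
            recent.append((ts, port))
            in_window[port] += 1
            # Evict records that fell out of the window relative to this event.
            while recent and ts - recent[0][0] > window:
                _, old_port = recent.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            if len(in_window) >= min_ports:
                hit = findings.setdefault(
                    pair, {"first_seen": recent[0][0].isoformat(), "ports": set()})
                hit["ports"].update(in_window)   # keep accumulating while over threshold

    return {pair: {"first_seen": f["first_seen"], "ports": sorted(f["ports"])}
            for pair, f in findings.items()}


if __name__ == "__main__":
    for (src, dst), info in detect_port_scans(FLOWS).items():
        print(f"port scan pattern: {src} -> {dst} first_seen={info['first_seen']} "
              f"ports={info['ports']}")
```

With the default parameters only the fast probe is reported; the slow source is not, which is the trade-off the window and threshold control. Widening the window to an hour with a 12-port threshold reports the slow source as well, at the cost of more false positives from legitimate multi-service clients, so those two values are the knobs to tune against your own flow telemetry.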

Unlock Pro Content

Get the full detection package for T1592.002 including response playbook, investigation guide, and atomic red team tests.
