T1592.002 Microsoft Sentinel · KQL

Detect Software in Microsoft Sentinel

Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include types and versions on specific hosts, as well as the presence of additional components indicative of defensive protections such as antivirus solutions or SIEMs. Adversaries gather this information via active scanning (banner grabbing, port scanning, HTTP probing for version-revealing endpoints), phishing for information, or by compromising websites to inject JavaScript fingerprinting scripts that collect visitor browser and plugin data. Additionally, adversaries analyze metadata from victim-owned files (PDFs, Office documents, images) hosted on public websites to extract software version information, which can be cross-referenced with known CVEs to identify exploitable attack vectors.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Sub-technique
T1592.002 Software
Canonical reference
https://attack.mitre.org/techniques/T1592/002/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// Known scanner / automation user-agents. has_any is case-insensitive and matches whole
// terms, so one spelling per tool is enough.
let ScannerUserAgents = dynamic([
    "Nmap", "masscan", "zgrab", "zgrab2", "nuclei", "Nikto", "sqlmap",
    "WPScan", "Gobuster", "dirbuster", "feroxbuster",
    "WhatWeb", "Wappalyzer", "Shodan",
    // Generic HTTP clients: expect benign hits from automation and monitoring; tune per estate.
    "python-requests", "Go-http-client", "libwww-perl", "curl/7",
    "HTTPie", "Wget", "Scanner"
]);
// Version-revealing endpoints. Because has_any matches terms rather than exact strings,
// short entries such as "/version" also match longer paths containing that term
// (e.g. "/api/v1/version"), which is intended here.
let VersionProbePaths = dynamic([
    "/.git/", "/.svn/", "/.hg/",
    "/phpinfo.php", "/phpinfo",
    "/wp-login.php", "/wp-admin/", "/wp-includes/", "/readme.html", "/license.txt",
    "/CHANGELOG", "/CHANGELOG.md", "/CHANGELOG.txt",
    "/composer.json", "/package.json", "/package-lock.json",
    "/.env", "/.env.bak", "/.env.local",
    "/config.php", "/config.inc.php", "/configuration.php",
    "/server-status", "/server-info",
    "/actuator", "/actuator/env", "/actuator/info", "/actuator/health", "/actuator/mappings",
    "/api/version", "/version", "/version.txt", "/version.json",
    "/admin/version", "/api/v1/version",
    "/web.config", "/web.xml", "/WEB-INF/web.xml",
    "/crossdomain.xml", "/clientaccesspolicy.xml",
    "/jmx-console", "/manager/html", "/host-manager/html",
    "/elmah.axd", "/trace.axd",
    "/_profiler", "/symfony_profiler"
]);
// Normalise the three log sources to one schema. StatusCode is cast to string in every
// branch: the tables store it with different types, and a union of mismatched types
// would otherwise split the column and break make_set() below.
union isfuzzy=true
(
    W3CIISLog
    | where TimeGenerated > ago(24h)
    | where isnotempty(cIP)
    | extend IsScanner = csUserAgent has_any (ScannerUserAgents)
    | extend IsVersionProbe = csUriStem has_any (VersionProbePaths)
    | where IsScanner or IsVersionProbe
    | project TimeGenerated, SourceIP=cIP, UserAgent=csUserAgent,
              RequestedPath=csUriStem, Method=csMethod,
              StatusCode=tostring(scStatus), BytesSent=tolong(scBytes),
              IsScanner, IsVersionProbe, Source="IIS"
),
(
    AppServiceHTTPLogs
    | where TimeGenerated > ago(24h)
    | where isnotempty(CIp)
    | extend IsScanner = UserAgent has_any (ScannerUserAgents)
    | extend IsVersionProbe = CsUriStem has_any (VersionProbePaths)
    | where IsScanner or IsVersionProbe
    | project TimeGenerated, SourceIP=CIp, UserAgent,
              RequestedPath=CsUriStem, Method=CsMethod,
              StatusCode=tostring(ScStatus), BytesSent=tolong(ScBytes),
              IsScanner, IsVersionProbe, Source="AppService"
),
(
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    // WAF / proxy events. Category and Activity values are vendor-specific; tune to your
    // devices. A regex is used for Activity because has_any matches whole terms only and
    // would miss "Scanning" or "Enumeration".
    | where DeviceEventCategory in ("Web Attack", "Scan", "Reconnaissance", "Policy")
          or Activity matches regex @"(?i)scan|probe|fingerprint|enumerat"
    | extend IsScanner = RequestClientApplication has_any (ScannerUserAgents)
    | extend IsVersionProbe = RequestURL has_any (VersionProbePaths)
    | where IsScanner or IsVersionProbe
    | project TimeGenerated, SourceIP, UserAgent=RequestClientApplication,
              RequestedPath=RequestURL, Method=RequestMethod,
              StatusCode=tostring(EventOutcome), BytesSent=long(null),
              IsScanner, IsVersionProbe, Source=DeviceVendor
)
// Aggregate per source and user-agent, not per flag, so a client's scanner-UA hits and its
// version-probe hits land in the same row and count towards the same thresholds.
| summarize
    RequestCount = count(),
    UniquePaths = dcount(RequestedPath),
    ScannerUAHits = countif(IsScanner),
    VersionProbeHits = countif(IsVersionProbe),
    Paths = make_set(RequestedPath, 30),
    StatusCodes = make_set(StatusCode),
    Methods = make_set(Method),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, UserAgent, Source
| where RequestCount > 5 or UniquePaths > 3
// 1 point for a known scanner user-agent, plus up to 2 for breadth of paths enumerated.
| extend ScannerScore = iff(ScannerUAHits > 0, 1, 0)
                      + iff(UniquePaths > 10, 2, iff(UniquePaths > 5, 1, 0))
| sort by ScannerScore desc, RequestCount desc
Severity: low · Confidence: medium

Detects software fingerprinting and version enumeration against web-facing infrastructure using three Microsoft Sentinel web log sources: IIS logs (W3CIISLog), Azure App Service HTTP logs (AppServiceHTTPLogs) and WAF or firewall events arriving via CommonSecurityLog. Each request is flagged when its user-agent matches a known scanner (Nmap, WPScan, nuclei, WhatWeb and others) or its path targets a version-revealing endpoint (Spring Boot actuator APIs, phpinfo, exposed .git directories, CHANGELOG files, framework admin consoles). Flagged requests are aggregated by source IP and user-agent to surface systematic probing rather than single stray hits, and each group receives a scanner score from the user-agent match plus the breadth of distinct paths enumerated.
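To see what the rule's logic does to concrete requests, here is a Python re-implementation of the same flagging, grouping, threshold and scoring steps, run over constructed W3C-format IIS log lines. This is an added example, not code from the original page or from Microsoft: the `has_any` helper is an approximation of KQL term matching (case-insensitive, whole alphanumeric terms, not substrings), the scanner and path lists are trimmed copies of the rule's lists, and the log lines, IP addresses and user-agents are made up for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of the rule's lists; KQL has_any is case-insensitive, so one spelling each.
SCANNER_USER_AGENTS = [
    "Nmap", "masscan", "zgrab", "nuclei", "Nikto", "sqlmap", "WPScan", "Gobuster",
    "feroxbuster", "WhatWeb", "Wappalyzer", "python-requests", "Go-http-client",
    "libwww-perl", "curl/7", "HTTPie", "Wget",
]
VERSION_PROBE_PATHS = [
    "/.git/", "/.svn/", "/phpinfo.php", "/wp-login.php", "/readme.html", "/.env",
    "/composer.json", "/config.php", "/server-status", "/actuator", "/actuator/env",
    "/version", "/web.config", "/manager/html", "/elmah.axd", "/trace.axd",
]

_TERM = re.compile(r"[A-Za-z0-9]+")

def terms(text: str) -> list[str]:
    """Lower-cased alphanumeric terms, the unit KQL `has` matches on."""
    return [t.lower() for t in _TERM.findall(text)]

def has_any(text: str, needles: list[str]) -> bool:
    """Approximation of KQL has_any: a needle matches when its term sequence occurs as a
    contiguous run of whole terms in text, so "/.git/" matches "/.git/config" but not
    "/gitlab", and "curl/7" matches "curl/7.88.1"."""
    hay = terms(text)
    for needle in needles:
        n = terms(needle)
        if n and any(hay[i:i + len(n)] == n for i in range(len(hay) - len(n) + 1)):
            return True
    return False

def parse_w3c(log_text: str) -> list[dict[str, str]]:
    """Parse W3C extended log lines (IIS format); a '#Fields:' directive names the columns."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        else:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                rows.append(dict(zip(fields, values)))
    return rows

@dataclass
class Finding:
    source_ip: str
    user_agent: str
    request_count: int
    unique_paths: int
    scanner_ua_hits: int
    version_probe_hits: int
    status_codes: list[str]
    scanner_score: int

def detect(rows: list[dict[str, str]], min_requests: int = 5, min_paths: int = 3) -> list[Finding]:
    """Mirror the KQL: flag rows, group by (client IP, user-agent), threshold, score, sort."""
    groups: dict[tuple[str, str], list[tuple[str, str, bool, bool]]] = defaultdict(list)
    for r in rows:
        ua, path = r.get("cs(User-Agent)", "-"), r.get("cs-uri-stem", "")
        is_scanner = has_any(ua, SCANNER_USER_AGENTS)
        is_probe = has_any(path, VERSION_PROBE_PATHS)
        if is_scanner or is_probe:  # the per-row `where IsScanner or IsVersionProbe`
            groups[(r["c-ip"], ua)].append((path, r.get("sc-status", ""), is_scanner, is_probe))
    findings = []
    for (ip, ua), hits in groups.items():
        count, unique = len(hits), len({h[0] for h in hits})
        if not (count > min_requests or unique > min_paths):
            continue  # below the `RequestCount > 5 or UniquePaths > 3` threshold
        scanner_hits = sum(h[2] for h in hits)
        breadth = 2 if unique > 10 else 1 if unique > 5 else 0
        findings.append(Finding(ip, ua, count, unique, scanner_hits, sum(h[3] for h in hits),
                                sorted({h[1] for h in hits}), int(scanner_hits > 0) + breadth))
    return sorted(findings, key=lambda f: (-f.scanner_score, -f.request_count))

# Constructed sample log (IIS writes '+' for spaces inside the user-agent field).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2024-05-01 10:00:01 10.0.0.5 GET /actuator/env - 443 - 203.0.113.7 python-requests/2.31.0 404 1245
2024-05-01 10:00:01 10.0.0.5 GET /actuator/info - 443 - 203.0.113.7 python-requests/2.31.0 404 1245
2024-05-01 10:00:02 10.0.0.5 GET /.env - 443 - 203.0.113.7 python-requests/2.31.0 404 1245
2024-05-01 10:00:02 10.0.0.5 GET /.git/config - 443 - 203.0.113.7 python-requests/2.31.0 404 1245
2024-05-01 10:00:03 10.0.0.5 GET /server-status - 443 - 203.0.113.7 python-requests/2.31.0 403 312
2024-05-01 10:00:03 10.0.0.5 GET /readme.html - 443 - 203.0.113.7 python-requests/2.31.0 200 7278
2024-05-01 10:01:10 10.0.0.5 GET / - 443 - 192.0.2.9 WhatWeb/0.5.5 200 5120
2024-05-01 10:01:11 10.0.0.5 GET /readme.html - 443 - 192.0.2.9 WhatWeb/0.5.5 200 7278
2024-05-01 10:02:00 10.0.0.5 GET / - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/124.0 200 5120
2024-05-01 10:02:05 10.0.0.5 GET /version - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/124.0 404 1245
"""

if __name__ == "__main__":
    for finding in detect(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Only 203.0.113.7 survives: six flagged requests across six distinct paths clears the count threshold and earns one breadth point on top of the scanner user-agent point. The WhatWeb host is correctly flagged per request but, with only two requests, stays under both thresholds, and the browser that happened to hit /version once is dropped the same way; that is the trade-off the thresholds make between noise and slow, low-volume probing.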

Data Sources

Network Traffic: Network Traffic Content
Application Log: Application Log Content
Tables: W3CIISLog, AppServiceHTTPLogs, CommonSecurityLog

Required Tables

W3CIISLog
AppServiceHTTPLogs
CommonSecurityLog

False Positives & Tuning

  • Legitimate vulnerability scanners operated by internal security teams or authorized third-party penetration testers; allow-list their source addresses and the agreed scan windows rather than the user-agents, which attackers can copy
  • Commercial security rating services (SecurityScorecard, BitSight) that continuously probe public-facing infrastructure from known source addresses
  • Uptime monitoring and synthetic transaction services (Pingdom, UptimeRobot, Datadog Synthetics) using identifiable user-agents
  • Search engine crawlers (Googlebot, Bingbot) accessing robots.txt, sitemap.xml, and publicly documented paths
  • Web application testing during SDLC pipelines where developers run automated scans in staging environments mirroring production
  • Generic client strings in the scanner list (curl, Wget, python-requests, Go-http-client) are also used by legitimate automation; if they dominate your results, raise the RequestCount and UniquePaths thresholds or drop them from the list and rely on path enumeration alone

Testing Methodology

Validate this detection against the five adversary emulation tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see on the target and, where relevant, on the scanning host.

  1. Test 1: WhatWeb Technology Fingerprinting Against Test Target

    Expected signal: Web server access logs will show GET requests from the scanning host carrying the WhatWeb user-agent string (WhatWeb/<version> by default) to various version-revealing paths. Linux audit logs (if auditd is configured with network syscall rules) may capture the outbound connections. Sysmon for Linux Event ID 3 (network connection) if deployed.

  2. Test 2: Nmap Service and Version Detection Scan

    Expected signal: IDS/IPS logs showing TCP SYN packets and Nmap probe payloads to target ports. Network flow data showing a port-scan pattern (multiple ports from a single source in rapid succession). Note that the built-in HTTP probe used by -sV sends a bare GET / with no User-Agent header, so the user-agent part of this rule only fires when NSE http scripts run (their default user-agent identifies the Nmap Scripting Engine); the path-based part fires on whatever version-revealing paths those scripts request.

  3. Test 3: curl-based Version-Revealing Endpoint Enumeration

    Expected signal: Web server access logs showing sequential GET requests to version-revealing paths from the same source IP within seconds of each other, with a curl/<version> user-agent unless overridden. Response codes and byte sizes reveal which endpoints returned content (200 with a non-zero size indicates successful disclosure).

  4. Test 4: ExifTool Document Metadata Extraction

    Expected signal: On the adversary's own host, Linux audit logs or Sysmon for Linux will capture the curl network connection and the ExifTool process execution. On the victim side the only trace is the ordinary download of the public file in the web server access log; the metadata parsing itself happens offline and generates no telemetry, so this rule can only catch the fetch when it is part of a broader probing pattern.

  5. Test 5: Nuclei Technology Detection Template Scan

    Expected signal: Web server access logs showing requests with the Nuclei user-agent string (nuclei - open-source project, unless the operator overrides the header) to technology-fingerprinting paths. Request patterns include checks for specific file paths, response headers, and page content that identify installed software. WAF logs will show rule matches for known Nuclei signatures.
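The technique description above mentions metadata in publicly hosted documents as a source of software version information, and Test 4 exercises it with ExifTool. The following Python, added here as an example and not part of the original page or of ExifTool, shows what actually leaks: it reads the Producer and Creator strings from a PDF Info dictionary and the Application, AppVersion and Company values from an Office (OOXML) package. The sample PDF and DOCX are constructed in memory and deliberately minimal; real files additionally need handling for hex-encoded PDF strings and compressed object streams, which this parser does not attempt.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal PDF: the Info dictionary (object 3) names the producing software.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Producer (LibreOffice 7.6) /Creator (Writer) /CreationDate (D:20240501100000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

PDF_INFO_KEYS = ("Producer", "Creator")
# Literal string value: '(' ... ')' with backslash escapes allowed inside.
_PDF_LITERAL = {k: re.compile(rb"/" + k.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)") for k in PDF_INFO_KEYS}

def pdf_metadata(data: bytes) -> dict[str, str]:
    """Return /Producer and /Creator from an uncompressed PDF Info dictionary.
    Hex strings (<...>) and Info dicts inside compressed object streams are not handled."""
    found: dict[str, str] = {}
    for key, pattern in _PDF_LITERAL.items():
        m = pattern.search(data)
        if m:
            value = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
            found[key] = value.decode("latin-1")
    return found

APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def build_sample_docx() -> bytes:
    """Constructed minimal OOXML package containing only the docProps/app.xml part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/app.xml",
                   f'<?xml version="1.0" encoding="UTF-8"?><Properties xmlns="{APP_NS}">'
                   '<Application>Microsoft Office Word</Application>'
                   '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company>'
                   '</Properties>')
    return buf.getvalue()

def ooxml_metadata(data: bytes) -> dict[str, str]:
    """Return Application, AppVersion and Company from docProps/app.xml (DOCX/XLSX/PPTX)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "docProps/app.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/app.xml"))
    found: dict[str, str] = {}
    for tag in ("Application", "AppVersion", "Company"):
        el = root.find(f"{{{APP_NS}}}{tag}")
        if el is not None and el.text:
            found[tag] = el.text.strip()
    return found

def document_software(data: bytes) -> dict[str, str]:
    """Dispatch on the file signature and return whatever software strings the file leaks."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):  # ZIP container: DOCX, XLSX, PPTX
        return ooxml_metadata(data)
    return {}

if __name__ == "__main__":
    for name, blob in (("report.pdf", SAMPLE_PDF), ("memo.docx", build_sample_docx())):
        print(name, document_software(blob))
```

Run against a directory of documents mirrored from a public site, the output is a list of producing applications and versions (the AppVersion value maps to an Office release line) that an adversary can compare against known vulnerabilities; the same script run by the defender against their own published files shows what to scrub before upload.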
