T1592.004 Client Configurations Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ScanBoxCollectionPaths = dynamic([
  "/fp.php", "/gate.php", "/collect.php", "/plugin.php",
  "/log.php", "/track.php", "/config.php", "/init.php",
  "/js.php", "/stat.php"
]);
let KnownAnalyticsDomains = dynamic([
  "google-analytics.com", "analytics.google.com", "mixpanel.com",
  "amplitude.com", "segment.io", "segment.com",
  "hotjar.com", "fullstory.com", "newrelic.com", "dynatrace.com"
]);
// Branch 1: ScanBox-style JavaScript fingerprinting POST exfiltration via proxy/firewall
let ScanBoxExfil = CommonSecurityLog
| where TimeGenerated > ago(24h)
| where RequestMethod == "POST"
| where RequestURL has_any (ScanBoxCollectionPaths)
| where not (DestinationHostName has_any (KnownAnalyticsDomains))
| where not (DestinationHostName endswith ".internal"
          or DestinationHostName endswith ".corp"
          or DestinationHostName endswith ".local")
| extend DetectionBranch = "ScanBox_POST_Exfiltration"
| extend RiskScore = case(
    RequestURL has_any ("/fp.php", "/gate.php", "/collect.php"), 3,
    RequestURL has_any ("/plugin.php", "/log.php", "/track.php"), 2,
    1
  )
| project TimeGenerated, SourceIP, SourceUserName, DestinationHostName,
          RequestURL, RequestMethod, DeviceAction, DetectionBranch, RiskScore;
// Branch 2: Office 365 tenant configuration enumeration via non-browser clients (HAFNIUM pattern)
let O365TenantEnum = SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName has_any ("Office 365", "Microsoft Office 365",
    "Office 365 Management APIs", "Azure Active Directory",
    "Microsoft Graph", "Azure Active Directory Graph")
| extend UserAgentLower = tolower(UserAgent)
| extend IsAutomatedClient = UserAgent has_any (
    "python", "curl/", "Go-http-client", "libwww-perl",
    "Invoke-WebRequest", "powershell", "okhttp", "axios",
    "java/", "Apache-HttpClient", "HttpClient", "requests/"
  )
| where IsAutomatedClient == true
| extend DetectionBranch = "O365_Tenant_Config_Enum"
| extend RiskScore = case(
    RiskLevelDuringSignIn in ("high"), 3,
    RiskLevelDuringSignIn in ("medium"), 2,
    UserAgent has_any ("python", "curl/", "Go-http-client"), 2,
    1
  )
| extend GeoCountry = tostring(LocationDetails.countryOrRegion)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          UserAgent, ResultType, RiskLevelDuringSignIn,
          GeoCountry, DetectionBranch, RiskScore;
union ScanBoxExfil, O365TenantEnum
| sort by RiskScore desc, TimeGenerated desc

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content Microsoft Azure Active Directory: Logon Session

Required Tables

CommonSecurityLog SigninLogs

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

Splunk

spl

index=proxy OR index=web
  (sourcetype="bluecoat:proxysg:access:kv" OR sourcetype="cisco:wsa:squid:native" OR sourcetype="stream:http")
  http_method=POST
  (uri_path="/fp.php" OR uri_path="/gate.php" OR uri_path="/collect.php"
   OR uri_path="/plugin.php" OR uri_path="/log.php" OR uri_path="/track.php"
   OR uri_path="/init.php" OR uri_path="/stat.php")
  NOT (site="*.google.com" OR site="*.google-analytics.com" OR site="*.microsoft.com"
       OR site="*.amplitude.com" OR site="*.mixpanel.com" OR site="*.segment.io"
       OR site="*.newrelic.com" OR site="*.hotjar.com" OR site="*.internal"
       OR site="*.corp" OR site="*.local")
| eval detection_branch="ScanBox_POST_Exfiltration"
| eval risk_score=0
| eval risk_score=risk_score+if(match(uri_path, "(\/fp\.php|\/gate\.php|\/collect\.php)"), 3, 0)
| eval risk_score=risk_score+if(match(uri_path, "(\/plugin\.php|\/log\.php|\/track\.php)"), 2, 0)
| eval risk_score=risk_score+if(match(cs_uri_query, "(platform|timezone|language|screen|hardware|cpu|arch|resolution)"), 2, 0)
| eval risk_score=risk_score+if(match(cs_referer, "(news|media|blog|forum|watering)"), 1, 0)
| where risk_score >= 2
| table _time, src_ip, cs_username, site, uri_path, cs_uri_query, cs_referer, http_method, sc_status, detection_branch, risk_score
| sort - risk_score
| appendcols [
    search index=o365 sourcetype="o365:management:activity" Workload=AzureActiveDirectory
      (Operation="UserLoginFailed" OR Operation="UserLoggedIn" OR Operation="Add service principal credentials")
    | eval detection_branch="O365_Tenant_Config_Enum"
    | eval user_agent_lower=lower(UserAgent)
    | eval is_automated=if(match(user_agent_lower, "(python|curl\/|go-http-client|libwww-perl|powershell|okhttp|axios|java\/|apache-httpclient|requests\/)"), 1, 0)
    | where is_automated=1
    | eval risk_score=0
    | eval risk_score=risk_score+if(match(user_agent_lower, "(python|curl\/|go-http-client)"), 2, 0)
    | eval risk_score=risk_score+if(ResultStatus="Failed", 1, 0)
    | eval risk_score=risk_score+if(match(user_agent_lower, "(powershell|libwww-perl|axios)"), 1, 0)
    | where risk_score >= 2
    | table _time, UserId, ClientIP, UserAgent, Operation, ResultStatus, detection_branch, risk_score
    | sort - risk_score
]

medium severity low confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Web Proxy Logs Office 365 Management Activity Audit Logs

Required Sourcetypes

bluecoat:proxysg:access:kv cisco:wsa:squid:native stream:http o365:management:activity

False Positives

Web A/B testing and conversion optimization platforms (Optimizely, VWO, Crazy Egg) POST client telemetry to similarly structured collection endpoints — add their domains to the exclusion list
CDN and DDoS protection providers (Cloudflare, Akamai, Fastly) perform browser integrity checks that generate POST requests to challenge endpoints with paths matching collection endpoint patterns
Internal vulnerability management scanners (Qualys, Tenable, Rapid7) running authenticated web application scans will POST to PHP/script-based endpoints and generate risk-scored events
Legitimate Azure DevOps pipelines, GitHub Actions, and CI/CD automation using Python or Go to interact with Office 365 APIs will appear as automated client enumeration in the O365 branch

Elastic Security (EQL)

eql

// T1592.004 — Client Configurations Fingerprinting
any where event.dataset : "azure.signinlogs"
  and user_agent.original : (
    "python*", "curl/*", "Go-http-client*", "libwww-perl*",
    "Invoke-WebRequest*", "*powershell*", "okhttp*"
  )
  and azure.signinlogs.properties.app_display_name : (
    "Office 365", "Microsoft Graph", "Azure Active Directory*"
  )

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%python%' OR LOWER("useragent") ILIKE '%go-http-client%' OR LOWER("useragent") ILIKE '%curl/%' AND LOWER("appname") ILIKE '%azure active directory%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%python%' OR LOWER("useragent") ILIKE '%go-http-client%' OR LOWER("useragent") ILIKE '%curl/%' AND LOWER("appname") ILIKE '%azure active directory%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

Sumo Logic CSE

sql

_sourceCategory=*azure* OR _sourceCategory=*aad*
| json auto
| where isNotNull(userPrincipalName)
| count by userPrincipalName, ipAddress, appDisplayName
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

azure/activedirectory azure/signinlogs

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

Google Chronicle / SecOps

yaral

rule t1592_004_client_configurations {
  meta:
    author = "df00tech"
    description = "Detects Client Configurations (T1592.004)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1592.004"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

USER_LOGIN USER_RESOURCE_ACCESS

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| groupBy([RemoteAddressIP4], function=count(as=TotalConns))
| TotalConns > 100
| TechniqueLabel := "T1592.004 - Reconnaissance"
| table([@timestamp, RemoteAddressIP4, TotalConns, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known

Client Configurations

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections