T1592.004 CrowdStrike LogScale · LogScale

Detect Client Configurations in CrowdStrike LogScale

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (32 or 64 bit), language, and/or time zone. Adversaries gather this information via active scanning (listening ports, server banners, user agent strings), phishing for information, or by compromising sites to deploy malicious JavaScript frameworks such as ScanBox that collect host information from visitors. HAFNIUM has used this technique to interact with Office 365 tenants to gather details about target environments. Collected client configuration data enables adversaries to select targeted exploits, craft convincing phishing lures, identify vulnerable software versions, and tailor payloads to victim architectures.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Sub-technique
T1592.004 Client Configurations
Canonical reference
https://attack.mitre.org/techniques/T1592/004/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
// Outbound connections whose remote address is outside RFC 1918 / loopback space
#event_simpleName in ["NetworkConnectIP4", "NetworkConnectIP6"]
| not RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
// Note: IPv6 events carry RemoteAddressIP6 rather than RemoteAddressIP4, so they
// fall out of the groupBy below; extend the key if IPv6 coverage is required.
// @timestamp does not survive groupBy, so the latest connection time is kept
// explicitly as LastSeen.
| groupBy([RemoteAddressIP4], function=[count(as=TotalConns), max(@timestamp, as=LastSeen)])
| TotalConns > 100
| TechniqueLabel := "T1592.004 - Reconnaissance"
| table([LastSeen, RemoteAddressIP4, TotalConns, TechniqueLabel])
```

Severity: medium · Confidence: low

CrowdStrike LogScale (Falcon) CQL detection for Client Configurations (T1592.004). Uses CrowdStrike event simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.
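To check the pipeline's behaviour offline, the following is an added example (not CrowdStrike's code and not part of this page's rule) that reimplements the query's logic in Python and runs it over constructed Falcon-style network-connect events. It goes slightly beyond the CQL above: it groups on whichever of RemoteAddressIP4 / RemoteAddressIP6 is present, so IPv6 events are counted instead of silently dropped, and it excludes IPv6 loopback, ULA and link-local ranges as the assumed analogues of the IPv4 ranges the regex excludes. The event dictionary shape, the `timestamp` key and all sample addresses and times are assumptions for the example.

```python
# Added example (not CrowdStrike's or the page's own code): the page's LogScale
# aggregation reimplemented in Python and run over constructed Falcon-style
# network-connect events, so the threshold, the internal-range exclusion and
# the IPv4/IPv6 field difference can be checked offline.
import ipaddress
from collections import defaultdict

# Ranges the page's regex excludes (RFC 1918 and loopback). The IPv6 entries
# are an assumption: the rule's natural analogues for IPv6 events.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

TECHNIQUE_LABEL = "T1592.004 - Reconnaissance"


def is_internal(addr: str) -> bool:
    """True when addr lies in a range the rule treats as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed value: keep it visible rather than drop it
    return any(ip in net for net in INTERNAL_NETS)


def remote_address(event: dict):
    """IPv4 events carry RemoteAddressIP4, IPv6 events RemoteAddressIP6.
    The page's query groups on RemoteAddressIP4 only, which discards IPv6
    events; grouping on whichever field is present keeps them."""
    return event.get("RemoteAddressIP4") or event.get("RemoteAddressIP6")


def aggregate_external_connections(events, threshold=100):
    """Equivalent of the page's groupBy / count / TotalConns > 100 pipeline.
    Returns one row per external address above the threshold, busiest first."""
    counts = defaultdict(int)
    last_seen = {}
    for ev in events:
        if ev.get("event_simpleName") not in ("NetworkConnectIP4", "NetworkConnectIP6"):
            continue
        addr = remote_address(ev)
        if addr is None or is_internal(addr):
            continue
        counts[addr] += 1
        last_seen[addr] = max(last_seen.get(addr, 0), ev["timestamp"])
    rows = [
        {"RemoteAddress": a, "TotalConns": n, "LastSeen": last_seen[a],
         "TechniqueLabel": TECHNIQUE_LABEL}
        for a, n in counts.items() if n > threshold
    ]
    return sorted(rows, key=lambda r: r["TotalConns"], reverse=True)


def _burst(n, simple_name, field, addr, start_ts):
    """Build n constructed events to one address, one second apart."""
    return [{"event_simpleName": simple_name, field: addr, "timestamp": start_ts + i}
            for i in range(n)]


# Constructed sample telemetry: documentation address ranges, made-up epoch times.
SAMPLE_EVENTS = (
    _burst(150, "NetworkConnectIP4", "RemoteAddressIP4", "203.0.113.10", 1_700_000_000)
    + _burst(120, "NetworkConnectIP4", "RemoteAddressIP4", "192.168.1.20", 1_700_000_000)  # internal, excluded
    + _burst(101, "NetworkConnectIP6", "RemoteAddressIP6", "2001:db8::1", 1_700_000_500)   # IPv6, kept here
    + _burst(40, "NetworkConnectIP4", "RemoteAddressIP4", "198.51.100.7", 1_700_000_000)   # below threshold
    + [{"event_simpleName": "ProcessRollup2", "timestamp": 1_700_000_000}]                  # wrong event type
)

if __name__ == "__main__":
    for row in aggregate_external_connections(SAMPLE_EVENTS):
        print(row)
```

Run against the sample set, only the 203.0.113.10 burst (150 connections) and the IPv6 burst (101) survive; the 192.168.1.20 traffic is excluded as internal and 198.51.100.7 stays under the threshold. The IPv6 row is exactly what the CQL above would miss, which is the reason to key on both address fields when the rule is deployed.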

Data Sources

CrowdStrike Falcon
CrowdStrike LogScale

Required Tables

ProcessRollup2

False Positives & Tuning

  • Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
  • Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
  • Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
  • Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known


Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Browser Client Configuration Fingerprinting Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'POST', and '/collect.php'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (connection fails — no listener). PowerShell ScriptBlock Log Event ID 4104 showing the fingerprint assembly and POST attempt. If traffic routed through proxy: CommonSecurityLog entry showing POST to /collect.php with 127.0.0.1 destination.

  2. Test 2: Office 365 Tenant Configuration Enumeration via OpenID Connect Discovery

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest' and 'openid-configuration'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS CONNECT to login.microsoftonline.com with Windows PowerShell user agent string.

  3. Test 3: WMI System Configuration Collection Matching ScanBox Target Data

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI-related command line. Sysmon Event ID 11: File Create for t1592004_config.json in %TEMP%. WMI activity in Microsoft-Windows-WMI-Activity/Operational (Event IDs 5857, 5858) for Win32_OperatingSystem, Win32_Processor, Win32_TimeZone, and Win32_ComputerSystem queries. Windows Security Event ID 4688 (with command line auditing) showing powershell.exe execution.

  4. Test 4: HTTP User-Agent Client Configuration Passive Collection (Linux)

    Expected signal: Linux audit logs (auditd): execve syscalls for python3 and curl. Syslog: process creation for python3 HTTP listener. If Sysmon for Linux is deployed: Event ID 3 (Network Connection) for TCP bind on port 18889 and the curl connection. The collected output shows User-Agent encoding 'Windows NT 10.0; Win64; x64' — OS type, version, and architecture in a single header.

  5. Test 5: Azure AD Tenant Client Configuration Enumeration via Scripted User Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'System.Net.Http', 'HttpClient', and 'python-requests'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443 with initiating process powershell.exe. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS request to login.microsoftonline.com with User-Agent 'python-requests/2.31.0' from a Windows host — anomalous cross-platform user-agent spoofing.
