
Detect Client Configurations in IBM QRadar

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (32 or 64 bit), language, and/or time zone. Adversaries gather this information via active scanning (listening ports, server banners, user agent strings), phishing for information, or by compromising sites to deploy malicious JavaScript frameworks such as ScanBox that collect host information from visitors. HAFNIUM has used this technique to interact with Office 365 tenants to gather details about target environments. Collected client configuration data enables adversaries to select targeted exploits, craft convincing phishing lures, identify vulnerable software versions, and tailor payloads to victim architectures.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Sub-technique
T1592.004 Client Configurations
Canonical reference
https://attack.mitre.org/techniques/T1592/004/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN ("useragent" ILIKE '%python%' OR "useragent" ILIKE '%go-http-client%' OR "useragent" ILIKE '%curl/%')
             AND "appname" ILIKE '%azure active directory%' THEN 8
        ELSE 4
    END AS "RiskScore"
FROM events
WHERE ("useragent" ILIKE '%python%' OR "useragent" ILIKE '%go-http-client%' OR "useragent" ILIKE '%curl/%')
  AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURS
Severity: medium · Confidence: low

QRadar AQL detection for Client Configurations (T1592.004). The SQL-like query reads the QRadar events store and keys on scripted HTTP client user agents (Python libraries, Go's default HTTP client, curl) that adversaries use to probe tenant and host configuration. Risk scoring is layered on top: a scripted client talking to Azure Active Directory scores 8, any other scripted client scores 4. Note that AQL's ILIKE is already case-insensitive, so the user-agent and application-name comparisons need no LOWER() wrapper, and that AND binds tighter than OR, so the user-agent alternatives must be parenthesised before the application-name condition is applied. Internal SIM Audit and Custom Rule Engine log sources are filtered out as noise.
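To make the scoring and filtering logic concrete, the following Python mirrors the query over a handful of event rows. This is an added example, not code from the page or from IBM: the sample rows are constructed to resemble the QRadar `events` columns the query reads, and the `clientappid` field together with the `KNOWN_APP_IDS` allowlist are hypothetical additions that implement the tuning advice of excluding registered service-principal integrations by application client ID.

```python
"""Python mirror of the QRadar AQL detection for T1592.004 (added example, not the page's own code)."""

# Constructed sample rows shaped like the QRadar "events" columns the AQL query reads.
SAMPLE_EVENTS = [
    {"username": "svc-backup", "sourceip": "10.1.2.3", "clientappid": "00000000-0000-0000-0000-00000000aaaa",
     "useragent": "python-requests/2.31.0", "appname": "Azure Active Directory",
     "logsourcetype": "Microsoft Office 365"},
    {"username": "jdoe", "sourceip": "10.1.2.4", "clientappid": "",
     "useragent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
     "appname": "Azure Active Directory", "logsourcetype": "Microsoft Office 365"},
    {"username": "ci-runner", "sourceip": "10.9.0.5", "clientappid": "",
     "useragent": "Go-http-client/1.1", "appname": "Exchange Online",
     "logsourcetype": "Microsoft Office 365"},
    {"username": "admin", "sourceip": "10.0.0.1", "clientappid": "",
     "useragent": "curl/8.4.0", "appname": "Azure Active Directory",
     "logsourcetype": "SIM Audit"},
    {"username": "svc-sync", "sourceip": "10.1.2.9", "clientappid": "11111111-2222-3333-4444-555555555555",
     "useragent": "python-requests/2.31.0", "appname": "Azure Active Directory",
     "logsourcetype": "Microsoft Office 365"},
]

# Same substrings the AQL ILIKE clauses match on (ILIKE is case-insensitive, hence lower() below).
SCRIPTED_UA_MARKERS = ("python", "go-http-client", "curl/")
# Log source types the AQL query excludes as internal QRadar noise.
EXCLUDED_LOG_SOURCE_TYPES = {"SIM Audit", "Custom Rule Engine"}
# Hypothetical allowlist of registered application client IDs (tuning hook, not in the query).
KNOWN_APP_IDS = {"11111111-2222-3333-4444-555555555555"}


def is_scripted_user_agent(useragent):
    """True when the user agent carries any of the scripted-client markers."""
    ua = (useragent or "").lower()
    return any(marker in ua for marker in SCRIPTED_UA_MARKERS)


def targets_azure_ad(appname):
    """True when the event's application name is Azure Active Directory."""
    return "azure active directory" in (appname or "").lower()


def risk_score(event):
    """8 for a scripted client talking to Azure AD, 4 for any other scripted client."""
    if is_scripted_user_agent(event["useragent"]) and targets_azure_ad(event["appname"]):
        return 8
    return 4


def run_detection(events, allowlisted_app_ids=KNOWN_APP_IDS):
    """Apply the WHERE filters, score each hit and return hits ordered by RiskScore descending."""
    hits = []
    for ev in events:
        if ev["logsourcetype"] in EXCLUDED_LOG_SOURCE_TYPES:
            continue  # internal QRadar log sources are excluded as in the AQL
        if not is_scripted_user_agent(ev["useragent"]):
            continue  # browser and other non-scripted clients never match
        if ev.get("clientappid") in allowlisted_app_ids:
            continue  # known service-principal integration, tuned out
        hits.append({**ev, "RiskScore": risk_score(ev)})
    return sorted(hits, key=lambda h: h["RiskScore"], reverse=True)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["username"], hit["useragent"], hit["appname"])
```

Running it lists two hits: `svc-backup` at score 8 (Python client against Azure AD) and `ci-runner` at score 4 (Go client against Exchange Online). The browser session, the SIM Audit row and the allowlisted `svc-sync` integration are dropped, which is the behaviour the false-positive notes below ask for.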

Data Sources

QRadar SIEM
Windows Security Events
Network Firewall Logs
Syslog

Required Tables

events

False Positives & Tuning

  • Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch
  • Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events
  • Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints
  • Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Browser Client Configuration Fingerprinting Simulation

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'POST', and '/collect.php'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (connection fails — no listener). PowerShell ScriptBlock Log Event ID 4104 showing the fingerprint assembly and POST attempt. If traffic routed through proxy: CommonSecurityLog entry showing POST to /collect.php with 127.0.0.1 destination.

  2. Test 2: Office 365 Tenant Configuration Enumeration via OpenID Connect Discovery

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest' and 'openid-configuration'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS CONNECT to login.microsoftonline.com with Windows PowerShell user agent string.

  3. Test 3: WMI System Configuration Collection Matching ScanBox Target Data

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI-related command line. Sysmon Event ID 11: File Create for t1592004_config.json in %TEMP%. WMI activity in Microsoft-Windows-WMI-Activity/Operational (Event IDs 5857, 5858) for Win32_OperatingSystem, Win32_Processor, Win32_TimeZone, and Win32_ComputerSystem queries. Windows Security Event ID 4688 (with command line auditing) showing powershell.exe execution.

  4. Test 4: HTTP User-Agent Client Configuration Passive Collection (Linux)

    Expected signal: Linux audit logs (auditd): execve syscalls for python3 and curl. Syslog: process creation for python3 HTTP listener. If Sysmon for Linux is deployed: Event ID 3 (Network Connection) for TCP bind on port 18889 and the curl connection. The collected output shows User-Agent encoding 'Windows NT 10.0; Win64; x64' — OS type, version, and architecture in a single header.

  5. Test 5: Azure AD Tenant Client Configuration Enumeration via Scripted User Agent

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'System.Net.Http', 'HttpClient', and 'python-requests'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443 with initiating process powershell.exe. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS request to login.microsoftonline.com with User-Agent 'python-requests/2.31.0' from a Windows host — anomalous cross-platform user-agent spoofing.
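Tests 4 and 5 both turn on what a User-Agent string discloses (OS type, version and architecture) and on the mismatch between a scripted user agent and the process that actually sent it. The Python below, an added example and not part of the original page or of Atomic Red Team, parses a User-Agent into those fields and flags a scripted client family emitted by an unexpected process image. The sample proxy-style records and the family-to-process mapping are constructed assumptions; extend the mapping from your own telemetry.

```python
import re

# Product token at the start of a User-Agent, e.g. "python-requests/2.31.0" or "curl/8.4.0".
_PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)/([\w.]+)")
# Platform hints browser-style user agents carry in their parenthesised comment.
_OS_PATTERNS = [
    (re.compile(r"Windows NT (\d+\.\d+)"), "windows"),
    (re.compile(r"Mac OS X (\d+[_.]\d+(?:[_.]\d+)?)"), "macos"),
    (re.compile(r"Android (\d+(?:\.\d+)*)"), "android"),  # before Linux: Android UAs also say Linux
    (re.compile(r"\bLinux\b"), "linux"),
]
_ARCH_TOKENS = [("Win64; x64", "x64"), ("x86_64", "x64"), ("WOW64", "x64"),
                ("aarch64", "arm64"), ("arm64", "arm64")]

# Constructed mapping: scripted client families and the process images that normally emit them.
# An empty set means "no fixed image", so that family is never flagged.
EXPECTED_PROCESS_FOR_FAMILY = {
    "python-requests": {"python.exe", "python3", "python"},
    "python-urllib": {"python.exe", "python3", "python"},
    "curl": {"curl.exe", "curl"},
    "go-http-client": set(),
}

# Constructed proxy-style records: (host, initiating process image, user agent).
SAMPLE_CONNECTIONS = [
    ("ws-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "python-requests/2.31.0"),
    ("build-01", "/usr/bin/python3", "python-requests/2.31.0"),
    ("ws-017", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"),
    ("ws-042", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Go-http-client/1.1"),
]


def parse_user_agent(ua):
    """Split a User-Agent into product family/version and the OS, OS version and architecture it declares."""
    ua = ua or ""
    info = {"family": None, "version": None, "os": None, "os_version": None, "arch": None}
    m = _PRODUCT_RE.match(ua)
    if m:
        info["family"], info["version"] = m.group(1).lower(), m.group(2)
    for pattern, os_name in _OS_PATTERNS:
        m = pattern.search(ua)
        if m:
            info["os"] = os_name
            info["os_version"] = m.group(1) if m.groups() else None
            break
    for token, arch in _ARCH_TOKENS:
        if token in ua:
            info["arch"] = arch
            break
    return info


def is_spoofed_scripted_client(ua, process_image):
    """True when a scripted-client UA was sent by a process that does not normally produce it."""
    family = parse_user_agent(ua)["family"]
    expected = EXPECTED_PROCESS_FOR_FAMILY.get(family)
    if not expected:
        return False  # not a scripted family we model, or one with no fixed process image
    image = re.split(r"[\\/]", process_image)[-1].lower()
    return image not in expected


def find_spoofed(connections):
    """Return the hosts whose connections show a scripted UA from an unexpected process."""
    return sorted({host for host, image, ua in connections if is_spoofed_scripted_client(ua, image)})


if __name__ == "__main__":
    print(parse_user_agent("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"))
    print("spoofed on:", find_spoofed(SAMPLE_CONNECTIONS))
```

The browser UA parses to Windows 10.0 on x64, which is exactly the OS/version/architecture triple Test 4 expects to see leaked in a single header. Of the sample connections only `ws-042` is flagged: `python-requests` from `powershell.exe` is the cross-platform spoof described in Test 5, whereas the same UA from `/usr/bin/python3` and the Go client (no fixed process image) are not.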
