Detect Client Configurations in Splunk
Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (32 or 64 bit), language, and/or time zone. Adversaries gather this information via active scanning (listening ports, server banners, user agent strings), phishing for information, or by compromising sites to deploy malicious JavaScript frameworks such as ScanBox that collect host information from visitors. HAFNIUM has used this technique to interact with Office 365 tenants to gather details about target environments. Collected client configuration data enables adversaries to select targeted exploits, craft convincing phishing lures, identify vulnerable software versions, and tailor payloads to victim architectures.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1592 Gather Victim Host Information
- Sub-technique: T1592.004 Client Configurations
- Canonical reference: https://attack.mitre.org/techniques/T1592/004/
SPL Detection Query
index=proxy OR index=web
(sourcetype="bluecoat:proxysg:access:kv" OR sourcetype="cisco:wsa:squid:native" OR sourcetype="stream:http")
http_method=POST
(uri_path="/fp.php" OR uri_path="/gate.php" OR uri_path="/collect.php"
OR uri_path="/plugin.php" OR uri_path="/log.php" OR uri_path="/track.php"
OR uri_path="/init.php" OR uri_path="/stat.php")
NOT (site="*.google.com" OR site="*.google-analytics.com" OR site="*.microsoft.com"
OR site="*.amplitude.com" OR site="*.mixpanel.com" OR site="*.segment.io"
OR site="*.newrelic.com" OR site="*.hotjar.com" OR site="*.internal"
OR site="*.corp" OR site="*.local")
| eval detection_branch="ScanBox_POST_Exfiltration"
| eval risk_score=0
| eval risk_score=risk_score+if(match(uri_path, "(\/fp\.php|\/gate\.php|\/collect\.php)"), 3, 0)
| eval risk_score=risk_score+if(match(uri_path, "(\/plugin\.php|\/log\.php|\/track\.php)"), 2, 0)
| eval risk_score=risk_score+if(match(cs_uri_query, "(platform|timezone|language|screen|hardware|cpu|arch|resolution)"), 2, 0)
| eval risk_score=risk_score+if(match(cs_referer, "(news|media|blog|forum|watering)"), 1, 0)
| where risk_score >= 2
| table _time, src_ip, cs_username, site, uri_path, cs_uri_query, cs_referer, http_method, sc_status, detection_branch, risk_score
| append [
search index=o365 sourcetype="o365:management:activity" Workload=AzureActiveDirectory
(Operation="UserLoginFailed" OR Operation="UserLoggedIn" OR Operation="Add service principal credentials")
| eval detection_branch="O365_Tenant_Config_Enum"
| eval user_agent_lower=lower(UserAgent)
| eval is_automated=if(match(user_agent_lower, "(python|curl\/|go-http-client|libwww-perl|powershell|okhttp|axios|java\/|apache-httpclient|requests\/)"), 1, 0)
| where is_automated=1
| eval risk_score=0
| eval risk_score=risk_score+if(match(user_agent_lower, "(python|curl\/|go-http-client)"), 2, 0)
| eval risk_score=risk_score+if(ResultStatus="Failed", 1, 0)
| eval risk_score=risk_score+if(match(user_agent_lower, "(powershell|libwww-perl|axios)"), 1, 0)
| where risk_score >= 2
| table _time, UserId, ClientIP, UserAgent, Operation, ResultStatus, detection_branch, risk_score
]
| sort - risk_score

Detects client configuration fingerprinting via two search branches appended together (the subsearch uses append rather than appendcols, because appendcols would pair unrelated proxy and O365 rows by position and overwrite the shared risk_score and detection_branch fields): (1) Proxy/web logs matching ScanBox-style POST collection endpoints with risk scoring across URI path specificity, query string hardware/configuration keywords, and referrer anomalies; known analytics domains are excluded. (2) Office 365 management activity logs identifying automated (non-browser) client access to Azure AD services using scripted user agents (Python, curl, Go HTTP, PowerShell, MSAL) with risk scoring for failed authentication and known scripting tool signatures. Both branches output normalized fields (detection_branch, risk_score) for correlation, and the final sort orders the combined result set by risk. Because the O365 branch runs as a subsearch, it is subject to Splunk's subsearch result-count and runtime limits; large tenants may need the two branches scheduled as separate searches.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Web A/B testing and conversion optimization platforms (Optimizely, VWO, Crazy Egg) POST client telemetry to similarly structured collection endpoints — add their domains to the exclusion list
- CDN and DDoS protection providers (Cloudflare, Akamai, Fastly) perform browser integrity checks that generate POST requests to challenge endpoints with paths matching collection endpoint patterns
- Internal vulnerability management scanners (Qualys, Tenable, Rapid7) running authenticated web application scans will POST to PHP/script-based endpoints and generate risk-scored events
- Legitimate Azure DevOps pipelines, GitHub Actions, and CI/CD automation using Python or Go to interact with Office 365 APIs will appear as automated client enumeration in the O365 branch
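The following is an added example, not code from the original page or from Splunk: a plain-Python re-implementation of the two risk-scoring branches of the SPL query above, run over constructed sample events so the scoring, the wildcard site exclusion list and the append/sort behaviour can be checked offline. It also shows where the tuning entries from the False Positives list go (the `exclusions` parameter). Field names follow the SPL query; the sample events, user IDs and `*.example.test` hostnames are made up, and the simplified regexes are equivalent to the SPL ones.

```python
"""Re-implementation of the SPL detection's two scoring branches (added example).
Sample events below are constructed, not real telemetry."""
import fnmatch
import re

# Proxy branch: filters and weights equivalent to the SPL query.
# Vendor telemetry domains from the False Positives section are added to this list.
EXCLUDED_SITES = [
    "*.google.com", "*.google-analytics.com", "*.microsoft.com", "*.amplitude.com",
    "*.mixpanel.com", "*.segment.io", "*.newrelic.com", "*.hotjar.com",
    "*.internal", "*.corp", "*.local",
]
COLLECTION_PATHS = {"/fp.php", "/gate.php", "/collect.php", "/plugin.php",
                    "/log.php", "/track.php", "/init.php", "/stat.php"}
HIGH_PATHS = re.compile(r"/(fp|gate|collect)\.php")          # weight 3
MED_PATHS = re.compile(r"/(plugin|log|track)\.php")           # weight 2
CONFIG_KEYWORDS = re.compile(r"platform|timezone|language|screen|hardware|cpu|arch|resolution")
REFERER_HINTS = re.compile(r"news|media|blog|forum|watering")

# O365 branch: operations of interest and user-agent signatures.
O365_OPERATIONS = {"UserLoginFailed", "UserLoggedIn", "Add service principal credentials"}
AUTOMATED_UA = re.compile(r"python|curl/|go-http-client|libwww-perl|powershell|okhttp|"
                          r"axios|java/|apache-httpclient|requests/")
HIGH_UA = re.compile(r"python|curl/|go-http-client")          # weight 2
LOW_UA = re.compile(r"powershell|libwww-perl|axios")          # weight 1


def site_excluded(site, exclusions=EXCLUDED_SITES):
    """Wildcard match equivalent to the SPL NOT (site="*.x" OR ...) clause."""
    return any(fnmatch.fnmatchcase(site.lower(), pat) for pat in exclusions)


def score_proxy_event(ev, exclusions=EXCLUDED_SITES):
    """ScanBox_POST_Exfiltration branch; None means the search filters dropped it."""
    if ev.get("http_method") != "POST" or ev.get("uri_path") not in COLLECTION_PATHS:
        return None
    if site_excluded(ev.get("site", ""), exclusions):
        return None
    score = 3 if HIGH_PATHS.search(ev["uri_path"]) else 0
    score += 2 if MED_PATHS.search(ev["uri_path"]) else 0
    score += 2 if CONFIG_KEYWORDS.search(ev.get("cs_uri_query", "")) else 0
    score += 1 if REFERER_HINTS.search(ev.get("cs_referer", "")) else 0
    return score


def score_o365_event(ev):
    """O365_Tenant_Config_Enum branch; None means not an automated client or wrong op."""
    if ev.get("Operation") not in O365_OPERATIONS:
        return None
    ua = ev.get("UserAgent", "").lower()            # eval user_agent_lower=lower(UserAgent)
    if not AUTOMATED_UA.search(ua):                 # where is_automated=1
        return None
    score = 2 if HIGH_UA.search(ua) else 0
    score += 1 if ev.get("ResultStatus") == "Failed" else 0
    score += 1 if LOW_UA.search(ua) else 0
    return score


def run_detection(proxy_events, o365_events, threshold=2, exclusions=EXCLUDED_SITES):
    """Both branches combined (the SPL append), then sort - risk_score."""
    rows = []
    for ev in proxy_events:
        s = score_proxy_event(ev, exclusions)
        if s is not None and s >= threshold:
            rows.append({"detection_branch": "ScanBox_POST_Exfiltration",
                         "entity": ev["src_ip"], "risk_score": s})
    for ev in o365_events:
        s = score_o365_event(ev)
        if s is not None and s >= threshold:
            rows.append({"detection_branch": "O365_Tenant_Config_Enum",
                         "entity": ev["UserId"], "risk_score": s})
    return sorted(rows, key=lambda r: r["risk_score"], reverse=True)


# Constructed sample events (made up for this example).
SAMPLE_PROXY = [
    {"src_ip": "10.1.2.3", "http_method": "POST", "site": "cdn-assets.example.test",
     "uri_path": "/collect.php", "cs_uri_query": "platform=Win32&timezone=-300&screen=1920x1080",
     "cs_referer": "https://news.example.test/story"},                     # 3+2+1 = 6
    {"src_ip": "10.1.2.4", "http_method": "POST", "site": "app.example.test",
     "uri_path": "/log.php", "cs_uri_query": "id=42", "cs_referer": ""},   # 2
    {"src_ip": "10.1.2.5", "http_method": "POST", "site": "www.google-analytics.com",
     "uri_path": "/collect.php", "cs_uri_query": "platform=Win32", "cs_referer": ""},  # excluded
    {"src_ip": "10.1.2.6", "http_method": "GET", "site": "app.example.test",
     "uri_path": "/fp.php", "cs_uri_query": "", "cs_referer": ""},         # not POST
    {"src_ip": "10.1.2.7", "http_method": "POST", "site": "app.example.test",
     "uri_path": "/stat.php", "cs_uri_query": "id=1", "cs_referer": ""},   # 0, below threshold
]
SAMPLE_O365 = [
    {"UserId": "svc-a@example.test", "Operation": "UserLoginFailed", "ResultStatus": "Failed",
     "UserAgent": "python-requests/2.31.0"},                                # 2+1 = 3
    {"UserId": "alice@example.test", "Operation": "UserLoggedIn", "ResultStatus": "Success",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},  # browser, dropped
    {"UserId": "bob@example.test", "Operation": "UserLoggedIn", "ResultStatus": "Success",
     "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1"},  # 1
    {"UserId": "ci@example.test", "Operation": "Add service principal credentials",
     "ResultStatus": "Success", "UserAgent": "okhttp/4.9.3"},               # automated, 0
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_PROXY, SAMPLE_O365):
        print(row)
```

Passing an extended `exclusions` list (for example the original list plus an A/B-testing vendor's domain) to `run_detection` is the Python equivalent of adding a `site="*.vendor"` term to the SPL NOT clause, which is the tuning step the False Positives section describes.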
Other platforms for T1592.004
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Browser Client Configuration Fingerprinting Simulation
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest', 'POST', and '/collect.php'. Sysmon Event ID 3: Network Connection attempt to 127.0.0.1:8888 (connection fails — no listener). PowerShell ScriptBlock Log Event ID 4104 showing the fingerprint assembly and POST attempt. If traffic routed through proxy: CommonSecurityLog entry showing POST to /collect.php with 127.0.0.1 destination.
- Test 2: Office 365 Tenant Configuration Enumeration via OpenID Connect Discovery
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Invoke-WebRequest' and 'openid-configuration'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS CONNECT to login.microsoftonline.com with Windows PowerShell user agent string.
- Test 3: WMI System Configuration Collection Matching ScanBox Target Data
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with WMI-related command line. Sysmon Event ID 11: File Create for t1592004_config.json in %TEMP%. WMI activity in Microsoft-Windows-WMI-Activity/Operational (Event IDs 5857, 5858) for Win32_OperatingSystem, Win32_Processor, Win32_TimeZone, and Win32_ComputerSystem queries. Windows Security Event ID 4688 (with command line auditing) showing powershell.exe execution.
- Test 4: HTTP User-Agent Client Configuration Passive Collection (Linux)
Expected signal: Linux audit logs (auditd): execve syscalls for python3 and curl. Syslog: process creation for python3 HTTP listener. If Sysmon for Linux is deployed: Event ID 3 (Network Connection) for TCP bind on port 18889 and the curl connection. The collected output shows User-Agent encoding 'Windows NT 10.0; Win64; x64' — OS type, version, and architecture in a single header.
- Test 5: Azure AD Tenant Client Configuration Enumeration via Scripted User Agent
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'System.Net.Http', 'HttpClient', and 'python-requests'. Sysmon Event ID 3: Outbound HTTPS connection to login.microsoftonline.com:443 with initiating process powershell.exe. Sysmon Event ID 22: DNS query for login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104. Proxy logs: HTTPS request to login.microsoftonline.com with User-Agent 'python-requests/2.31.0' from a Windows host — anomalous cross-platform user-agent spoofing.
References (9)
- https://attack.mitre.org/techniques/T1592/004/
- https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
- https://threatconnect.com/blog/infrastructure-research-hunting/
- https://www.microsoft.com/en-us/security/blog/2020/03/04/hafnium-targeting-exchange-servers/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/commonsecuritylog
- https://docs.splunk.com/Documentation/CIM/latest/User/NetworkTraffic
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.004/T1592.004.md