T1592 IBM QRadar · QRadar

Detect Gather Victim Host Information in IBM QRadar

This detection identifies adversary attempts to enumerate victim host information during pre-compromise reconnaissance. Because T1592 is a PRE-ATT&CK technique occurring outside the victim network, direct detection is impossible — this rule targets second-order indicators visible from the defender side: automated scanning tools and fingerprinting bots making requests to internet-facing web servers, User-Agent rotation patterns consistent with OS/browser profiling, and rapid enumeration of host-revealing paths such as /robots.txt, /.env, /phpinfo.php, and similar disclosure endpoints. The primary data source is web server access logs (IIS W3C or common log format), which record client IP, User-Agent, and requested paths — the exact data an adversary harvests to profile target host configurations before launching phishing, supply chain, or watering hole operations.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1592 Gather Victim Host Information
Canonical reference
https://attack.mitre.org/techniques/T1592/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%masscan%' OR LOWER("useragent") ILIKE '%zgrab%' OR LOWER("useragent") ILIKE '%shodan%' OR LOWER("requesturl") ILIKE '%.env%' OR LOWER("requesturl") ILIKE '%phpinfo%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%masscan%' OR LOWER("useragent") ILIKE '%zgrab%' OR LOWER("useragent") ILIKE '%shodan%' OR LOWER("requesturl") ILIKE '%.env%' OR LOWER("requesturl") ILIKE '%phpinfo%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS
medium severity low confidence

QRadar AQL detection for Gather Victim Host Information (T1592). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.

Data Sources

QRadar SIEMWindows Security EventsNetwork Firewall LogsSyslog

Required Tables

events

False Positives & Tuning

  • Legitimate SEO crawlers such as Googlebot, Bingbot, or commercial crawlers (Screaming Frog, Ahrefs, Semrush) may trigger on path enumeration rules — allowlist known crawler IP ranges and User-Agent prefixes
  • Internal vulnerability scanners (Nessus, Qualys, Rapid7) run by the security team against web assets will generate identical patterns — exclude known scanner IP ranges via watchlist
  • Developer tooling such as curl, wget, or Python requests used legitimately by CI/CD pipelines or deployment scripts may match scanner User-Agent patterns — baseline known build server IPs
Download portable Sigma rule (.yml)

Other platforms for T1592

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Web Server Fingerprinting via Automated Scanner User-Agent

    Expected signal: Web server access log entries (IIS W3C or Apache combined format) showing requests from the test host IP with User-Agents matching masscan, python-requests, Go-http-client, and curl patterns against multiple disclosure paths. ReconScore should trigger at >= 2 given multiple fingerprinting paths and multiple scanner User-Agents.

  2. Test 2OS-Targeted User-Agent Rotation for Victim Profiling

    Expected signal: Access log entries from test IP showing 5 distinct User-Agents representing Windows, Linux, macOS, Android, and iOS across the same path set within a short window. The User-Agent rotation hunting query should fire with UniqueOSHints = 5.

  3. Test 3Nmap Service and OS Version Detection Scan

    Expected signal: Network flow records showing TCP SYN packets to multiple ports from test host. Web server access logs showing nmap User-Agent requests (if HTTP ports scanned). IDS/IPS logs showing port scan detection. Network baseline anomaly for rapid sequential port connections.

Last updated: 2026-03-19 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1592 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (4)

Related Techniques

T1595Active ScanningT1598Phishing for InformationT1592.001HardwareT1592.002SoftwareT1592.003FirmwareT1592.004Client ConfigurationsT1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1596Search Open Technical Databases

Same Tactic: Reconnaissance

Popular Detections