Detect Gather Victim Host Information in Splunk
This detection identifies adversary attempts to enumerate victim host information during pre-compromise reconnaissance. Because T1592 is a PRE-ATT&CK technique occurring outside the victim network, direct detection is impossible — this rule targets second-order indicators visible from the defender side: automated scanning tools and fingerprinting bots making requests to internet-facing web servers, User-Agent rotation patterns consistent with OS/browser profiling, and rapid enumeration of host-revealing paths such as /robots.txt, /.env, /phpinfo.php, and similar disclosure endpoints. The primary data source is web server access logs (IIS W3C or common log format), which record client IP, User-Agent, and requested paths — the exact data an adversary harvests to profile target host configurations before launching phishing, supply chain, or watering hole operations.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1592 Gather Victim Host Information
- Canonical reference
- https://attack.mitre.org/techniques/T1592/
SPL Detection Query
index=web (sourcetype="access_combined" OR sourcetype="iis" OR sourcetype="apache:access") earliest=-1h
| eval ua=lower(useragent)
| eval uri=lower(uri_path)
| eval is_scanner=if(
match(ua, "masscan|nmap|zgrab|nikto|sqlmap|nuclei|dirbuster|gobuster|wfuzz|ffuf|whatweb|python-requests|go-http-client|libwww-perl|shodan|censys|binaryedge|wget\/|lwp-trivial|apachebench|java\/"),
1, 0)
| eval is_fingerprint_path=if(
match(uri, "robots\.txt|\.git\/|\.env|phpinfo\.php|server-status|server-info|crossdomain\.xml|clientaccesspolicy|sitemap\.xml|wp-admin|wp-login\.php|xmlrpc\.php|\.well-known\/security|changelog\.txt|readme\.html|web\.config|web-inf\/web\.xml"),
1, 0)
| where is_scanner=1 OR is_fingerprint_path=1
| stats
count AS request_count,
dc(useragent) AS unique_agents,
dc(uri_path) AS unique_paths,
sum(is_scanner) AS scanner_ua_hits,
sum(is_fingerprint_path) AS fingerprint_path_hits,
min(_time) AS first_seen,
max(_time) AS last_seen,
values(useragent) AS sampled_agents,
values(uri_path) AS sampled_paths,
count(eval(status=="200")) AS http200_count,
count(eval(status=="404")) AS http404_count
by src_ip
| eval duration_mins=round((last_seen - first_seen) / 60, 1)
| eval recon_score=0
| eval recon_score=recon_score + case(request_count > 100, 3, request_count > 30, 2, request_count > 5, 1, true(), 0)
| eval recon_score=recon_score + case(unique_agents > 5, 2, unique_agents > 2, 1, true(), 0)
| eval recon_score=recon_score + case(unique_paths > 20, 2, unique_paths > 8, 1, true(), 0)
| eval recon_score=recon_score + if(http404_count > 20, 1, 0)
| where recon_score >= 2
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table src_ip, request_count, unique_agents, unique_paths, http200_count, http404_count,
duration_mins, recon_score, scanner_ua_hits, fingerprint_path_hits,
sampled_agents, sampled_paths, first_seen, last_seen
| sort -recon_score, -request_countCorrelates web access logs for automated scanning User-Agent strings and enumeration of host-disclosure paths. Computes a composite ReconScore per source IP to surface high-confidence fingerprinting sessions while suppressing isolated accidental hits.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Web performance monitoring tools (Pingdom, UptimeRobot, Datadog Synthetics) make regular automated requests with non-browser User-Agents — allowlist their published IP ranges
- Internal red team or penetration testing engagements will generate identical fingerprinting patterns — coordinate with security team and exclude authorized test windows
- Content delivery network health checks and origin probe traffic from CDN providers (Cloudflare, Fastly, Akamai) may send automated requests that match scanner patterns — allowlist CDN IP blocks
Other platforms for T1592
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Web Server Fingerprinting via Automated Scanner User-Agent
Expected signal: Web server access log entries (IIS W3C or Apache combined format) showing requests from the test host IP with User-Agents matching masscan, python-requests, Go-http-client, and curl patterns against multiple disclosure paths. ReconScore should trigger at >= 2 given multiple fingerprinting paths and multiple scanner User-Agents.
- Test 2OS-Targeted User-Agent Rotation for Victim Profiling
Expected signal: Access log entries from test IP showing 5 distinct User-Agents representing Windows, Linux, macOS, Android, and iOS across the same path set within a short window. The User-Agent rotation hunting query should fire with UniqueOSHints = 5.
- Test 3Nmap Service and OS Version Detection Scan
Expected signal: Network flow records showing TCP SYN packets to multiple ports from test host. Web server access logs showing nmap User-Agent requests (if HTTP ports scanned). IDS/IPS logs showing port scan detection. Network baseline anomaly for rapid sequential port connections.
Unlock Pro Content
Get the full detection package for T1592 including response playbook, investigation guide, and atomic red team tests.