T1593 Elastic Security · Elastic

Detect Search Open Websites/Domains in Elastic Security

This detection identifies automated reconnaissance activity against your organization's public-facing web assets, which may indicate an adversary conducting pre-attack intelligence gathering via T1593. Since T1593 occurs externally (adversaries querying social media, search engines, and public websites), direct network-level detection from within the victim environment is impossible. This detection instead focuses on second-order observable indicators: anomalous automated scraping patterns against your web infrastructure (IIS, Apache, Nginx, Azure WAF), known OSINT/reconnaissance tool user agents in web access logs, high-velocity enumeration from single source IPs, and probing of sensitive disclosure paths such as /.git/, /robots.txt, sitemap.xml, and /admin. These patterns correlate with adversary pre-compromise reconnaissance workflows used by groups including Volt Typhoon, Mustang Panda, and Kimsuky prior to phishing or initial access operations.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1593 Search Open Websites/Domains
Canonical reference
https://attack.mitre.org/techniques/T1593/

Elastic Detection Query

Elastic Security (Elastic)
eql 
// T1593 — Search Open Websites
any where event.dataset : ("iis.access", "apache_http_server.access")
  and (user_agent.original : ("python-requests*", "go-http-client*", "curl/*", "nuclei*",
    "nikto*", "dirbuster*", "gobuster*", "scrapy*", "masscan*")
  or url.path : ("/.git/*", "/.env", "/wp-admin/*", "/robots.txt", "/sitemap.xml",
    "/.htaccess", "/web.config", "/backup/*", "/config/*"))
medium severity low confidence

Elastic EQL detection for Search Open Websites/Domains (T1593). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

Data Sources

Web Server LogsIIS Logs

Required Tables

logs-apache_http_server.*logs-iis.access-*

False Positives & Tuning

  • Legitimate commercial web crawlers and search engine bots (Googlebot, Bingbot, DuckDuckGo) may match known user agent patterns — whitelist verified crawler IP ranges from respective ASNs
  • Security vendors running authorized external attack surface scans (Qualys, Tenable, Rapid7) will produce reconnaissance-like patterns — maintain an allowlist of authorized scanner IPs
  • Developers or internal teams using curl, Python requests, or httpx for legitimate API testing or load testing against production endpoints
  • Content delivery networks and uptime monitoring services (Pingdom, UptimeRobot, StatusCake) making frequent automated HEAD/GET requests
Download portable Sigma rule (.yml)

Other platforms for T1593

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Automated Web Reconnaissance with Python Requests

    Expected signal: Web server access logs will show 25+ requests from 127.0.0.1 with user agent 'python-requests/2.x.x' hitting sensitive paths including /.git/config, /.env, /wp-admin, and /wp-config.php. IIS W3CIISLog or Apache access_combined logs will capture all requests.

  2. Test 2Directory Enumeration with Gobuster (DNS/HTTP Mode)

    Expected signal: Web server logs will show rapid sequential requests from 127.0.0.1 with user agent 'gobuster/3.x'. Each wordlist entry appears as a separate GET request. Requests arrive at ~5 concurrent requests/second. Response codes 200, 301, 302, 403, and 404 visible depending on what exists on the target.

  3. Test 3OSINT Reconnaissance with theHarvester Against Your Own Domain

    Expected signal: DNS resolver logs and network flow logs will show multiple DNS queries for subdomains of the target domain originating from the test host. If your DNS logging infrastructure captures queries, these appear as sequential lookups for www.example.com, mail.example.com, api.example.com, etc. theHarvester queries are external to the target and logged by Bing/search infrastructure, not the victim — this validates the external nature of T1593.

Last updated: 2026-03-19 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1593 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1593.001Social MediaT1593.002Search EnginesT1593.003Code RepositoriesT1592Gather Victim Host InformationT1596Search Open Technical DatabasesT1594Search Victim-Owned WebsitesT1566PhishingT1598Phishing for InformationT1585Establish AccountsT1133External Remote Services

Same Tactic: Reconnaissance

Popular Detections