T1594 Search Victim-Owned Websites Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let timeWindow = 1h;
let requestThreshold = 100;
let errorThreshold = 20;
let suspiciousUAs = dynamic(["scrapy", "python-requests", "python-urllib", "wget", "nikto", "masscan", "nmap", "zgrab", "go-http-client", "libwww-perl", "java/", "curl/", "dirbuster", "gobuster", "feroxbuster", "wfuzz", "ffuf", "httprint", "sqlmap", "whatweb"]);
let reconPaths = dynamic(["/robots.txt", "/sitemap.xml", "/sitemap_index.xml", "/.well-known/security.txt", "/.git/", "/.env", "/wp-admin", "/admin", "/staff", "/team", "/employees", "/contact", "/about", "/management", "/leadership", "/directory"]);
W3CIISLog
| where TimeGenerated > ago(timeWindow)
| extend UALower = tolower(csUserAgent)
| extend IsReconUA = UALower has_any (suspiciousUAs)
| extend IsReconPath = csUriStem has_any (reconPaths)
| extend Is404 = (scStatus == 404)
| extend IsEmployeePage = csUriStem matches regex @"(?i)/(staff|team|employees|people|directory|contact|about|leadership|management|board)"
| where IsReconUA or IsReconPath or Is404 or IsEmployeePage
| summarize
    TotalRequests = count(),
    Count404 = countif(scStatus == 404),
    Count403 = countif(scStatus == 403),
    UniquePathsRequested = dcount(csUriStem),
    ReconPathHits = countif(IsReconPath),
    EmployeePageHits = countif(IsEmployeePage),
    SuspiciousUAUsed = countif(IsReconUA),
    UserAgents = make_set(csUserAgent, 5),
    AccessedPaths = make_set(csUriStem, 30),
    FirstRequest = min(TimeGenerated),
    LastRequest = max(TimeGenerated)
    by SourceIP = cIp, TargetSite = sSiteName
| extend ReconScore = 
    (case(Count404 > 50, 3, Count404 > 20, 2, Count404 > 5, 1, 0)) +
    (case(TotalRequests > 500, 3, TotalRequests > 200, 2, TotalRequests > 100, 1, 0)) +
    (case(ReconPathHits > 3, 2, ReconPathHits >= 1, 1, 0)) +
    (case(SuspiciousUAUsed > 0, 2, 0)) +
    (case(EmployeePageHits > 5, 2, EmployeePageHits >= 1, 1, 0))
| where ReconScore >= 3
| extend SessionDurationMinutes = datetime_diff('minute', LastRequest, FirstRequest)
| extend RequestsPerMinute = round(todouble(TotalRequests) / max_of(SessionDurationMinutes, 1), 1)
| project
    FirstRequest, LastRequest, SourceIP, TargetSite,
    TotalRequests, Count404, Count403, UniquePathsRequested,
    ReconPathHits, EmployeePageHits, SuspiciousUAUsed,
    SessionDurationMinutes, RequestsPerMinute,
    UserAgents, AccessedPaths, ReconScore
| sort by ReconScore desc, TotalRequests desc

medium severity low confidence

Data Sources

Microsoft Sentinel (W3C IIS Logs) Azure WAF Logs

Required Tables

W3CIISLog

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)
Load testing tools (Apache JMeter, k6, Locust) run by the engineering team generating high 404 rates

Splunk

spl

index=* (sourcetype="access_combined" OR sourcetype="access_combined_wcookie" OR sourcetype="iis" OR sourcetype="ms:iis:auto" OR sourcetype="stream:http")
| eval ua_lower=lower(coalesce(http_user_agent, cs_User_Agent, useragent))
| eval uri=coalesce(uri_path, cs_uri_stem, url)
| eval status_code=coalesce(status, sc_status)
| eval src=coalesce(src_ip, c_ip, clientip)
| eval is_recon_ua=if(match(ua_lower, "(scrapy|python-requests|python-urllib|wget\/|nikto|masscan|nmap|zgrab|go-http-client|libwww-perl|dirbuster|gobuster|feroxbuster|wfuzz|ffuf|sqlmap|whatweb)"), 1, 0)
| eval is_recon_path=if(match(uri, "(?i)(robots\.txt|sitemap.*\.xml|\.well-known|/\.git|/\.env|/wp-admin|/phpmyadmin)"), 1, 0)
| eval is_employee_page=if(match(uri, "(?i)/(staff|team|employees|people|directory|contact|about|leadership|management|board)"), 1, 0)
| eval is_404=if(status_code="404" OR status_code=404, 1, 0)
| eval is_403=if(status_code="403" OR status_code=403, 1, 0)
| where is_recon_ua=1 OR is_recon_path=1 OR is_404=1 OR is_employee_page=1
| bin _time span=10m
| stats
    count as total_requests,
    sum(is_404) as count_404,
    sum(is_403) as count_403,
    dc(uri) as unique_paths,
    sum(is_recon_path) as recon_path_hits,
    sum(is_employee_page) as employee_page_hits,
    sum(is_recon_ua) as suspicious_ua_hits,
    values(ua_lower) as user_agents,
    values(uri) as accessed_paths
    by _time, src, host
| eval recon_score=0
| eval recon_score=recon_score + case(count_404 > 50, 3, count_404 > 20, 2, count_404 > 5, 1, true(), 0)
| eval recon_score=recon_score + case(total_requests > 500, 3, total_requests > 200, 2, total_requests > 100, 1, true(), 0)
| eval recon_score=recon_score + case(recon_path_hits > 3, 2, recon_path_hits >= 1, 1, true(), 0)
| eval recon_score=recon_score + if(suspicious_ua_hits > 0, 2, 0)
| eval recon_score=recon_score + case(employee_page_hits > 5, 2, employee_page_hits >= 1, 1, true(), 0)
| where recon_score >= 3
| sort -recon_score, -total_requests
| table _time, src, host, total_requests, count_404, count_403, unique_paths, recon_path_hits, employee_page_hits, suspicious_ua_hits, recon_score, user_agents, accessed_paths

medium severity low confidence

Data Sources

Web Access Logs (Apache/Nginx/IIS) Splunk Stream HTTP

Required Sourcetypes

access_combined iis stream:http

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot) generating high request volumes against public-facing pages
Authorized security scanning or bug bounty researchers operating within disclosed scope
Web performance monitoring tools (Pingdom, New Relic Synthetics, Datadog) performing health checks
Content Delivery Network (CDN) origin pull requests that appear as high-volume single-source traffic
Marketing analytics bots and SEO auditing tools used by internal teams

Elastic Security (EQL)

eql

// T1594 — Search Victim-Owned Websites
any where event.dataset : ("iis.access", "apache_http_server.access")
  and (user_agent.original : (
    "scrapy*", "python-requests*", "wget*", "nikto*", "masscan*",
    "nmap*", "zgrab*", "go-http-client*", "libwww-perl*"
  ) or url.path : (
    "/robots.txt", "/sitemap.xml", "/.git/*", "/.env", "/wp-admin/*",
    "/admin/*", "/staff*", "/team*", "/employees*", "/contact*",
    "/about*", "/management*", "/leadership*", "/directory*"
  ))

medium severity low confidence

Data Sources

Web Server Logs IIS Logs

Required Tables

logs-apache_http_server.* logs-iis.access-*

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%scrapy%' OR LOWER("useragent") ILIKE '%python-requests%' OR LOWER("requesturl") ILIKE '%/staff%' OR LOWER("requesturl") ILIKE '%/team%' OR LOWER("requesturl") ILIKE '%/employees%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%scrapy%' OR LOWER("useragent") ILIKE '%python-requests%' OR LOWER("requesturl") ILIKE '%/staff%' OR LOWER("requesturl") ILIKE '%/team%' OR LOWER("requesturl") ILIKE '%/employees%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Sumo Logic CSE

sql

_sourceCategory=*web* OR _sourceCategory=*iis* OR _sourceCategory=*apache*
| parse regex "(?<client_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) - (?<user>[^ ]+) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+).*\" (?<status>\\d+)"
| count by client_ip, uri
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

web/access iis/access

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Google Chronicle / SecOps

yaral

rule t1594_search_victim-owned_websites {
  meta:
    author = "df00tech"
    description = "Detects Search Victim-Owned Websites (T1594)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1594"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.ip != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

NETWORK_HTTP NETWORK_CONNECTION

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /python|curl|wget|nmap|masscan/i
| TechniqueLabel := "T1594 - Reconnaissance"
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

HttpRequest ProcessRollup2

False Positives

Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Search Victim-Owned Websites

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Reconnaissance

Popular Detections