Detect Search Victim-Owned Websites in Elastic Security
This detection identifies adversary reconnaissance activity targeting victim-owned websites, including automated crawling, directory enumeration, and harvesting of sensitive pages such as robots.txt, sitemap.xml, staff/contact directories, and hidden paths. Because T1594 is a PRE-ATT&CK technique occurring outside the victim network, detection relies on web server access logs, WAF telemetry, and CDN logs ingested into SIEM. Detection focuses on high-volume requests from single source IPs, enumeration of employee/contact pages, known scraping tool user agents, and sequential access patterns indicative of automated reconnaissance tools used by groups like Kimsuky, Volt Typhoon, Silent Librarian, and Sandworm Team.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1594 Search Victim-Owned Websites
- Canonical reference
- https://attack.mitre.org/techniques/T1594/
Elastic Detection Query
// T1594 — Search Victim-Owned Websites
any where event.dataset : ("iis.access", "apache_http_server.access")
and (user_agent.original : (
"scrapy*", "python-requests*", "wget*", "nikto*", "masscan*",
"nmap*", "zgrab*", "go-http-client*", "libwww-perl*"
) or url.path : (
"/robots.txt", "/sitemap.xml", "/.git/*", "/.env", "/wp-admin/*",
"/admin/*", "/staff*", "/team*", "/employees*", "/contact*",
"/about*", "/management*", "/leadership*", "/directory*"
))Elastic EQL detection for Search Victim-Owned Websites (T1594). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
- Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
- Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
- SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)
Other platforms for T1594
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Automated Website Crawling with wget Spider Mode
Expected signal: Web server access logs showing rapid sequential GET requests from single IP with wget user agent. Multiple 200, 301, and 404 responses across diverse URL paths. Request rate 20-100 req/min.
- Test 2Reconnaissance Path Enumeration with robots.txt and sitemap.xml Harvest
Expected signal: Sequential requests to robots.txt, sitemap.xml then employee-related paths. User agent 'python-requests' in all requests. Mix of 200 and 404 responses across 60-second window.
- Test 3Directory Enumeration with ffuf Wordlist Scanning
Expected signal: Burst of 404 responses (12 requests, 1 per path) within 90 seconds. ffuf or spoofed browser UA. Requests for paths like /admin, /staff, /.git, /.env. Rate approximately 10 req/min.
References (6)
- https://attack.mitre.org/techniques/T1594/
- https://www.comparitech.com/blog/information-security/website-information-leak/
- https://www.theregister.com/2015/07/29/googles_robots_txt_problem/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
- https://www.justice.gov/opa/press-release/file/1328521/download
Unlock Pro Content
Get the full detection package for T1594 including response playbook, investigation guide, and atomic red team tests.