
Detect Search Victim-Owned Websites in IBM QRadar

This detection identifies adversary reconnaissance against victim-owned websites: automated crawling, directory enumeration, and harvesting of pages such as robots.txt, sitemap.xml, staff and contact directories, and unlinked paths. T1594 sits in the Reconnaissance tactic (formerly PRE-ATT&CK) and is carried out from outside the victim network, so the only telemetry available is what the public-facing edge records: web server access logs, WAF events, and CDN logs ingested into the SIEM. Detection focuses on high request volumes from a single source IP, enumeration of employee and contact pages, user agents of known scraping tools, and sequential access patterns characteristic of automated reconnaissance tooling. MITRE lists Kimsuky, Volt Typhoon, Silent Librarian, and Sandworm Team among the groups that use this technique.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1594 Search Victim-Owned Websites
Canonical reference
https://attack.mitre.org/techniques/T1594/

QRadar Detection Query

IBM QRadar (QRadar)

    SELECT
        DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
        LOGSOURCENAME(logsourceid) AS "LogSource",
        LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
        username, sourceip, destinationip,
        QIDNAME(qid) AS "EventName",
        "useragent", "requesturl",
        UTF8(payload) AS "Payload",
        CASE
            WHEN "useragent" ILIKE '%scrapy%' OR "useragent" ILIKE '%python-requests%' THEN 8
            ELSE 4
        END AS "RiskScore"
    FROM events
    WHERE ("useragent" ILIKE '%scrapy%' OR "useragent" ILIKE '%python-requests%'
           OR "requesturl" ILIKE '%/staff%' OR "requesturl" ILIKE '%/team%' OR "requesturl" ILIKE '%/employees%')
      AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
    ORDER BY "RiskScore" DESC, "EventTime" DESC
    LAST 24 HOURS

Severity: medium · Confidence: low

QRadar AQL detection for Search Victim-Owned Websites (T1594). The SQL-like query runs against the QRadar events store and scores each matching row so that hits from known scraping user agents rank above hits on sensitive paths alone. It filters out noise from the internal SIM Audit and Custom Rule Engine log sources. Note that "useragent" and "requesturl" are not normalized AQL fields; they are custom event properties, so the names must match the properties your web server, WAF or CDN DSM actually populates, and both should be indexed if the query is to run over a 24-hour window at production volume. ILIKE is already case-insensitive, so no LOWER() wrapper is needed. The '%/team%' pattern also matches paths such as /teams/ on collaboration portals, so tighten it to the exact paths your site exposes.

Data Sources

  • QRadar SIEM
  • Windows Security Events
  • Network Firewall Logs
  • Syslog

Required Tables

events

False Positives & Tuning

  • Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes. Do not tune on the user agent string alone, since it is trivially spoofed; pair it with the operator's published IP ranges or forward-confirmed reverse DNS before suppressing a source
  • Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
  • Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
  • SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)

Testing Methodology

Validate this detection against the three Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Note that the query above keys only on the scrapy and python-requests user agents and the /staff, /team and /employees paths, so Test 1 (wget) and Test 3 (ffuf) fire only when a run happens to request one of those paths; add those user agents, or a per-source request-rate or 404-ratio condition, before treating either test as a pass.

  1. Test 1: Automated Website Crawling with wget Spider Mode

    Expected signal: Web server access logs showing rapid sequential GET requests from single IP with wget user agent. Multiple 200, 301, and 404 responses across diverse URL paths. Request rate 20-100 req/min.

  2. Test 2: Reconnaissance Path Enumeration with robots.txt and sitemap.xml Harvest

    Expected signal: Sequential requests to robots.txt, sitemap.xml then employee-related paths. User agent 'python-requests' in all requests. Mix of 200 and 404 responses across 60-second window.

  3. Test 3: Directory Enumeration with ffuf Wordlist Scanning

    Expected signal: Burst of 404 responses (12 requests, 1 per path) within 90 seconds. ffuf or spoofed browser UA. Requests for paths like /admin, /staff, /.git, /.env. Rate roughly 8 req/min (12 requests over 90 seconds), well below the crawl rate of Test 1, so this case is caught by the 404 ratio rather than by volume.
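The heuristics this page describes (tool user agents, sensitive-path hits, per-source request rate, and 404-heavy bursts) can be exercised against the three tests above before being ported into AQL. The following is an added example written for this page, not code from the page's own detection package or from IBM QRadar: it parses constructed Apache combined-format access log lines, scores each source IP, and suppresses a crawler only when its user agent and source range both match the allowlist, the tuning point made under False Positives. The thresholds (20 req/min, 10 requests, 50% 404s), the score weights, the 192.0.2.0/24 allowlist range and the sample IPs are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" format; only the fields the heuristics need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

TOOL_UA = ("scrapy", "python-requests", "wget", "ffuf", "curl")
SENSITIVE = ("/staff", "/team", "/employees", "/robots.txt", "/sitemap.xml",
             "/.git", "/.env", "/admin")
# A crawler is only trusted when the UA *and* the source range match, because the
# UA string is trivially spoofed. 192.0.2.0/24 is a documentation range standing
# in for the operator-published ranges (assumption, not Google's real range).
ALLOWED = {"googlebot": [ip_network("192.0.2.0/24")]}


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    d["path"], d["ua"] = d["path"].lower(), d["ua"].lower()
    return d


def is_allowed_crawler(ip, ua):
    return any(name in ua and any(ip_address(ip) in net for net in nets)
               for name, nets in ALLOWED.items())


def score_sources(lines, rate_threshold=20.0, min_requests=10, notfound_ratio=0.5):
    """Return {ip: {"score": int, "reasons": [...]}} for sources that look like recon."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        uas = {r["ua"] for r in recs}
        if any(is_allowed_crawler(ip, ua) for ua in uas):
            continue  # verified crawler: tuned out entirely, not just down-weighted
        score, reasons = 0, []
        if any(tool in ua for ua in uas for tool in TOOL_UA):
            score += 4
            reasons.append("tool user agent")
        hits = sorted({r["path"] for r in recs if r["path"].startswith(SENSITIVE)})
        if hits:
            score += 2
            reasons.append("sensitive paths: " + ", ".join(hits))
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        rate = len(recs) / max(span, 1.0) * 60.0
        distinct = len({r["path"] for r in recs})
        if rate >= rate_threshold and distinct >= min_requests:
            score += 3
            reasons.append(f"{rate:.0f} req/min over {distinct} distinct paths")
        nf = sum(r["status"] == 404 for r in recs) / len(recs)
        if len(recs) >= min_requests and nf >= notfound_ratio:
            score += 3
            reasons.append(f"{nf:.0%} of responses were 404")
        if score:
            findings[ip] = {"score": score, "reasons": reasons}
    return findings


def make_lines(ip, ua, paths, statuses, start, step_s):
    """Constructed sample log lines: one GET every step_s seconds from a single IP."""
    return [
        f'{ip} - - [{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)}] '
        f'"GET {p} HTTP/1.1" {s} 512 "-" "{ua}"'
        for i, (p, s) in enumerate(zip(paths, statuses))
    ]


T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE = (
    # Test 1 style: wget spider, ~60 req/min across 30 pages
    make_lines("198.51.100.7", "Wget/1.21.4", [f"/page{i}" for i in range(30)], [200] * 30, T0, 1)
    # Test 2 style: robots.txt/sitemap.xml then employee pages with python-requests
    + make_lines("203.0.113.9", "python-requests/2.31",
                 ["/robots.txt", "/sitemap.xml", "/staff", "/team", "/employees"],
                 [200, 200, 200, 404, 404], T0, 12)
    # Test 3 style: ffuf-like 404 burst behind a spoofed browser UA, ~8 req/min
    + make_lines("203.0.113.44", "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
                 ["/admin", "/backup", "/.git", "/.env", "/old", "/test",
                  "/dev", "/api", "/login", "/config", "/staff", "/uploads"],
                 [404] * 12, T0, 8)
    # Googlebot UA from the allowlisted range: suppressed despite the high rate
    + make_lines("192.0.2.5", "Mozilla/5.0 (compatible; Googlebot/2.1)",
                 [f"/page{i}" for i in range(30)], [200] * 30, T0, 1)
    # Ordinary visitor: never scores
    + make_lines("203.0.113.200", "Mozilla/5.0 (X11; Linux x86_64) Firefox/125",
                 ["/", "/about", "/contact"], [200, 200, 200], T0, 30)
)

if __name__ == "__main__":
    for ip, f in sorted(score_sources(SAMPLE).items(), key=lambda kv: -kv[1]["score"]):
        print(ip, f["score"], "; ".join(f["reasons"]))
```

Running the block lists the wget spider first (tool UA plus rate), then the python-requests harvest (tool UA plus sensitive paths), then the ffuf-style burst, which has no tool UA and only clears the bar through its 404 ratio and the /admin, /.git, /.env and /staff hits. The Googlebot source is dropped despite crawling at the same rate as the wget run, but only because its IP falls inside the allowlisted range; the same UA from 203.0.113.x would be scored like any other scraper. The rate and 404-ratio features are the two conditions the AQL above lacks; in QRadar they map to a GROUP BY sourceip aggregation with COUNT and UNIQUECOUNT over a short window, or to a rule with an event-count-per-source condition.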
