Detect Search Victim-Owned Websites in Sumo Logic CSE
This detection identifies adversary reconnaissance activity targeting victim-owned websites, including automated crawling, directory enumeration, and harvesting of sensitive pages such as robots.txt, sitemap.xml, staff/contact directories, and hidden paths. Because T1594 is a PRE-ATT&CK technique occurring outside the victim network, detection relies on web server access logs, WAF telemetry, and CDN logs ingested into SIEM. Detection focuses on high-volume requests from single source IPs, enumeration of employee/contact pages, known scraping tool user agents, and sequential access patterns indicative of automated reconnaissance tools used by groups like Kimsuky, Volt Typhoon, Silent Librarian, and Sandworm Team.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1594 Search Victim-Owned Websites
- Canonical reference
- https://attack.mitre.org/techniques/T1594/
Sumo Detection Query
_sourceCategory=*web* OR _sourceCategory=*iis* OR _sourceCategory=*apache*
| parse regex "(?<client_ip>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}) - (?<user>[^ ]+) .* \"(?<method>[A-Z]+) (?<uri>[^ ]+).*\" (?<status>\\d+)"
| count by client_ip, uri
| sort by _count descSumo Logic detection for Search Victim-Owned Websites (T1594). Uses _sourceCategory path filtering for flexible log routing compatibility, with JSON field extraction and statistical aggregation to surface search victim-owned websites patterns. Designed for the Sumo Logic Cloud SIEM platform.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings
- Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
- Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
- SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)
Other platforms for T1594
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Automated Website Crawling with wget Spider Mode
Expected signal: Web server access logs showing rapid sequential GET requests from single IP with wget user agent. Multiple 200, 301, and 404 responses across diverse URL paths. Request rate 20-100 req/min.
- Test 2Reconnaissance Path Enumeration with robots.txt and sitemap.xml Harvest
Expected signal: Sequential requests to robots.txt, sitemap.xml then employee-related paths. User agent 'python-requests' in all requests. Mix of 200 and 404 responses across 60-second window.
- Test 3Directory Enumeration with ffuf Wordlist Scanning
Expected signal: Burst of 404 responses (12 requests, 1 per path) within 90 seconds. ffuf or spoofed browser UA. Requests for paths like /admin, /staff, /.git, /.env. Rate approximately 10 req/min.
References (6)
- https://attack.mitre.org/techniques/T1594/
- https://www.comparitech.com/blog/information-security/website-information-leak/
- https://www.theregister.com/2015/07/29/googles_robots_txt_problem/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/
- https://www.justice.gov/opa/press-release/file/1328521/download
Unlock Pro Content
Get the full detection package for T1594 including response playbook, investigation guide, and atomic red team tests.