T1596.002 WHOIS Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let WHOISPorts = dynamic([43]);
let WHOISWebDomains = dynamic([
    "who.is", "whois.domaintools.com", "arin.net", "ripe.net", "apnic.net",
    "lacnic.net", "afrinic.net", "whois.verisign-grs.com", "rdap.arin.net",
    "rdap.ripe.net", "lookup.icann.org", "centralops.net", "viewdns.info",
    "whoisology.com", "whois.icann.org"
]);
// Branch 1: WHOIS command-line tool execution on endpoints
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("whois.exe", "whois64.exe")
    or (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh",
                       "python.exe", "python3", "python3.exe")
        and (ProcessCommandLine has "whois"
             or ProcessCommandLine has "rdap.arin"
             or ProcessCommandLine has "rdap.ripe"
             or ProcessCommandLine has "whois.iana.org"
             or ProcessCommandLine has "whois.verisign"))
| extend DetectionType = "WHOISToolExecution"
| extend TargetEntity = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, TargetEntity;
// Branch 2: Outbound TCP connections to WHOIS protocol port 43
let WHOISProtocolNet = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (WHOISPorts)
| where RemoteIPType == "Public"
| extend DetectionType = "WHOISProtocolPort43"
| extend TargetEntity = strcat(RemoteIP, ":", tostring(RemotePort))
| project Timestamp, DeviceName,
    AccountName = InitiatingProcessAccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType, TargetEntity;
// Branch 3: Non-browser processes accessing known WHOIS lookup web services
let WebAPILookup = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WHOISWebDomains)
| where InitiatingProcessFileName !in~ (
    "msedge.exe", "chrome.exe", "firefox.exe",
    "iexplore.exe", "opera.exe", "brave.exe", "safari.exe"
)
| extend DetectionType = "WHOISWebAPIAccess"
| extend TargetEntity = RemoteUrl
| project Timestamp, DeviceName,
    AccountName = InitiatingProcessAccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType, TargetEntity;
union ToolExecution, WHOISProtocolNet, WebAPILookup
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation
Authorized red team and penetration testing engagements performing pre-attack reconnaissance against the organization

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    (
        (EventCode=1
            (
                Image="*\\whois.exe" OR Image="*\\whois64.exe"
                OR
                (
                    CommandLine="*whois*"
                    AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
                         OR Image="*\\cmd.exe" OR Image="*\\python.exe"
                         OR Image="*\\python3.exe" OR Image="*\\bash"
                         OR Image="*\\sh")
                )
            )
        )
        OR
        (EventCode=3 DestinationPort=43
            NOT DestinationIp="10.*"
            NOT DestinationIp="172.16.*"
            NOT DestinationIp="192.168.*"
            NOT DestinationIp="127.*"
        )
    )
| eval DetectionType=case(
    EventCode=1 AND (match(Image, "(?i)whois") OR match(CommandLine, "(?i)\\bwhois\\b")), "WHOISToolExecution",
    EventCode=3 AND DestinationPort=43, "WHOISProtocolPort43",
    true(), "WHOISActivity"
)
| eval TargetIndicator=case(
    EventCode=3, coalesce(DestinationHostname, DestinationIp)+":"+tostring(DestinationPort),
    EventCode=1, CommandLine,
    true(), null()
)
| eval SuspicionScore=case(
    DetectionType="WHOISToolExecution"
        AND match(CommandLine, "(?i)(arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|verisign|rdap)"),
        3,
    DetectionType="WHOISToolExecution", 2,
    DetectionType="WHOISProtocolPort43", 2,
    true(), 1
)
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, DestinationHostname, DetectionType, TargetIndicator, SuspicionScore
| sort - SuspicionScore, - _time

low severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

SOC analysts and threat intelligence teams using whois tools for legitimate domain investigations
IT administrators querying WHOIS to verify domain registration details or expiry dates for corporate domains
Security scanning platforms that incorporate WHOIS lookups as part of asset inventory
CI/CD pipelines or automation scripts that verify domain ownership during deployment validation
Authorized penetration testing engagements performing reconnaissance against the organization

Elastic Security (EQL)

eql

// T1596.002 — WHOIS Reconnaissance
network where destination.port == 43
  or (http.request.body.content : ("*arin.net*", "*ripe.net*", "*apnic.net*", "*whois*")
  and destination.port in (80, 443))

low severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "destinationport" = 43 OR LOWER("destinationhostname") IN ('who.is', 'whois.domaintools.com', 'arin.net', 'ripe.net') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("destinationport" = 43 OR LOWER("destinationhostname") IN ('who.is', 'whois.domaintools.com', 'arin.net', 'ripe.net'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

low severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

low severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation

Google Chronicle / SecOps

yaral

rule t1596_002_whois {
  meta:
    author = "df00tech"
    description = "Detects WHOIS (T1596.002)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596.002"
    confidence = "medium"
    severity = "low"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

low severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.002 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.002 - OSINTTool";
    * => TechniqueLabel := "T1596.002 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

low severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation

WHOIS

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections