Detect WHOIS in IBM QRadar
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. Adversaries use WHOIS data to gather actionable information — identifying IP block ownership, registrant contact details, registrar and DNS nameserver relationships, and historical registration patterns. Information from these sources may reveal opportunities for other forms of reconnaissance (Active Scanning, Phishing for Information), establishing operational resources (Acquire Infrastructure, Compromise Infrastructure), and initial access (External Remote Services, Trusted Relationship). Because WHOIS is a public service queried outside the victim environment, direct detection requires monitoring for the downstream artifacts of the technique: WHOIS tool execution on a compromised host, outbound TCP port 43 connections, or scripted queries to WHOIS REST/RDAP APIs.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.002 WHOIS
- Canonical reference
- https://attack.mitre.org/techniques/T1596/002/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN "destinationport" = 43 OR LOWER("destinationhostname") IN ('who.is', 'whois.domaintools.com', 'arin.net', 'ripe.net') THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE ("destinationport" = 43 OR LOWER("destinationhostname") IN ('who.is', 'whois.domaintools.com', 'arin.net', 'ripe.net'))
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for WHOIS (T1596.002). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
- IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
- Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
- CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation
Other platforms for T1596.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Linux WHOIS Command-Line Domain Lookup
Expected signal: Sysmon for Linux Event ID 1 (if deployed): process creation with Image=/usr/bin/whois, CommandLine='whois example.com'. Linux auditd (if configured): EXECVE record showing whois command. Network connection on TCP port 43 to the appropriate RIR WHOIS server. DNS query for whois.iana.org or registrar-specific WHOIS server (whois.verisign-grs.com for .com domains).
- Test 2Windows PowerShell RDAP API Lookup via Invoke-RestMethod
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'rdap.arin.net'. Sysmon Event ID 3: Network connection from powershell.exe to rdap.arin.net on TCP port 443. Sysmon Event ID 22 (DNS Query): resolution of rdap.arin.net. PowerShell ScriptBlock Log Event ID 4104: full script content including the URL and Invoke-RestMethod call.
- Test 3Windows PowerShell Direct TCP WHOIS Query on Port 43
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=<whois.iana.org resolved IP>, DestinationPort=43, Protocol=tcp. Sysmon Event ID 22: DNS query for whois.iana.org. Sysmon Event ID 1: Process Create for powershell.exe with TcpClient and port 43 visible in CommandLine.
- Test 4Python Socket-Based WHOIS Query on Port 43
Expected signal: Sysmon for Linux Event ID 1: Process Create with Image=python3, CommandLine containing the socket code and 'whois.iana.org'. Sysmon for Linux Event ID 3: Network Connection from python3 to whois.iana.org on TCP port 43. DNS query for whois.iana.org in DNS resolver logs.
References (7)
- https://attack.mitre.org/techniques/T1596/002/
- https://www.iana.org/domains/whois
- https://www.arin.net/resources/registry/whois/rdap/
- https://www.ripe.net/manage-ips-and-asns/db/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1596.002/T1596.002.md
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1596.002 including response playbook, investigation guide, and atomic red team tests.