Detect WHOIS in Microsoft Sentinel
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. Adversaries use WHOIS data to gather actionable information — identifying IP block ownership, registrant contact details, registrar and DNS nameserver relationships, and historical registration patterns. Information from these sources may reveal opportunities for other forms of reconnaissance (Active Scanning, Phishing for Information), establishing operational resources (Acquire Infrastructure, Compromise Infrastructure), and initial access (External Remote Services, Trusted Relationship). Because WHOIS is a public service queried outside the victim environment, direct detection requires monitoring for the downstream artifacts of the technique: WHOIS tool execution on a compromised host, outbound TCP port 43 connections, or scripted queries to WHOIS REST/RDAP APIs.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.002 WHOIS
- Canonical reference
- https://attack.mitre.org/techniques/T1596/002/
KQL Detection Query
let WHOISPorts = dynamic([43]);
let WHOISWebDomains = dynamic([
"who.is", "whois.domaintools.com", "arin.net", "ripe.net", "apnic.net",
"lacnic.net", "afrinic.net", "whois.verisign-grs.com", "rdap.arin.net",
"rdap.ripe.net", "lookup.icann.org", "centralops.net", "viewdns.info",
"whoisology.com", "whois.icann.org"
]);
// Branch 1: WHOIS command-line tool execution on endpoints
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("whois.exe", "whois64.exe")
or (FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh",
"python.exe", "python3", "python3.exe")
and (ProcessCommandLine has "whois"
or ProcessCommandLine has "rdap.arin"
or ProcessCommandLine has "rdap.ripe"
or ProcessCommandLine has "whois.iana.org"
or ProcessCommandLine has "whois.verisign"))
| extend DetectionType = "WHOISToolExecution"
| extend TargetEntity = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType, TargetEntity;
// Branch 2: Outbound TCP connections to WHOIS protocol port 43
let WHOISProtocolNet = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (WHOISPorts)
| where RemoteIPType == "Public"
| extend DetectionType = "WHOISProtocolPort43"
| extend TargetEntity = strcat(RemoteIP, ":", tostring(RemotePort))
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, TargetEntity;
// Branch 3: Non-browser processes accessing known WHOIS lookup web services
let WebAPILookup = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (WHOISWebDomains)
| where InitiatingProcessFileName !in~ (
"msedge.exe", "chrome.exe", "firefox.exe",
"iexplore.exe", "opera.exe", "brave.exe", "safari.exe"
)
| extend DetectionType = "WHOISWebAPIAccess"
| extend TargetEntity = RemoteUrl
| project Timestamp, DeviceName,
AccountName = InitiatingProcessAccountName,
FileName = InitiatingProcessFileName,
ProcessCommandLine = InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
DetectionType, TargetEntity;
union ToolExecution, WHOISProtocolNet, WebAPILookup
| sort by Timestamp descDetects WHOIS reconnaissance activity through three complementary branches: (1) execution of WHOIS command-line tools (whois.exe, whois64.exe from Sysinternals) or scripted WHOIS queries via PowerShell, cmd.exe, bash, or Python targeting known RIR hostnames; (2) outbound TCP connections to port 43 (the WHOIS protocol port) from internal endpoints to public IPs; (3) non-browser processes accessing known WHOIS web lookup services and RDAP REST APIs. Browser-based WHOIS lookups are excluded from Branch 3 to reduce alert volume. This detection is most meaningful when triggered on servers, privileged workstations, or hosts that show correlated recon activity. Confidence is medium because the activity is ambiguous in isolation — context from the host and user identity is required for accurate triage.
Data Sources
Required Tables
False Positives & Tuning
- SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
- IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains
- Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management
- CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation
- Authorized red team and penetration testing engagements performing pre-attack reconnaissance against the organization
Other platforms for T1596.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Linux WHOIS Command-Line Domain Lookup
Expected signal: Sysmon for Linux Event ID 1 (if deployed): process creation with Image=/usr/bin/whois, CommandLine='whois example.com'. Linux auditd (if configured): EXECVE record showing whois command. Network connection on TCP port 43 to the appropriate RIR WHOIS server. DNS query for whois.iana.org or registrar-specific WHOIS server (whois.verisign-grs.com for .com domains).
- Test 2Windows PowerShell RDAP API Lookup via Invoke-RestMethod
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'rdap.arin.net'. Sysmon Event ID 3: Network connection from powershell.exe to rdap.arin.net on TCP port 443. Sysmon Event ID 22 (DNS Query): resolution of rdap.arin.net. PowerShell ScriptBlock Log Event ID 4104: full script content including the URL and Invoke-RestMethod call.
- Test 3Windows PowerShell Direct TCP WHOIS Query on Port 43
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=<whois.iana.org resolved IP>, DestinationPort=43, Protocol=tcp. Sysmon Event ID 22: DNS query for whois.iana.org. Sysmon Event ID 1: Process Create for powershell.exe with TcpClient and port 43 visible in CommandLine.
- Test 4Python Socket-Based WHOIS Query on Port 43
Expected signal: Sysmon for Linux Event ID 1: Process Create with Image=python3, CommandLine containing the socket code and 'whois.iana.org'. Sysmon for Linux Event ID 3: Network Connection from python3 to whois.iana.org on TCP port 43. DNS query for whois.iana.org in DNS resolver logs.
References (7)
- https://attack.mitre.org/techniques/T1596/002/
- https://www.iana.org/domains/whois
- https://www.arin.net/resources/registry/whois/rdap/
- https://www.ripe.net/manage-ips-and-asns/db/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1596.002/T1596.002.md
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
Unlock Pro Content
Get the full detection package for T1596.002 including response playbook, investigation guide, and atomic red team tests.