Detect WHOIS in Splunk
Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. Adversaries use WHOIS data to gather actionable information — identifying IP block ownership, registrant contact details, registrar and DNS nameserver relationships, and historical registration patterns. Information from these sources may reveal opportunities for other forms of reconnaissance (Active Scanning, Phishing for Information), establishing operational resources (Acquire Infrastructure, Compromise Infrastructure), and initial access (External Remote Services, Trusted Relationship). Because WHOIS is a public service queried outside the victim environment, direct detection requires monitoring for the downstream artifacts of the technique: WHOIS tool execution on a compromised host, outbound TCP port 43 connections, or scripted queries to WHOIS REST/RDAP APIs.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.002 WHOIS
- Canonical reference
- https://attack.mitre.org/techniques/T1596/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
    (EventCode=1
        (
            Image="*\\whois.exe" OR Image="*\\whois64.exe"
            OR
            (
                (CommandLine="*whois*" OR CommandLine="*rdap.*")
                AND (Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
                     OR Image="*\\cmd.exe" OR Image="*\\python.exe"
                     OR Image="*\\python3.exe" OR Image="*\\bash"
                     OR Image="*\\sh")
            )
        )
    )
    OR
    (EventCode=3 DestinationPort=43
        NOT DestinationIp="10.0.0.0/8"
        NOT DestinationIp="172.16.0.0/12"
        NOT DestinationIp="192.168.0.0/16"
        NOT DestinationIp="127.0.0.0/8"
    )
)
| eval DetectionType=case(
    EventCode=1 AND (match(Image, "(?i)whois") OR match(CommandLine, "(?i)\\b(whois|rdap)\\b")), "WHOISToolExecution",
    EventCode=3 AND DestinationPort=43, "WHOISProtocolPort43",
    true(), "WHOISActivity"
)
| eval TargetIndicator=case(
    EventCode=3, coalesce(DestinationHostname, DestinationIp)+":"+tostring(DestinationPort),
    EventCode=1, CommandLine,
    true(), null()
)
| eval SuspicionScore=case(
    DetectionType="WHOISToolExecution"
        AND match(CommandLine, "(?i)(arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|verisign|rdap)"), 3,
    DetectionType="WHOISToolExecution", 2,
    DetectionType="WHOISProtocolPort43", 2,
    true(), 1
)
| table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, DestinationHostname, DetectionType, TargetIndicator, SuspicionScore
| sort - SuspicionScore, - _time

Detects WHOIS reconnaissance using Sysmon events from the Microsoft-Windows-Sysmon/Operational channel. Event ID 1 (Process Create) catches execution of whois.exe/whois64.exe and scripted WHOIS or RDAP queries launched through PowerShell, cmd.exe, Python, or a shell, keyed on "whois" or "rdap." in the command line. Event ID 3 (Network Connection) catches direct TCP connections to port 43 (the WHOIS protocol port); destinations in the RFC1918 ranges and loopback are excluded with CIDR terms, so that 172.16.0.0/12 is covered in full (a plain "172.16.*" wildcard would only exclude 172.16.x.x) and an internal WHOIS mirror or proxy does not generate noise. A suspicion score (1-3) is assigned: score 3 indicates command lines explicitly referencing RIR infrastructure (arin.net, ripe.net, apnic.net, rdap), suggesting deliberate organization profiling rather than incidental use. Two caveats for triage: RDAP lookups travel over HTTPS (TCP 443), so they surface only through the process-creation branch, never the port-43 branch; and the Image wildcards assume Windows backslash paths, so Sysmon for Linux events (Image=/usr/bin/whois) need their own sourcetype and forward-slash patterns before Tests 1 and 4 of the Testing Methodology will fire. Higher scores should be prioritized for triage.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 1 Process Create and Event ID 3 Network Connection, as used by the query above)
False Positives & Tuning
- SOC analysts and threat intelligence teams using whois tools for legitimate domain investigations
- IT administrators querying WHOIS to verify domain registration details or expiry dates for corporate domains
- Security scanning platforms that incorporate WHOIS lookups as part of asset inventory
- CI/CD pipelines or automation scripts that verify domain ownership during deployment validation
- Authorized penetration testing engagements performing reconnaissance against the organization
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Linux WHOIS Command-Line Domain Lookup
  Expected signal: Sysmon for Linux Event ID 1 (if deployed): process creation with Image=/usr/bin/whois, CommandLine='whois example.com'. Linux auditd (if configured): EXECVE record showing the whois command. Network connection on TCP port 43 to the appropriate RIR WHOIS server. DNS query for whois.iana.org or the registrar-specific WHOIS server (whois.verisign-grs.com for .com domains).
- Test 2: Windows PowerShell RDAP API Lookup via Invoke-RestMethod
  Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Invoke-RestMethod' and 'rdap.arin.net'. Sysmon Event ID 3: Network connection from powershell.exe to rdap.arin.net on TCP port 443. Sysmon Event ID 22 (DNS Query): resolution of rdap.arin.net. PowerShell ScriptBlock Log Event ID 4104: full script content including the URL and the Invoke-RestMethod call.
- Test 3: Windows PowerShell Direct TCP WHOIS Query on Port 43
  Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationIp=<whois.iana.org resolved IP>, DestinationPort=43, Protocol=tcp. Sysmon Event ID 22: DNS query for whois.iana.org. Sysmon Event ID 1: Process Create for powershell.exe with TcpClient and port 43 visible in CommandLine.
- Test 4: Python Socket-Based WHOIS Query on Port 43
  Expected signal: Sysmon for Linux Event ID 1: Process Create with Image=python3, CommandLine containing the socket code and 'whois.iana.org'. Sysmon for Linux Event ID 3: Network Connection from python3 to whois.iana.org on TCP port 43. DNS query for whois.iana.org in DNS resolver logs.
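The following is an added example, not code from the original page or from the Atomic Red Team project: an offline Python model of the SPL detection's base search, DetectionType, TargetIndicator and SuspicionScore logic, replayed over constructed Sysmon-style events shaped like the four tests above plus two pieces of noise. Three things in it are assumptions of the model rather than a verbatim transcription of the query: an "rdap." command-line term (so an HTTPS RDAP lookup is caught by the process-creation branch), CIDR-based private-range exclusion (so 172.16.0.0/12 is covered in full), and acceptance of forward-slash image paths (so the two Linux tests can be modelled). The 192.0.2.x addresses are constructed TEST-NET values, not real WHOIS server IPs.

```python
"""Offline model of the WHOIS detection: base search, DetectionType, TargetIndicator
and SuspicionScore, replayed over constructed Sysmon-style events."""
import ipaddress
import re

# Ranges excluded from the port-43 branch. Proper CIDR checks: 172.16.0.0/12 covers
# 172.16.x through 172.31.x, which a "172.16.*" wildcard would not.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Native clients and script hosts the query watches. The extension-less "whois",
# "python" and "python3" entries are assumptions so Sysmon for Linux events fit the model.
WHOIS_CLIENTS = {"whois", "whois.exe", "whois64.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "python.exe", "python3.exe",
                "python", "python3", "bash", "sh"}

IMAGE_RE = re.compile(r"whois", re.IGNORECASE)
CMDLINE_RE = re.compile(r"\b(whois|rdap)\b", re.IGNORECASE)
RIR_RE = re.compile(r"arin\.net|ripe\.net|apnic\.net|lacnic\.net|afrinic\.net|verisign|rdap",
                    re.IGNORECASE)


def basename(image: str) -> str:
    """Last path component; accepts Windows and Linux separators (model assumption)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_excluded_ip(ip: str) -> bool:
    """True for RFC1918 and loopback destinations; unparsable values are not excluded."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXCLUDED_NETS)


def matches_base_search(ev: dict) -> bool:
    """Initial filter: EID 1 for WHOIS clients or scripted lookups, EID 3 for public TCP/43."""
    code = ev.get("EventCode")
    if code == 1:
        image = basename(ev.get("Image", ""))
        cmd = (ev.get("CommandLine") or "").lower()
        if image in WHOIS_CLIENTS:
            return True
        return image in SCRIPT_HOSTS and ("whois" in cmd or "rdap." in cmd)
    if code == 3:
        return ev.get("DestinationPort") == 43 and not is_excluded_ip(ev.get("DestinationIp", ""))
    return False


def evaluate(ev: dict):
    """Return the enriched row the query would emit for one event, or None if filtered out."""
    if not matches_base_search(ev):
        return None
    code, image, cmd = ev.get("EventCode"), ev.get("Image", ""), ev.get("CommandLine") or ""
    # DetectionType: same case() order as the SPL.
    if code == 1 and (IMAGE_RE.search(image) or CMDLINE_RE.search(cmd)):
        dtype = "WHOISToolExecution"
    elif code == 3 and ev.get("DestinationPort") == 43:
        dtype = "WHOISProtocolPort43"
    else:
        dtype = "WHOISActivity"
    # TargetIndicator: host:port for connections, the command line for process creations.
    if code == 3:
        target = f"{ev.get('DestinationHostname') or ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
    else:
        target = cmd or None
    # SuspicionScore: explicit RIR/RDAP references in a tool execution rank highest.
    if dtype == "WHOISToolExecution" and RIR_RE.search(cmd):
        score = 3
    elif dtype in ("WHOISToolExecution", "WHOISProtocolPort43"):
        score = 2
    else:
        score = 1
    return {"host": ev.get("host"), "Image": image, "DetectionType": dtype,
            "TargetIndicator": target, "SuspicionScore": score}


def run_detection(events):
    """Apply the detection to a batch; highest SuspicionScore first, like the SPL sort."""
    rows = [r for r in (evaluate(e) for e in events) if r is not None]
    return sorted(rows, key=lambda r: -r["SuspicionScore"])


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events: one or two per test above, then two pieces of benign noise.
SAMPLE_EVENTS = [
    # Test 1: Linux whois binary
    {"host": "lnx01", "EventCode": 1, "Image": "/usr/bin/whois", "CommandLine": "whois example.com"},
    # Test 2: PowerShell RDAP lookup; the connection is HTTPS, so only the process event can fire
    {"host": "win01", "EventCode": 1, "Image": PS,
     "CommandLine": "powershell.exe -Command Invoke-RestMethod -Uri https://rdap.arin.net/registry/ip/192.0.2.1"},
    {"host": "win01", "EventCode": 3, "Image": PS, "DestinationIp": "192.0.2.20",
     "DestinationHostname": "rdap.arin.net", "DestinationPort": 443},
    # Test 3: PowerShell TcpClient to port 43
    {"host": "win01", "EventCode": 3, "Image": PS, "DestinationIp": "192.0.2.10",
     "DestinationHostname": "whois.iana.org", "DestinationPort": 43},
    # Test 4: Python socket query from Linux
    {"host": "lnx01", "EventCode": 1, "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c \"import socket; s=socket.create_connection(('whois.iana.org', 43))\""},
    # Noise: TCP/43 to an internal 172.20.x mirror (inside 172.16.0.0/12) and an unrelated process
    {"host": "win02", "EventCode": 3, "Image": "C:\\Tools\\netcat.exe", "DestinationIp": "172.20.1.5",
     "DestinationHostname": "whois-mirror.corp.example", "DestinationPort": 43},
    {"host": "win02", "EventCode": 1, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "CommandLine": "browser.exe --profile"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running the block yields four rows: the RDAP process creation at score 3, then the Linux whois execution, the PowerShell port-43 connection and the Python socket query at score 2. The RDAP connection on 443 and the port-43 connection to the 172.20.x mirror produce nothing, which is the behaviour to expect from the query and the reason the 172.16.0.0/12 exclusion matters when tuning.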
References
- https://attack.mitre.org/techniques/T1596/002/
- https://www.iana.org/domains/whois
- https://www.arin.net/resources/registry/whois/rdap/
- https://www.ripe.net/manage-ips-and-asns/db/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1596.002/T1596.002.md
- https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions