title: Domain Properties (T1590.001)
id: df00tech-t1590-001
status: experimental
description: "Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (name, registrar, etc.) and more directly actionable information such as contacts, business addresses, and name servers. Adversaries gather this information via direct collection (WHOIS queries, DNS enumeration), passive data sets, or by querying publicly accessible API endpoints such as Microsoft's GetUserRealm and autodiscover APIs in Office 365/Azure environments. Tools such as AADInternals leverage these public APIs to enumerate tenant domain details, federation configuration, and company metadata — all without authenticating to the target environment."
references:
  - https://attack.mitre.org/techniques/T1590/001/
  - https://df00tech.com/detections/T1590.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1590.001
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The selection below is a minimal process-creation starting point built from the
# indicators named in the description (AADInternals recon cmdlets, GetUserRealm
# lookups, WHOIS clients); the full KQL/SPL query on df00tech covers further sources
# such as Azure AD audit operations (List domains, List organization).
logsource:
  category: process_creation
  product: windows
detection:
  selection_aadinternals:
    CommandLine|contains:
      - 'Get-AADIntTenantDomains'
      - 'Get-AADIntLoginInformation'
      - 'Invoke-AADIntReconAsOutsider'
      - 'GetUserRealm.srf'
  selection_whois:
    Image|endswith: '\whois.exe'
  condition: 1 of selection_*
falsepositives:
  - "IT administrators performing legitimate WHOIS lookups to verify domain registrations, check expiry dates, or investigate abuse complaints"
  - "Security teams using AADInternals or similar tools for authorized red team exercises, tenant health checks, or identity posture assessments"
  - "DevOps/cloud automation scripts querying Azure AD domain configuration (List domains, List organization) during infrastructure provisioning or validation pipelines"
  - "Third-party SaaS connectors and monitoring platforms that enumerate Azure AD tenant domain details during onboarding or health monitoring"
  - "Domain registrars or managed DNS provider tools that perform routine WHOIS queries as part of domain portfolio management workflows"
level: medium
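The following is an added worked example, not part of the df00tech rule or the AADInternals project: it applies a process-creation selection for the activity named in the description (AADInternals outsider-recon cmdlets, GetUserRealm lookups, WHOIS clients) to a handful of constructed Sysmon-style events, with an optional allowlist for the red-team and automation accounts listed under falsepositives. The event field names (`Image`, `CommandLine`, `User`), the sample domain `contoso.example`, and the allowlisted account are assumptions chosen for the example; the matching mirrors Sigma semantics, where `|contains` and `|endswith` compare case-insensitively.

```python
"""Added example: evaluate a T1590.001 process-creation selection offline.

Not the df00tech rule's own query; field names follow the Sigma
process_creation taxonomy for Windows (Image, CommandLine, User).
"""

# Constructed sample events (Sysmon Event ID 1 style). Not real telemetry.
SAMPLE_EVENTS = [
    {   # AADInternals outsider recon from PowerShell: should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoP -C "Import-Module AADInternals; '
                       'Invoke-AADIntReconAsOutsider -DomainName contoso.example"',
        "User": r"CONTOSO\jdoe",
    },
    {   # WHOIS client launched by a regular user: should match
        "Image": r"C:\Tools\whois.exe",
        "CommandLine": "whois.exe contoso.example",
        "User": r"CONTOSO\jdoe",
    },
    {   # Direct GetUserRealm lookup with curl: should match
        "Image": r"C:\Windows\System32\curl.exe",
        "CommandLine": "curl.exe https://login.microsoftonline.com/"
                       "GetUserRealm.srf?login=user@contoso.example",
        "User": r"CONTOSO\jdoe",
    },
    {   # Same recon cmdlet, but run by an authorised red-team account
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -C Get-AADIntTenantDomains -Domain contoso.example",
        "User": r"CONTOSO\svc-redteam",  # assumed allowlisted account
    },
    {   # Benign process: must not match
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
        "User": r"CONTOSO\jdoe",
    },
]

# CommandLine|contains indicators, as in the selection above.
COMMANDLINE_INDICATORS = (
    "Get-AADIntTenantDomains",
    "Get-AADIntLoginInformation",
    "Invoke-AADIntReconAsOutsider",
    "GetUserRealm.srf",
)

# Image|endswith indicator for the WHOIS selection.
WHOIS_IMAGE_SUFFIX = "\\whois.exe"


def match_t1590_001(event, allowlisted_users=frozenset()):
    """Return the name of the matching selection, or None.

    Case-insensitive on purpose: Sigma string modifiers compare without
    regard to case, so 'GETUSERREALM.SRF' must still fire. Events from
    allowlisted accounts are suppressed to cover the documented false
    positives (authorised red-team tooling, provisioning automation).
    """
    if event.get("User", "").lower() in {u.lower() for u in allowlisted_users}:
        return None
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    if any(ind.lower() in cmd for ind in COMMANDLINE_INDICATORS):
        return "selection_aadinternals"
    if image.endswith(WHOIS_IMAGE_SUFFIX):
        return "selection_whois"
    return None


def run_detection(events, allowlisted_users=frozenset()):
    """Return [(event_index, selection_name)] for every event that fires."""
    hits = []
    for idx, event in enumerate(events):
        selection = match_t1590_001(event, allowlisted_users)
        if selection:
            hits.append((idx, selection))
    return hits


if __name__ == "__main__":
    for idx, sel in run_detection(SAMPLE_EVENTS, {r"CONTOSO\svc-redteam"}):
        print(f"event {idx}: {sel} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Tune the allowlist to the accounts and hosts that legitimately run tenant enumeration in your environment rather than suppressing on the cmdlet name itself; an attacker on an administrator's workstation will use exactly the same tooling as your identity team.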
