title: Client Configurations (T1592.004)
id: df00tech-t1592-004
status: experimental
description: "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (32 or 64 bit), language, and/or time zone. Adversaries gather this information via active scanning (listening ports, server banners, user agent strings), phishing for information, or by compromising sites to deploy malicious JavaScript frameworks such as ScanBox that collect host information from visitors. HAFNIUM has used this technique to interact with Office 365 tenants to gather details about target environments. Collected client configuration data enables adversaries to select targeted exploits, craft convincing phishing lures, identify vulnerable software versions, and tailor payloads to victim architectures."
references:
  - https://attack.mitre.org/techniques/T1592/004/
  - https://df00tech.com/detections/T1592.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1592.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Web analytics platforms (Google Analytics, Mixpanel, Amplitude) use POST requests to similar collection endpoint paths for behavioral telemetry — allowlist known analytics vendor domains in the ScanBoxCollectionPaths branch"
  - "Security awareness training platforms (KnowBe4, Proofpoint Security Awareness) simulate watering hole fingerprinting for phishing simulation campaigns and will generate matching proxy log events"
  - "Internal application performance monitoring tools (Dynatrace RUM, New Relic Browser) collect client configuration data via JavaScript agents that POST to similarly named endpoints"
  - "Legitimate service principal integrations with Office 365 using automated credentials (Python SDKs, Azure CLI, MSAL libraries) will trigger the O365 tenant enumeration branch — filter by registered application client IDs if known"
level: medium
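The rule's own detection block is a placeholder (the KQL/SPL lives on df00tech), but the falsepositives entries describe two branches clearly enough to sketch: POSTs to fingerprint-collection paths from many internal clients (the ScanBoxCollectionPaths branch) and Office 365 sign-ins from automation user agents that are not a registered application. The script below is an added example, not the df00tech rule or MITRE's content; the event field names, the path fragments in `SCANBOX_COLLECTION_PATHS`, the allowlist entries, the minimum-client threshold and every sample record are constructed for this example and must be tuned to the real environment.

```python
"""Added example (not code from the df00tech rule or from MITRE): a screen for the two
branches the rule's falsepositives entries mention, run over constructed sample events.

Assumptions, none taken from the rule: the event field names, the path fragments in
SCANBOX_COLLECTION_PATHS (placeholders for whatever the real branch matches), the
allowlist contents, the client threshold and the sample records are all constructed."""
from collections import defaultdict

# Placeholder path fragments for browser-fingerprint collection endpoints (constructed).
SCANBOX_COLLECTION_PATHS = ("/collect", "/fingerprint", "/plugins", "/clientinfo")

# Known analytics / RUM vendor hosts to suppress (example entries; extend per environment).
ANALYTICS_ALLOWLIST = {"www.google-analytics.com", "api.mixpanel.com"}

# User-agent substrings of the automated clients the O365 branch keys on.
AUTOMATION_UA_MARKERS = ("python-requests", "azure-cli", "msal", "powershell")

MIN_DISTINCT_CLIENTS = 3  # a watering hole collects from many visitors, not one


def _is_collection_post(ev):
    path = ev["path"].lower()
    return ev["method"] == "POST" and any(p in path for p in SCANBOX_COLLECTION_PATHS)


def scanbox_candidates(proxy_events, allowlist=ANALYTICS_ALLOWLIST,
                       min_clients=MIN_DISTINCT_CLIENTS):
    """Return {host: sorted client IPs} for hosts receiving fingerprint-style POSTs from
    at least `min_clients` distinct internal clients, excluding allowlisted vendors."""
    clients = defaultdict(set)
    for ev in proxy_events:
        if ev["host"].lower() in allowlist:
            continue  # falsepositives 1 and 3: analytics / APM beacons
        if _is_collection_post(ev):
            clients[ev["host"]].add(ev["src_ip"])
    return {h: sorted(ips) for h, ips in clients.items() if len(ips) >= min_clients}


def o365_enumeration_candidates(signin_events, registered_app_ids):
    """Return sign-ins from automation clients whose app id is not a registered
    integration (falsepositive 4: filter by known application client IDs)."""
    hits = []
    for ev in signin_events:
        ua = ev.get("user_agent", "").lower()
        if not any(m in ua for m in AUTOMATION_UA_MARKERS):
            continue
        if ev.get("app_id") in registered_app_ids:
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real logs).
SAMPLE_PROXY = [
    {"src_ip": "10.0.0.11", "method": "POST", "host": "www.google-analytics.com", "path": "/collect"},
    {"src_ip": "10.0.0.12", "method": "POST", "host": "www.google-analytics.com", "path": "/collect"},
    {"src_ip": "10.0.0.13", "method": "POST", "host": "www.google-analytics.com", "path": "/collect"},
    {"src_ip": "10.0.0.11", "method": "POST", "host": "cdn.watering-hole.example", "path": "/js/plugins"},
    {"src_ip": "10.0.0.12", "method": "POST", "host": "cdn.watering-hole.example", "path": "/js/plugins"},
    {"src_ip": "10.0.0.14", "method": "POST", "host": "cdn.watering-hole.example", "path": "/js/plugins"},
    {"src_ip": "10.0.0.15", "method": "GET", "host": "cdn.watering-hole.example", "path": "/js/plugins"},
    {"src_ip": "10.0.0.16", "method": "POST", "host": "intranet.example", "path": "/fingerprint"},  # one client
]

SAMPLE_SIGNINS = [
    {"user": "svc-backup", "app_id": "00000000-0000-0000-0000-00000000aaaa", "user_agent": "python-requests/2.31"},
    {"user": "alice", "app_id": "00000000-0000-0000-0000-00000000bbbb", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"user": "bob", "app_id": "00000000-0000-0000-0000-00000000cccc", "user_agent": "azure-cli/2.55.0"},
]
REGISTERED_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}  # constructed placeholder id

if __name__ == "__main__":
    for host, ips in scanbox_candidates(SAMPLE_PROXY).items():
        print(f"ScanBox-style collection: {host} <- {len(ips)} clients {ips}")
    for ev in o365_enumeration_candidates(SAMPLE_SIGNINS, REGISTERED_APP_IDS):
        print(f"O365 automation client not registered: {ev['user']} via {ev['user_agent']}")
```

On the sample data the analytics host is suppressed by the allowlist, the single-client intranet POST falls under the threshold, and only the host collecting from three distinct clients surfaces; for the sign-in branch the registered service principal is dropped and only the unregistered CLI session remains. The distinct-client threshold is the design choice worth keeping when porting this to the real query: one browser beaconing to an unknown collection path is noise, many browsers beaconing to the same one is what a compromised site looks like.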
