title: Search Victim-Owned Websites (T1594)
id: df00tech-t1594
status: experimental
description: "This detection identifies adversary reconnaissance activity targeting victim-owned websites, including automated crawling, directory enumeration, and harvesting of sensitive pages such as robots.txt, sitemap.xml, staff/contact directories, and hidden paths. Because T1594 is a PRE-ATT&CK technique occurring outside the victim network, detection relies on web server access logs, WAF telemetry, and CDN logs ingested into SIEM. Detection focuses on high-volume requests from single source IPs, enumeration of employee/contact pages, known scraping tool user agents, and sequential access patterns indicative of automated reconnaissance tools used by groups like Kimsuky, Volt Typhoon, Silent Librarian, and Sandworm Team."
references:
  - https://attack.mitre.org/techniques/T1594/
  - https://df00tech.com/detections/T1594
author: df00tech
date: 2026/03/19
tags:
  - attack.t1594
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) with high request volumes — filter by known crawler IP ranges and UA strings"
  - Authorized penetration testing or red team engagements scheduled by the organization — cross-reference with change management records
  - Web archiving services such as archive.org (Internet Archive) performing scheduled snapshots
  - "SEO audit tools used by the marketing team (Screaming Frog, Ahrefs, SEMrush bots)"
  - "Load testing tools (Apache JMeter, k6, Locust) run by the engineering team generating high 404 rates"
level: medium
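The detection focus described above (per-source request volume, 404 bursts from path enumeration, hits on robots.txt, sitemap.xml and staff/contact pages, scraping-tool User-Agents, and the crawler allowlisting from the false-positive list), as an added Python example run over constructed Combined Log Format lines. It is not part of the df00tech rule or its KQL/SPL query; the path list, UA markers and thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
# Assumption: Apache/nginx Combined Log Format; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Indicators taken from the rule description; thresholds are illustrative assumptions to tune per site.
SENSITIVE_PATHS = ("/robots.txt", "/sitemap.xml", "/staff", "/contact", "/team")
SCRAPER_UA = ("python-requests", "curl/", "wget/", "scrapy", "go-http-client")
KNOWN_CRAWLER_UA = ("googlebot", "bingbot", "duckduckbot", "archive.org_bot")
VOLUME_THRESHOLD = 20    # requests from one source IP in the analysed window
NOTFOUND_THRESHOLD = 10  # 404s from one source IP, typical of path enumeration

def score_sources(lines):
    """Aggregate per-IP stats; return {ip: [reasons]} for sources matching the T1594 criteria."""
    stats = defaultdict(lambda: {"n": 0, "nf": 0, "sens": set(), "scraper": False, "crawler": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        s, ua = stats[m["ip"]], m["ua"].lower()
        s["n"] += 1
        s["nf"] += m["status"] == "404"
        if m["path"].startswith(SENSITIVE_PATHS):
            s["sens"].add(m["path"])
        s["scraper"] |= any(t in ua for t in SCRAPER_UA)
        s["crawler"] |= any(t in ua for t in KNOWN_CRAWLER_UA)
    findings = {}
    for ip, s in stats.items():
        checks = [(s["n"] >= VOLUME_THRESHOLD, "high_volume"),
                  (s["nf"] >= NOTFOUND_THRESHOLD, "enumeration_404s"),
                  (len(s["sens"]) >= 3, "sensitive_pages:" + ",".join(sorted(s["sens"]))),
                  (s["scraper"], "scraper_user_agent")]
        reasons = [label for hit, label in checks if hit]
        # UA allowlist mirrors the rule's false-positive guidance; in production also verify the
        # source IP against the crawler's published ranges, since a User-Agent string is trivially set.
        if reasons and not s["crawler"]:
            findings[ip] = reasons
    return findings

def _line(ip, path, status, ua):  # helper to build constructed combined-format lines
    return f'{ip} - - [19/Mar/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

SAMPLE_LOG = (  # one enumerating client, one legitimate crawler burst, one ordinary visitor
    [_line("203.0.113.7", p, 200, "python-requests/2.31") for p in SENSITIVE_PATHS[:4]]
    + [_line("203.0.113.7", f"/dir{i}/", 404, "python-requests/2.31") for i in range(18)]
    + [_line("192.0.2.5", f"/page{i}", 200, "Mozilla/5.0 (compatible; Googlebot/2.1)") for i in range(25)]
    + [_line("198.51.100.9", "/contact", 200, "Mozilla/5.0 (Windows NT 10.0)")]
)
```

Running `score_sources(SAMPLE_LOG)` flags only 203.0.113.7; the Googlebot burst is suppressed by the UA allowlist and the single ordinary visitor never crosses a threshold.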
