title: WHOIS (T1596.002)
id: df00tech-t1596-002
status: experimental
description: "Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. Adversaries use WHOIS data to gather actionable information — identifying IP block ownership, registrant contact details, registrar and DNS nameserver relationships, and historical registration patterns. Information from these sources may reveal opportunities for other forms of reconnaissance (Active Scanning, Phishing for Information), establishing operational resources (Acquire Infrastructure, Compromise Infrastructure), and initial access (External Remote Services, Trusted Relationship). Because WHOIS is a public service queried outside the victim environment, direct detection requires monitoring for the downstream artifacts of the technique: WHOIS tool execution on a compromised host, outbound TCP port 43 connections, or scripted queries to WHOIS REST/RDAP APIs."
references:
  - https://attack.mitre.org/techniques/T1596/002/
  - https://df00tech.com/detections/T1596.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1596.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - SOC analysts and threat intelligence teams using whois.exe or PowerShell RDAP queries during legitimate domain investigations or incident response
  - "IT administrators querying WHOIS to verify domain registration details, expiry dates, or registrar contact information for corporate domains"
  - "Security scanning platforms (Qualys, Tenable, Rapid7) and OSINT automation pipelines that incorporate WHOIS lookups as part of asset inventory or attack surface management"
  - CI/CD pipelines or infrastructure-as-code scripts that verify domain ownership or nameserver configuration during deployment validation
  - Authorized red team and penetration testing engagements performing pre-attack reconnaissance against the organization
level: low