T1046

Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods include port, vulnerability, and wordlist scans using tools such as nmap, masscan, zmap, CrackMapExec, and custom port scanners. Within cloud environments, adversaries may discover services on other cloud hosts or connected on-premises systems. On macOS, adversaries may leverage Bonjour/mDNSResponder to discover advertised services. Threat actors including Volt Typhoon, APT39, BlackTech, menuPass, FIN13, and ransomware operators like BlackByte routinely perform network service discovery as part of internal reconnaissance before lateral movement.

Microsoft Sentinel / Defender

kusto

let ScanningTools = dynamic([
  "nmap", "masscan", "zmap", "netscan", "portscan", "superscan",
  "angryip", "advanced_ip_scanner", "advanced ip scanner",
  "tcping", "winegddrop", "bluetorch", "snsscan", "nbtscan",
  "netdiscover", "unicornscan", "rustscan"
]);
let ScanningCLIPatterns = dynamic([
  "-sS", "-sT", "-sU", "-sV", "-sn", "-p ", "--top-ports",
  "-A ", "--script", "--open", "-Pn",
  "scan", "--rate", "--ports",
  "/scan", "/p:"
]);
let NativeScanPatterns = dynamic([
  "net view", "net use\\\\", "netstat -an", "netstat -a",
  "arp -a", "route print",
  "Test-NetConnection", "TNC ", "Test-Connection",
  "1..254", "1..65535",
  "New-Object Net.Sockets.TcpClient", "System.Net.Sockets"
]);
let ScanningProcesses = dynamic([
  "nmap.exe", "masscan.exe", "zmap.exe", "netscan.exe",
  "tcping.exe", "superscan.exe", "angryipscan.exe",
  "nbtscan.exe", "nbtscan-unixwiz.exe", "winegddrop.exe"
]);
// Branch 1: Known scanning tool execution
let KnownScanners = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanningProcesses)
    or (ProcessCommandLine has_any (ScanningTools) and not ProcessCommandLine has_any ("update", "install", "help", "--version"))
| extend DetectionType = "KnownScanningTool"
| extend RiskIndicators = pack_array(
    iff(FileName has_any (ScanningProcesses), "KnownScannerBinary", ""),
    iff(ProcessCommandLine has "-sS" or ProcessCommandLine has "-sT", "SynOrTcpScan", ""),
    iff(ProcessCommandLine has "-sV" or ProcessCommandLine has "--script", "ServiceVersionProbe", ""),
    iff(ProcessCommandLine has "-p " or ProcessCommandLine has "--top-ports" or ProcessCommandLine has "--ports", "PortRangeSpecified", "")
  );
// Branch 2: Native tool / LOLBin scanning patterns
let NativeScanning = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
    and ProcessCommandLine has_any (NativeScanPatterns)
| extend DetectionType = "NativeToolScanning"
| extend RiskIndicators = pack_array(
    iff(ProcessCommandLine has "1..254" or ProcessCommandLine has "1..65535", "LoopPortOrHostScan", ""),
    iff(ProcessCommandLine has "Net.Sockets", "DotNetSocketScan", ""),
    iff(ProcessCommandLine has "Test-NetConnection" or ProcessCommandLine has "TNC ", "TestNetConnection", ""),
    iff(ProcessCommandLine has "netstat", "ServiceEnumeration", "")
  );
// Combine and enrich
KnownScanners
| union NativeScanning
| extend IsInteractiveUser = AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend InitiatingContext = strcat(InitiatingProcessFileName, " -> ", FileName)
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, InitiatingContext,
         DetectionType, RiskIndicators, IsInteractiveUser
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Network engineers and IT administrators running nmap or AngryIP Scanner for authorized network inventory and asset discovery
Vulnerability management platforms (Nessus, Qualys, Rapid7 InsightVM agents) performing scheduled authenticated scans
Security operations teams running port scans during authorized penetration tests or purple team exercises
Monitoring tools using Test-NetConnection or netstat scripts to verify service availability and health checks
DevOps pipelines performing connectivity checks (Test-NetConnection, TCP client probes) during deployment validation

Splunk

spl

index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
(
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\zmap.exe" OR Image="*\\tcping.exe"
     OR Image="*\\netscan.exe" OR Image="*\\superscan.exe" OR Image="*\\nbtscan.exe"
     OR Image="*\\angryipscan.exe" OR Image="*\\winegddrop.exe")
  | return 10000 _raw]
)
OR
(
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe")
    (CommandLine="*test-netconnection*" OR CommandLine="*tnc *" OR CommandLine="*net.sockets*"
     OR CommandLine="*1..254*" OR CommandLine="*1..65535*" OR CommandLine="*netstat*"
     OR CommandLine="*arp -a*" OR CommandLine="*net view*")
  | return 10000 _raw]
)
| eval KnownScanner=if(match(ImageLower, "(nmap|masscan|zmap|tcping|netscan|superscan|nbtscan|angryipscan|winegddrop)"), 1, 0)
| eval NativeScan=if(match(CommandLineLower, "(test-netconnection|\btnc\b|net\.sockets|1\.\.254|1\.\.65535|netstat\s+-an|arp\s+-a|net\s+view)"), 1, 0)
| eval PortRangeFlag=if(match(CommandLineLower, "(-p\s+|--top-ports|--ports|/p:)"), 1, 0)
| eval ServiceVersionProbe=if(match(CommandLineLower, "(-sv|--script|--open|-a\s)"), 1, 0)
| eval SuspicionScore=KnownScanner + NativeScan + PortRangeFlag + ServiceVersionProbe
| where SuspicionScore > 0
| eval DetectionType=case(
    KnownScanner=1, "KnownScanningTool",
    NativeScan=1, "NativeToolScanning",
    1=1, "PortScanPattern"
  )
| eval User=coalesce(User, SubjectUserName)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        KnownScanner, NativeScan, PortRangeFlag, ServiceVersionProbe, SuspicionScore, DetectionType
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Network engineers and IT administrators running authorized scanning tools for asset inventory
Vulnerability scanners (Nessus, Qualys) running scheduled authenticated scans from designated scan hosts
Security teams conducting authorized penetration tests or red team exercises
Monitoring and observability tooling using Test-NetConnection or socket tests for availability checks
IT automation scripts using netstat or arp to validate network configuration during deployments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicetime AS DeviceTime,
  sourceip AS SourceIP,
  username AS UserName,
  "LOGSOURCENAME"(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(category) AS CategoryName,
  "UTF8"(payload) AS RawPayload
FROM events
WHERE
  starttime > DATEADD('hour', -24, now())
  AND (
    LOGSOURCETYPEID = 12    /* Microsoft Windows Security Event Log */
    OR LOGSOURCETYPEID = 352  /* Microsoft Sysmon */
    OR LOGSOURCETYPEID = 380  /* Universal DSM / Windows Forwarded Events */
  )
  AND (
    /* Known scanning tool binaries in process image path */
    payload ILIKE '%\nmap.exe%'
    OR payload ILIKE '%\masscan.exe%'
    OR payload ILIKE '%\zmap.exe%'
    OR payload ILIKE '%\netscan.exe%'
    OR payload ILIKE '%\tcping.exe%'
    OR payload ILIKE '%\superscan.exe%'
    OR payload ILIKE '%\angryipscan.exe%'
    OR payload ILIKE '%\nbtscan.exe%'
    OR payload ILIKE '%\winegddrop.exe%'
    OR payload ILIKE '%\rustscan%'
    OR payload ILIKE '%\netdiscover%'
    OR (
      /* Native LOLBin scanning patterns in PowerShell / cmd */
      (
        payload ILIKE '%powershell%'
        OR payload ILIKE '%pwsh%'
        OR payload ILIKE '%cmd.exe%'
      )
      AND (
        payload ILIKE '%test-netconnection%'
        OR payload ILIKE '%New-Object Net.Sockets%'
        OR payload ILIKE '%System.Net.Sockets%'
        OR payload ILIKE '%1..254%'
        OR payload ILIKE '%1..65535%'
        OR payload ILIKE '%netstat -an%'
        OR payload ILIKE '%netstat -a%'
        OR payload ILIKE '%arp -a%'
        OR payload ILIKE '%net view%'
        OR payload ILIKE '%route print%'
      )
    )
  )
  /* Exclude known-benign administrative account noise */
  AND username NOT ILIKE '%$'
ORDER BY starttime DESC
LIMIT 500

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (Event ID 4688 — process creation with command line auditing enabled) Microsoft Sysmon (Event ID 1 — ProcessCreate) Windows Forwarded Events via WEF

Required Tables

events

False Positives

Network engineers using nmap or tcping for legitimate circuit testing, latency checks, or firewall rule validation on managed infrastructure segments
SOC analysts running authorised internal red team or purple team exercises using masscan or nmap on isolated lab segments with change-ticket approval
Automated infrastructure-as-code tooling (Ansible, Terraform health checks, Nagios) that invokes netstat or Test-NetConnection to verify service states after deployments

Sumo Logic CSE

sql

(_sourceCategory=*Windows/Sysmon* OR _sourceCategory=*WinEventLog/Security* OR _sourceCategory=*windows/security*)
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmdline nodrop
| parse field=Image "*" as image_path nodrop
| parse field=NewProcessName "*" as image_path2 nodrop
| eval image_path = if(isNull(image_path), image_path2, image_path)
| eval cmdline_lower = toLowerCase(cmdline)
| eval image_lower = toLowerCase(image_path)
/* Flag known scanning tool binaries */
| eval known_scanner = if(
    matches(image_lower, ".*(nmap\.exe|masscan\.exe|zmap\.exe|netscan\.exe|tcping\.exe|superscan\.exe|nbtscan\.exe|angryipscan\.exe|winegddrop\.exe|rustscan|netdiscover|unicornscan).*"),
    1, 0
  )
/* Flag native LOLBin scanning in PowerShell/cmd */
| eval native_scan = if(
    matches(image_lower, ".*(powershell\.exe|pwsh\.exe|cmd\.exe).*")
    AND matches(cmdline_lower, ".*(test-netconnection|tnc\s|net\.sockets|1\.\.254|1\.\.65535|netstat\s+-a|arp\s+-a|net\s+view|net\s+use\\\\|route\s+print).*"),
    1, 0
  )
/* Flag port range or scan-flag arguments */
| eval port_range = if(
    matches(cmdline_lower, ".*(-p\s+|--top-ports|--ports|/p:|--rate).*"),
    1, 0
  )
/* Flag service version or aggressive scan flags */
| eval service_version = if(
    matches(cmdline_lower, ".*(-sv|-ss|-st|-su|-sn|--script|--open|-pn).*"),
    1, 0
  )
| eval suspicion_score = known_scanner + native_scan + port_range + service_version
| where suspicion_score > 0
| eval detection_type = if(known_scanner = 1, "KnownScanningTool",
    if(native_scan = 1, "NativeToolScanning", "PortScanPattern")
  )
| eval user = if(isNull(User), SubjectUserName, User)
| eval parent_image = if(isNull(ParentImage), ParentProcessName, ParentImage)
/* Exclude machine accounts */
| where !matches(user, ".*\$")
| fields _time, host, user, image_path, cmdline, parent_image,
         known_scanner, native_scan, port_range, service_version,
         suspicion_score, detection_type
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Security, Sysmon/Operational) Sumo Logic Cloud Syslog via Windows Event Forwarding Sumo Logic Cloud-to-Cloud Microsoft Windows Event Log source

Required Tables

_sourceCategory=*Windows/Sysmon* _sourceCategory=*WinEventLog/Security*

False Positives

Security tooling such as Tenable Nessus, Rapid7 InsightVM, or Qualys agents may spawn nmap or custom port scanners as part of authenticated credentialed network scan jobs
DevOps pipelines using PowerShell Test-NetConnection or custom TCP health-check scripts to verify dependent service availability across microservice environments before deployment gates
IT helpdesk staff troubleshooting network connectivity issues using built-in Windows tools such as netstat, arp, and route print from interactive desktop sessions

Google Chronicle / SecOps

yaral

rule t1046_network_service_discovery {
  meta:
    author = "Detection Engineering — Argus Platform"
    description = "Detects network service discovery via known scanning tool execution or native LOLBin port-scan patterns consistent with internal reconnaissance before lateral movement"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1046"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1046/"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-17"
    confidence = "HIGH"
    threat_actors = "Volt Typhoon, APT39, BlackTech, menuPass, FIN13, BlackByte ransomware"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      /* Branch 1: Known scanning tool binary execution */
      re.regex(
        $e.target.process.file.full_path,
        `(?i)(nmap\.exe|masscan\.exe|zmap\.exe|netscan\.exe|tcping\.exe|superscan\.exe|angryipscan\.exe|nbtscan\.exe|nbtscan-unixwiz\.exe|winegddrop\.exe|rustscan|netdiscover|unicornscan)`
      )
      or
      /* Branch 2: Native LOLBin with scanning CLI patterns */
      (
        re.regex(
          $e.target.process.file.full_path,
          `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe)`
        )
        and re.regex(
          $e.target.process.command_line,
          `(?i)(test-netconnection|tnc\s|[Nn]et\.Sockets\.TcpClient|System\.Net\.Sockets|1\.\.254|1\.\.65535|netstat\s+-a|arp\s+-a|net\s+view|net\s+use\\\\|route\s+print|new-object\s+net\.sockets)`
        )
      )
      or
      /* Branch 3: Scanning CLI flags in any process */
      (
        re.regex(
          $e.target.process.command_line,
          `(\s-sS\s|\s-sT\s|\s-sU\s|\s-sV\s|\s-sn\s|--top-ports|--script\s|--rate\s|\s-Pn\s|\s-p\s[0-9])`
        )
        and not re.regex(
          $e.target.process.command_line,
          `(?i)(--version|--help|install|update|man\s)`
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM via Bindplane/Chronicle Forwarder ingesting Windows Sysmon (Event ID 1) Chronicle Endpoint Detection and Response telemetry Windows Event Logs forwarded to Chronicle via Chronicle Forwarder or ingestion API

Required Tables

UDM Event type PROCESS_LAUNCH target.process.file.full_path target.process.command_line principal.hostname

False Positives

Authorised red team or penetration testing engagements where nmap or masscan is executed from a designated attack host — these should be excluded by principal.hostname allowlist or time-window suppression tied to the engagement change record
Network monitoring daemons or SNMP discovery services that spawn short-lived processes with port-probe arguments as part of scheduled topology mapping
System administrators using PowerShell remoting health-check scripts that iterate IP ranges with Test-NetConnection to validate network segmentation rules after firewall changes

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| eval FileName_lower=lower(FileName)
| eval CommandLine_lower=lower(CommandLine)
/* Flag known scanning tool binaries */
| eval KnownScanner=if(
    FileName_lower=~"(nmap\.exe|masscan\.exe|zmap\.exe|netscan\.exe|tcping\.exe|superscan\.exe|angryipscan\.exe|nbtscan\.exe|nbtscan-unixwiz\.exe|winegddrop\.exe|rustscan|netdiscover|unicornscan)",
    "true", "false"
  )
/* Flag native LOLBin scanning patterns */
| eval NativeScan=if(
    FileName_lower=~"(powershell\.exe|pwsh\.exe|cmd\.exe)"
    AND CommandLine_lower=~"(test-netconnection|tnc |net\.sockets|1\.\.254|1\.\.65535|netstat -a|arp -a|net view|net use\\\\|route print|new-object net\.sockets)",
    "true", "false"
  )
/* Flag scan-specific flags and port range arguments */
| eval PortScanFlags=if(
    CommandLine_lower=~"( -ss | -st | -su | -sv | -sn | -pn |--top-ports|--script |--rate |--ports | -p [0-9])",
    "true", "false"
  )
/* Exclude known-benign invocations */
| eval ScanExclude=if(
    CommandLine_lower=~"(--version|--help|-h |install|update|get-help)",
    "true", "false"
  )
| where (KnownScanner="true" OR NativeScan="true" OR PortScanFlags="true")
    AND ScanExclude!="true"
| eval DetectionType=case(
    KnownScanner="true", "KnownScanningTool",
    NativeScan="true", "NativeToolScanning",
    PortScanFlags="true", "PortScanFlags",
    true(), "Unknown"
  )
| eval SuspicionScore=if(KnownScanner="true",1,0)+if(NativeScan="true",1,0)+if(PortScanFlags="true",1,0)
| table
    @timestamp, ComputerName, UserName,
    FileName, CommandLine,
    ParentBaseFileName, ParentCommandLine,
    KnownScanner, NativeScan, PortScanFlags,
    SuspicionScore, DetectionType
| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor telemetry — ProcessRollup2 events via Falcon Data Replicator (FDR) or Falcon LogScale Collector Falcon Insight XDR process execution telemetry

Required Tables

#event_simpleName=ProcessRollup2 FileName CommandLine ParentBaseFileName UserName ComputerName

False Positives

CrowdStrike Spotlight or third-party EDR/vulnerability scanner integrations that call nmap or masscan via the Falcon RTR response interface during authorised host assessment workflows
IT operations teams using PowerShell scripts with Test-NetConnection or New-Object Net.Sockets loops to build network dependency maps or validate ACLs after infrastructure changes
Scheduled task or service account automation that runs netstat, arp -a, or route print as part of daily inventory collection feeding a CMDB or IPAM solution

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1046 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Network Service Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections