Which SIEM platforms have a T1046 detection rule?

df00tech provides T1046 (Network Service Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Network Service Discovery (T1046)?

Detecting Network Service Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1046 detection?

The T1046 detection is rated medium severity with high confidence.

What are common false positives for T1046?

Common false positives for T1046 include: Network engineers and IT administrators running nmap or AngryIP Scanner for authorized network inventory and asset discovery; Vulnerability management platforms (Nessus, Qualys, Rapid7 InsightVM agents) performing scheduled authenticated scans; Security operations teams running port scans during authorized penetration tests or purple team exercises.

T1046 Elastic Security · Elastic

Detect Network Service Discovery in Elastic Security

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods include port, vulnerability, and wordlist scans using tools such as nmap, masscan, zmap, CrackMapExec, and custom port scanners. Within cloud environments, adversaries may discover services on other cloud hosts or connected on-premises systems. On macOS, adversaries may leverage Bonjour/mDNSResponder to discover advertised services. Threat actors including Volt Typhoon, APT39, BlackTech, menuPass, FIN13, and ransomware operators like BlackByte routinely perform network service discovery as part of internal reconnaissance before lateral movement.

MITRE ATT&CK

Tactic: Discovery
Technique: T1046 Network Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1046/

Elastic Detection Query

Elastic Security (Elastic)

eql

process where event.type == "start" and
(
  process.name : (
    "nmap.exe", "masscan.exe", "zmap.exe", "netscan.exe", "tcping.exe",
    "superscan.exe", "angryipscan.exe", "nbtscan.exe", "nbtscan-unixwiz.exe",
    "winegddrop.exe", "rustscan", "nmap", "masscan", "zmap",
    "netdiscover", "unicornscan"
  )
  or
  (
    process.name : ("powershell.exe", "pwsh.exe", "cmd.exe")
    and process.command_line : (
      "*test-netconnection*", "*tnc *", "*Net.Sockets.TcpClient*",
      "*System.Net.Sockets*", "*1..254*", "*1..65535*",
      "*netstat -an*", "*netstat -a*", "*arp -a*",
      "*net view*", "*net use\\\\*", "*route print*",
      "*nmap*", "*masscan*", "*portscan*", "*-sS *", "*-sT *",
      "*-sU *", "*-sV *", "*--top-ports*", "*--script*"
    )
    and not process.command_line : (
      "*update*", "*install*", "*--version*", "*-help*", "*get-help*"
    )
  )
  or
  (
    process.name : ("powershell.exe", "pwsh.exe")
    and process.command_line : ("*New-Object Net.Sockets*", "*System.Net.Sockets*")
    and process.command_line : ("*1..254*", "*1..65535*", "*foreach*", "*ForEach-Object*")
  )
)

high severity high confidence

Detects network service discovery via known port-scanning tools (nmap, masscan, zmap, rustscan, etc.) or native LOLBin patterns in PowerShell and cmd.exe, including TCP socket loops, Test-NetConnection enumeration, and netstat/arp usage consistent with internal host and service enumeration. Covers both binary execution and fileless PowerShell scanning constructs.

Data Sources

Elastic Endpoint Security (endpoint agent)Winlogbeat with Sysmon (Event ID 1)Auditbeat process module (Linux)Fleet-managed Elastic Agent

Required Tables

logs-endpoint.events.process-*logs-system.security-*winlogbeat-*

False Positives & Tuning

IT and network operations teams routinely run nmap or Angry IP Scanner for asset inventory and network documentation during scheduled maintenance windows
Security operations and vulnerability management teams use masscan and netscan as part of authorised vulnerability assessment and patch validation workflows
PowerShell-based monitoring scripts using Test-NetConnection or TCP socket checks to verify application service availability and uptime in CI/CD pipelines or runbook automation

Download portable Sigma rule (.yml)

Other platforms for T1046

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1nmap SYN Scan Against Local Subnet
Expected signal: Sysmon Event ID 1: Process Create with Image ending in nmap.exe, CommandLine containing '-sV -p' and '127.0.0.1'. Sysmon Event ID 3: Multiple network connection events from nmap.exe to 127.0.0.1 on specified ports. Sysmon Event ID 11: File created at %TEMP%\df00tech-nmap-test.txt. Security Event ID 4688 (if process command-line auditing enabled) showing nmap.exe process creation.
Test 2PowerShell TCP Port Scan via .NET Socket Loop
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.Sockets.TcpClient' and 'Connect'. Sysmon Event ID 3: Multiple network connection events from powershell.exe to 127.0.0.1 on each tested port. PowerShell ScriptBlock Log Event ID 4104 capturing the full socket enumeration script.
Test 3PowerShell Host Sweep with Test-NetConnection
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '1..5', 'Test-NetConnection', and '-Port 80'. Sysmon Event ID 3: Multiple network connection attempts from powershell.exe to 127.0.0.1 through 127.0.0.5 on port 80. PowerShell ScriptBlock Log Event ID 4104 showing the full ForEach-Object loop.
Test 4NBTScan NetBIOS Network Discovery
Expected signal: Sysmon Event ID 1: Process Create with Image ending in nbtscan.exe and CommandLine containing a target IP range. Sysmon Event ID 3: UDP connection attempts from nbtscan.exe to target IP on port 137 (NetBIOS Name Service). Security Event ID 4688 with nbtscan.exe process creation if command-line auditing is enabled.
Test 5Netstat Service Enumeration via CMD
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'netstat -ano' and 'findstr LISTENING'. Sysmon Event ID 11: File created at %TEMP%\df00tech-netstat.txt containing listening service output. Security Event ID 4688 for cmd.exe process if command-line auditing is enabled.

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1046 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Network Service Discovery in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1046

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1046

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox