T1046 Microsoft Sentinel · KQL

Detect Network Service Discovery in Microsoft Sentinel

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods include port, vulnerability, and wordlist scans using tools such as nmap, masscan, zmap, CrackMapExec, and custom port scanners. Within cloud environments, adversaries may discover services on other cloud hosts or connected on-premises systems. On macOS, adversaries may leverage Bonjour/mDNSResponder to discover advertised services. Threat actors including Volt Typhoon, APT39, BlackTech, menuPass, FIN13, and ransomware operators like BlackByte routinely perform network service discovery as part of internal reconnaissance before lateral movement.

MITRE ATT&CK

Tactic: Discovery
Technique: T1046 Network Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1046/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let ScanningTools = dynamic([
  "nmap", "masscan", "zmap", "netscan", "portscan", "superscan",
  "angryip", "advanced_ip_scanner", "advanced ip scanner",
  "tcping", "winegddrop", "bluetorch", "snsscan", "nbtscan",
  "netdiscover", "unicornscan", "rustscan"
]);
// Command-line switch patterns; not referenced by the branches below (available for tuning)
let ScanningCLIPatterns = dynamic([
  "-sS", "-sT", "-sU", "-sV", "-sn", "-p ", "--top-ports",
  "-A ", "--script", "--open", "-Pn",
  "scan", "--rate", "--ports",
  "/scan", "/p:"
]);
let NativeScanPatterns = dynamic([
  "net view", "net use\\\\", "netstat -an", "netstat -a",
  "arp -a", "route print",
  "Test-NetConnection", "TNC ", "Test-Connection",
  "1..254", "1..65535",
  "New-Object Net.Sockets.TcpClient", "System.Net.Sockets"
]);
let ScanningProcesses = dynamic([
  "nmap.exe", "masscan.exe", "zmap.exe", "netscan.exe",
  "tcping.exe", "superscan.exe", "angryipscan.exe",
  "nbtscan.exe", "nbtscan-unixwiz.exe", "winegddrop.exe"
]);
// Branch 1: Known scanning tool execution
// The !has_any exclusion drops package-manager and help/version invocations that merely mention a tool name
let KnownScanners = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanningProcesses)
    or (ProcessCommandLine has_any (ScanningTools) and ProcessCommandLine !has_any ("update", "install", "help", "--version"))
| extend DetectionType = "KnownScanningTool"
| extend RiskIndicators = pack_array(
    iff(FileName has_any (ScanningProcesses), "KnownScannerBinary", ""),
    iff(ProcessCommandLine has "-sS" or ProcessCommandLine has "-sT", "SynOrTcpScan", ""),
    iff(ProcessCommandLine has "-sV" or ProcessCommandLine has "--script", "ServiceVersionProbe", ""),
    iff(ProcessCommandLine has "-p " or ProcessCommandLine has "--top-ports" or ProcessCommandLine has "--ports", "PortRangeSpecified", "")
  );
// Branch 2: Native tool / LOLBin scanning patterns
let NativeScanning = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
    and ProcessCommandLine has_any (NativeScanPatterns)
| extend DetectionType = "NativeToolScanning"
| extend RiskIndicators = pack_array(
    iff(ProcessCommandLine has "1..254" or ProcessCommandLine has "1..65535", "LoopPortOrHostScan", ""),
    iff(ProcessCommandLine has "Net.Sockets", "DotNetSocketScan", ""),
    iff(ProcessCommandLine has "Test-NetConnection" or ProcessCommandLine has "TNC ", "TestNetConnection", ""),
    iff(ProcessCommandLine has "netstat", "ServiceEnumeration", "")
  );
// Combine and enrich
KnownScanners
| union NativeScanning
| extend IsInteractiveUser = AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend InitiatingContext = strcat(InitiatingProcessFileName, " -> ", FileName)
| project Timestamp, DeviceName, AccountName, AccountDomain,
         FileName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, InitiatingContext,
         DetectionType, RiskIndicators, IsInteractiveUser
| sort by Timestamp desc
```
Severity: Medium · Confidence: High

Detects network service discovery activity using two parallel branches: (1) execution of known port scanning binaries such as nmap, masscan, tcping, nbtscan, and NetScan; (2) native LOLBin scanning using PowerShell socket connections, Test-NetConnection loops, and netstat enumeration. Covers both external tooling brought onto the system and living-off-the-land techniques favored by threat actors like Volt Typhoon. Uses DeviceProcessEvents from Microsoft Defender for Endpoint.

Data Sources

Process: Process Creation
Command: Command Execution
Source: Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Network engineers and IT administrators running nmap or AngryIP Scanner for authorized network inventory and asset discovery
  • Vulnerability management platforms (Nessus, Qualys, Rapid7 InsightVM agents) performing scheduled authenticated scans
  • Security operations teams running port scans during authorized penetration tests or purple team exercises
  • Monitoring tools using Test-NetConnection or netstat scripts to verify service availability and health checks
  • DevOps pipelines performing connectivity checks (Test-NetConnection, TCP client probes) during deployment validation
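The following is an added example, not the page's query or any Microsoft Defender API: a small Python replica of the two KQL branches (known scanner binaries, and PowerShell/cmd living-off-the-land patterns) together with the benign-term exclusion, plus an allowlist step that implements the tuning advice above by suppressing an authorized vulnerability-scanner service account. Plain case-insensitive substring matching approximates KQL's term-based `has`, so results can differ at word boundaries. The sample events, account names and the allowlist entry (`svc-vulnscan`, `nessusd.exe`) are constructed placeholders.

```python
"""Offline replica of the two detection branches in the T1046 Sentinel query,
plus an allowlist step illustrating the tuning advice, run over constructed
sample process events. Added example; not the page's query or an MDE API."""
from dataclasses import dataclass

# Term lists copied from the KQL query above (subset of the tool names).
SCANNING_PROCESSES = {
    "nmap.exe", "masscan.exe", "zmap.exe", "netscan.exe", "tcping.exe",
    "superscan.exe", "angryipscan.exe", "nbtscan.exe", "nbtscan-unixwiz.exe",
}
SCANNING_TOOLS = ["nmap", "masscan", "zmap", "netscan", "portscan",
                  "angryip", "nbtscan", "rustscan", "unicornscan", "netdiscover"]
BENIGN_TERMS = ["update", "install", "help", "--version"]   # exclusion in branch 1
NATIVE_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
NATIVE_PATTERNS = ["net view", "netstat -an", "netstat -a", "arp -a", "route print",
                   "Test-NetConnection", "TNC ", "Test-Connection", "1..254",
                   "1..65535", "New-Object Net.Sockets.TcpClient", "System.Net.Sockets"]
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Tuning allowlist: (account, initiating process) pairs for authorized scanners.
# Constructed placeholder values, not from the page; replace with your own.
ALLOWLIST = {("svc-vulnscan", "nessusd.exe")}


@dataclass
class ProcessEvent:
    """Minimal stand-in for a DeviceProcessEvents row."""
    device: str
    account: str
    file_name: str
    command_line: str
    initiating_process: str


def _contains_any(text, terms):
    # Case-insensitive substring match; an approximation of KQL's term-based `has`.
    t = text.lower()
    return any(term.lower() in t for term in terms)


def classify(ev):
    """Return (DetectionType, RiskIndicators) or None, mirroring the two KQL branches.
    Unlike pack_array() in the query, empty indicator slots are dropped here."""
    cl, fn = ev.command_line, ev.file_name.lower()
    # Branch 1: known scanning tool execution
    if fn in SCANNING_PROCESSES or (
        _contains_any(cl, SCANNING_TOOLS) and not _contains_any(cl, BENIGN_TERMS)
    ):
        checks = [
            ("KnownScannerBinary", fn in SCANNING_PROCESSES),
            ("SynOrTcpScan", "-sS" in cl or "-sT" in cl),
            ("ServiceVersionProbe", "-sV" in cl or "--script" in cl),
            ("PortRangeSpecified", "-p " in cl or "--top-ports" in cl or "--ports" in cl),
        ]
        return "KnownScanningTool", [name for name, hit in checks if hit]
    # Branch 2: native tool / LOLBin scanning patterns
    if fn in NATIVE_SHELLS and _contains_any(cl, NATIVE_PATTERNS):
        checks = [
            ("LoopPortOrHostScan", "1..254" in cl or "1..65535" in cl),
            ("DotNetSocketScan", "Net.Sockets" in cl),
            ("TestNetConnection", "Test-NetConnection" in cl or "TNC " in cl),
            ("ServiceEnumeration", "netstat" in cl.lower()),
        ]
        return "NativeToolScanning", [name for name, hit in checks if hit]
    return None


def run(events):
    """Apply both branches, drop allowlisted scanner accounts, and enrich like the query."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        if (ev.account.lower(), ev.initiating_process.lower()) in ALLOWLIST:
            continue  # authorized vulnerability-scanner service account (tuning)
        detection_type, indicators = hit
        alerts.append({
            "device": ev.device,
            "account": ev.account,
            "detection_type": detection_type,
            "indicators": indicators,
            "interactive_user": ev.account.upper() not in SERVICE_ACCOUNTS,
            "context": f"{ev.initiating_process} -> {ev.file_name}",
        })
    return alerts


# Constructed sample events (loopback targets, as in the page's tests).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", "nmap.exe",
                 "nmap.exe -sS -sV -p 1-1024 127.0.0.1", "cmd.exe"),
    ProcessEvent("WS02", "bob", "powershell.exe",
                 'powershell.exe -NoP -c "1..254 | ForEach-Object { '
                 'Test-NetConnection 127.0.0.$_ -Port 445 }"', "explorer.exe"),
    ProcessEvent("WS03", "carol", "cmd.exe",
                 "cmd.exe /c choco install nmap", "explorer.exe"),   # excluded by BENIGN_TERMS
    ProcessEvent("SCAN01", "svc-vulnscan", "nmap.exe",
                 "nmap.exe -sV --top-ports 100 127.0.0.1", "nessusd.exe"),  # allowlisted
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields two alerts: the interactive nmap run (all four branch-1 indicators) and the Test-NetConnection host sweep (LoopPortOrHostScan and TestNetConnection). The `choco install nmap` line is dropped by the benign-term exclusion, and the scanner service account is dropped by the allowlist; in Sentinel the same suppression is usually done with a watchlist joined on AccountName and InitiatingProcessFileName rather than a hard-coded list.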

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: nmap SYN Scan Against Local Subnet

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in nmap.exe, CommandLine containing '-sV -p' and '127.0.0.1'. Sysmon Event ID 3: Multiple network connection events from nmap.exe to 127.0.0.1 on specified ports. Sysmon Event ID 11: File created at %TEMP%\df00tech-nmap-test.txt. Security Event ID 4688 (if process command-line auditing enabled) showing nmap.exe process creation.

  2. Test 2: PowerShell TCP Port Scan via .NET Socket Loop

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.Sockets.TcpClient' and 'Connect'. Sysmon Event ID 3: Multiple network connection events from powershell.exe to 127.0.0.1 on each tested port. PowerShell ScriptBlock Log Event ID 4104 capturing the full socket enumeration script.

  3. Test 3: PowerShell Host Sweep with Test-NetConnection

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '1..5', 'Test-NetConnection', and '-Port 80'. Sysmon Event ID 3: Multiple network connection attempts from powershell.exe to 127.0.0.1 through 127.0.0.5 on port 80. PowerShell ScriptBlock Log Event ID 4104 showing the full ForEach-Object loop.

  4. Test 4: NBTScan NetBIOS Network Discovery

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in nbtscan.exe and CommandLine containing a target IP range. Sysmon Event ID 3: UDP connection attempts from nbtscan.exe to target IP on port 137 (NetBIOS Name Service). Security Event ID 4688 with nbtscan.exe process creation if command-line auditing is enabled.

  5. Test 5: Netstat Service Enumeration via CMD

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'netstat -ano' and 'findstr LISTENING'. Sysmon Event ID 11: File created at %TEMP%\df00tech-netstat.txt containing listening service output. Security Event ID 4688 for cmd.exe process if command-line auditing is enabled.
