T1046 Splunk · SPL

Detect Network Service Discovery in Splunk

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods include port, vulnerability, and wordlist scans using tools such as nmap, masscan, zmap, CrackMapExec, and custom port scanners. Within cloud environments, adversaries may discover services on other cloud hosts or connected on-premises systems. On macOS, adversaries may leverage Bonjour/mDNSResponder to discover advertised services. Threat actors including Volt Typhoon, APT39, BlackTech, menuPass, FIN13, and ransomware operators like BlackByte routinely perform network service discovery as part of internal reconnaissance before lateral movement.

MITRE ATT&CK

Tactic
Discovery
Technique
T1046 Network Service Discovery
Canonical reference
https://attack.mitre.org/techniques/T1046/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
  OR
  (sourcetype="WinEventLog:Security" EventCode=4688)
)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
(
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\zmap.exe" OR Image="*\\tcping.exe"
     OR Image="*\\netscan.exe" OR Image="*\\superscan.exe" OR Image="*\\nbtscan.exe"
     OR Image="*\\angryipscan.exe" OR Image="*\\winegddrop.exe")
  | return 10000 _raw]
)
OR
(
  [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe")
    (CommandLine="*test-netconnection*" OR CommandLine="*tnc *" OR CommandLine="*net.sockets*"
     OR CommandLine="*1..254*" OR CommandLine="*1..65535*" OR CommandLine="*netstat*"
     OR CommandLine="*arp -a*" OR CommandLine="*net view*")
  | return 10000 _raw]
)
| eval KnownScanner=if(match(ImageLower, "(nmap|masscan|zmap|tcping|netscan|superscan|nbtscan|angryipscan|winegddrop)"), 1, 0)
| eval NativeScan=if(match(CommandLineLower, "(test-netconnection|\btnc\b|net\.sockets|1\.\.254|1\.\.65535|netstat\s+-an|arp\s+-a|net\s+view)"), 1, 0)
| eval PortRangeFlag=if(match(CommandLineLower, "(-p\s+|--top-ports|--ports|/p:)"), 1, 0)
| eval ServiceVersionProbe=if(match(CommandLineLower, "(-sv|--script|--open|-a\s)"), 1, 0)
| eval SuspicionScore=KnownScanner + NativeScan + PortRangeFlag + ServiceVersionProbe
| where SuspicionScore > 0
| eval DetectionType=case(
    KnownScanner=1, "KnownScanningTool",
    NativeScan=1, "NativeToolScanning",
    1=1, "PortScanPattern"
  )
| eval User=coalesce(User, SubjectUserName)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        KnownScanner, NativeScan, PortRangeFlag, ServiceVersionProbe, SuspicionScore, DetectionType
| sort - _time
medium severity high confidence

Detects network service discovery using Sysmon Event ID 1 (Process Creation) via two detection branches: known scanning tool binaries (nmap, masscan, tcping, NetScan, etc.) and native LOLBin scanning via PowerShell (Test-NetConnection, socket loops, netstat). Assigns a cumulative suspicion score across four indicator categories. Covers both Security Event ID 4688 and Sysmon for environments with varying log collection coverage.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Network engineers and IT administrators running authorized scanning tools for asset inventory
  • Vulnerability scanners (Nessus, Qualys) running scheduled authenticated scans from designated scan hosts
  • Security teams conducting authorized penetration tests or red team exercises
  • Monitoring and observability tooling using Test-NetConnection or socket tests for availability checks
  • IT automation scripts using netstat or arp to validate network configuration during deployments
Download portable Sigma rule (.yml)

Other platforms for T1046

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1nmap SYN Scan Against Local Subnet

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in nmap.exe, CommandLine containing '-sV -p' and '127.0.0.1'. Sysmon Event ID 3: Multiple network connection events from nmap.exe to 127.0.0.1 on specified ports. Sysmon Event ID 11: File created at %TEMP%\df00tech-nmap-test.txt. Security Event ID 4688 (if process command-line auditing enabled) showing nmap.exe process creation.

  2. Test 2PowerShell TCP Port Scan via .NET Socket Loop

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.Sockets.TcpClient' and 'Connect'. Sysmon Event ID 3: Multiple network connection events from powershell.exe to 127.0.0.1 on each tested port. PowerShell ScriptBlock Log Event ID 4104 capturing the full socket enumeration script.

  3. Test 3PowerShell Host Sweep with Test-NetConnection

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing '1..5', 'Test-NetConnection', and '-Port 80'. Sysmon Event ID 3: Multiple network connection attempts from powershell.exe to 127.0.0.1 through 127.0.0.5 on port 80. PowerShell ScriptBlock Log Event ID 4104 showing the full ForEach-Object loop.

  4. Test 4NBTScan NetBIOS Network Discovery

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in nbtscan.exe and CommandLine containing a target IP range. Sysmon Event ID 3: UDP connection attempts from nbtscan.exe to target IP on port 137 (NetBIOS Name Service). Security Event ID 4688 with nbtscan.exe process creation if command-line auditing is enabled.

  5. Test 5Netstat Service Enumeration via CMD

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'netstat -ano' and 'findstr LISTENING'. Sysmon Event ID 11: File created at %TEMP%\df00tech-netstat.txt containing listening service output. Security Event ID 4688 for cmd.exe process if command-line auditing is enabled.

Last updated: 2026-04-17 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1046 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1595.001Scanning IP BlocksT1595.002Vulnerability ScanningT1018Remote System DiscoveryT1049System Network Connections DiscoveryT1016System Network Configuration DiscoveryT1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.006Windows Remote ManagementT1110.003Password SprayingT1190Exploit Public-Facing Application

Same Tactic: Discovery

Popular Detections