T1590 Gather Victim Network Information Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let NetworkReconTools = dynamic(["nmap", "masscan", "zmap", "lansweeper", "angryip", "fping", "nbtscan", "netdiscover", "unicornscan", "dnsenum", "dnsrecon", "fierce", "sublist3r", "amass", "theharvester", "advanced_port_scanner", "advanced ip scanner"]);
let DnsReconPatterns = dynamic(["axfr", "AXFR", "zone-transfer", "zone transfer", "-t ANY", "ls -d"]);
let NetworkCmdRecon = dynamic(["ipconfig /all", "nslookup", "arp -a", "netstat -ano", "route print", "net view", "nltest /dclist", "nltest /domain_trusts"]);
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where (
    FileName has_any (NetworkReconTools)
    or ProcessVersionInfoOriginalFileName has_any (NetworkReconTools)
    or ProcessCommandLine has_any (NetworkReconTools)
    or ProcessCommandLine has_any (DnsReconPatterns)
    or (FileName in~ ("nslookup.exe", "dig.exe", "host.exe") and ProcessCommandLine has_any (DnsReconPatterns))
    or (FileName in~ ("nltest.exe") and ProcessCommandLine has_any ("/dclist", "/domain_trusts", "/trusted_domains", "/dsgetdc"))
)
| extend ReconCategory = case(
    ProcessCommandLine has_any ("nmap", "masscan", "zmap", "fping", "nbtscan"), "PortHostScanning",
    ProcessCommandLine has_any ("dnsenum", "dnsrecon", "fierce", "axfr", "AXFR", "zone-transfer"), "DNSEnumeration",
    ProcessCommandLine has_any ("lansweeper", "advanced_port_scanner", "angryip", "netdiscover"), "NetworkDiscoveryTool",
    ProcessCommandLine has_any ("/dclist", "/domain_trusts", "/trusted_domains"), "DomainTrustEnumeration",
    "GeneralNetworkRecon")
| extend SuspicionScore = case(
    ReconCategory == "PortHostScanning", 90,
    ReconCategory == "DNSEnumeration", 85,
    ReconCategory == "NetworkDiscoveryTool", 80,
    ReconCategory == "DomainTrustEnumeration", 70,
    50)
| project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ReconCategory, SuspicionScore
| order by SuspicionScore desc, TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate network administrators running nmap or Advanced IP Scanner for asset inventory or troubleshooting
IT operations teams using Lansweeper or similar tools for scheduled network discovery and CMDB updates
DNS administrators performing authoritative zone transfers between primaries and secondaries as part of normal operations
Security teams running authorized vulnerability scans or penetration tests using tools like nmap or masscan
nltest calls from legitimate domain join operations, group policy processing, or identity management tools

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
| eval CommandLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval ReconCategory=case(
    match(CommandLower, "nmap|masscan|zmap|fping|nbtscan|unicornscan"), "PortHostScanning",
    match(CommandLower, "dnsrecon|dnsenum|fierce|axfr|zone.transfer|\.transfer"), "DNSEnumeration",
    match(CommandLower, "lansweeper|advanced.port.scanner|angryip|netdiscover|advanced_port"), "NetworkDiscoveryTool",
    match(CommandLower, "\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc") AND match(ImageLower, "nltest"), "DomainTrustEnumeration",
    match(ImageLower, "nmap\.exe|masscan\.exe|lansweeper\.exe|dnsrecon\.py|fierce\.py"), "KnownReconBinary",
    true(), null())
| where isnotnull(ReconCategory)
| eval SuspicionScore=case(
    ReconCategory="PortHostScanning", 90,
    ReconCategory="DNSEnumeration", 85,
    ReconCategory="NetworkDiscoveryTool", 80,
    ReconCategory="DomainTrustEnumeration", 70,
    ReconCategory="KnownReconBinary", 75,
    50)
| eval ParentImageShort=mvindex(split(ParentImage, "\\"), -1)
| table _time, host, User, Image, CommandLine, ParentImage, ParentImageShort, ReconCategory, SuspicionScore
| sort -SuspicionScore -_time

medium severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network administrators running legitimate scans using nmap, masscan, or equivalent tools during maintenance windows
Lansweeper, SolarWinds, or other CMDB/network management platforms performing scheduled network discovery
DNS replication between authoritative nameservers generating AXFR traffic visible in process logs
Penetration test engagements where the security team is running authorized reconnaissance tools
Automated IT asset discovery agents that use port scanning or DNS queries as part of normal inventory workflows

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name : ("nmap", "nmap.exe", "masscan", "masscan.exe", "zmap", "zmap.exe", "fping", "fping.exe", "nbtscan", "nbtscan.exe", "unicornscan", "dnsenum", "dnsenum.py", "dnsrecon", "dnsrecon.py", "fierce", "fierce.py", "sublist3r", "amass", "theharvester", "lansweeper", "lansweeper.exe", "netdiscover", "angryip", "advanced_port_scanner.exe") or
  process.args : ("axfr", "AXFR", "zone-transfer", "-t ANY", "ls -d") or
  (
    process.name : ("nltest.exe") and
    process.args : ("/dclist*", "/domain_trusts", "/trusted_domains", "/dsgetdc")
  ) or
  (
    process.name : ("nslookup.exe", "dig", "dig.exe", "host", "host.exe") and
    process.args : ("axfr", "AXFR", "zone-transfer", "ANY")
  )
)

high severity medium confidence

Data Sources

Elastic Endpoint Security Auditbeat (Linux process events) Winlogbeat with Sysmon (EventID 1) Elastic Agent endpoint integration

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-* auditbeat-*

False Positives

Authorized red team or penetration testing engagements using nmap, masscan, or dnsrecon against internal ranges — correlate with change ticket or pentest window
Network operations teams running Lansweeper or Advanced IP Scanner for legitimate asset inventory and network documentation purposes
Security operations or IT engineers running nltest for Active Directory troubleshooting, domain trust validation, or DC discovery in large enterprise environments
Vulnerability management scanners (Tenable Nessus, Qualys) invoking nmap as a subprocess during authenticated scan pipelines
DNS administrators performing authorized zone transfer tests or AXFR validation between primary and secondary authoritative name servers

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Command") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*' THEN 'PortHostScanning'
    WHEN LOWER("Command") MATCHES '.*dnsrecon.*|.*dnsenum.*|.*fierce.*|.*axfr.*|.*zone.transfer.*|.*zone-transfer.*' THEN 'DNSEnumeration'
    WHEN LOWER("Command") MATCHES '.*lansweeper.*|.*advanced.port.scanner.*|.*angryip.*|.*netdiscover.*|.*advanced_port_scanner.*' THEN 'NetworkDiscoveryTool'
    WHEN LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*' THEN 'DomainTrustEnumeration'
    ELSE 'KnownReconBinary'
  END AS ReconCategory,
  CASE
    WHEN LOWER("Command") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*' THEN 90
    WHEN LOWER("Command") MATCHES '.*dnsrecon.*|.*dnsenum.*|.*fierce.*|.*axfr.*|.*zone.transfer.*' THEN 85
    WHEN LOWER("Command") MATCHES '.*lansweeper.*|.*advanced.port.scanner.*|.*angryip.*|.*netdiscover.*' THEN 80
    WHEN LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*' THEN 70
    ELSE 75
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon', 'Linux OS')
  AND (
    LOWER("Process Name") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*|.*dnsenum.*|.*dnsrecon.*|.*fierce.*|.*lansweeper.*|.*netdiscover.*|.*amass.*|.*sublist3r.*|.*theharvester.*|.*angryip.*'
    OR LOWER("Command") MATCHES '.*axfr.*|.*zone.transfer.*|.*zone-transfer.*|.*/dclist.*|.*/domain_trusts.*|.*/dsgetdc.*|.*/trusted_domains.*|.*-t any.*'
    OR (
      LOWER("Process Name") MATCHES '.*nltest.*'
      AND LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY SuspicionScore DESC, starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688 with process command line auditing enabled) Microsoft Sysmon (EventID 1) Linux OS auditd process execution events QRadar DSM for Windows and Sysmon

Required Tables

events

False Positives

Authorized penetration testing or red team engagements — correlate with scheduled maintenance windows and source IP allowlists in QRadar reference sets
IT asset inventory tools such as Lansweeper or PDQ Inventory running under service accounts on scheduled scan intervals
Network administrators executing nltest commands for routine Active Directory health checks, domain controller discovery, or trust relationship validation
Vulnerability management infrastructure where nmap is invoked as a subprocess by scanning platforms (Tenable, Qualys, Rapid7)
DNS administrators running dig with AXFR for zone replication health verification between authoritative servers

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where (sourceName = "Microsoft-Windows-Sysmon/Operational" AND EventCode = 1) OR EventCode = 4688
| parse field=CommandLine "*" as commandline nodrop
| parse field=Image "*" as imagepath nodrop
| if (isNull(commandline), "", toLowerCase(commandline)) as commandlower
| if (isNull(imagepath), "", toLowerCase(imagepath)) as imagelower
| eval ReconCategory = if(matches(commandlower, "nmap|masscan|zmap|fping|nbtscan|unicornscan"), "PortHostScanning",
    if(matches(commandlower, "dnsrecon|dnsenum|fierce|axfr|zone.transfer|zone-transfer"), "DNSEnumeration",
    if(matches(commandlower, "lansweeper|advanced.port.scanner|angryip|netdiscover|advanced_port_scanner"), "NetworkDiscoveryTool",
    if(matches(commandlower, "/dclist|/domain_trusts|/trusted_domains|/dsgetdc") AND matches(imagelower, "nltest"), "DomainTrustEnumeration",
    if(matches(imagelower, "nmap\.exe|masscan\.exe|lansweeper\.exe|dnsrecon|fierce|dnsenum|zmap\.exe|nbtscan\.exe|amass\.exe|sublist3r|theharvester"), "KnownReconBinary", null())))))
| where !isNull(ReconCategory)
| eval SuspicionScore = if(ReconCategory = "PortHostScanning", 90,
    if(ReconCategory = "DNSEnumeration", 85,
    if(ReconCategory = "NetworkDiscoveryTool", 80,
    if(ReconCategory = "DomainTrustEnumeration", 70,
    if(ReconCategory = "KnownReconBinary", 75, 50)))))
| parse field=imagepath "*\\*" as imagedir, imagefilename nodrop
| parse field=ParentImage "*\\*" as parentdir, parentfilename nodrop
| fields _messageTime, Computer, User, Image, imagefilename, CommandLine, ParentImage, parentfilename, ReconCategory, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log source (Sysmon EventID 1) Sumo Logic Installed Collector with Windows Security Event Log (EventID 4688 — requires process command line auditing via GPO) Sumo Logic Cloud SIEM Enterprise (CSE) with normalized Windows endpoint events

Required Tables

_sourceCategory (Sumo Logic partition/index routing, not a table) Sysmon Operational log via Installed Collector Windows Security EventLog via Installed Collector

False Positives

Authorized penetration testing exercises — scope by Computer field against an allowlist of sanctioned scan hosts and correlate with change management tickets
Legitimate network asset management tools (Lansweeper, SolarWinds Network Discovery) running under scheduled service accounts on designated scanner hosts
System administrators running nltest or nslookup as part of routine Active Directory diagnostics, LDAP connectivity testing, or domain join troubleshooting procedures
Vulnerability management agents invoking nmap subprocess calls during authenticated network scanning windows
DevOps or CI/CD pipelines in test environments running network connectivity checks using nmap or fping as part of infrastructure validation scripts

Google Chronicle / SecOps

yaral

rule t1590_gather_victim_network_information {
  meta:
    author = "Detection Engineering"
    description = "Detects adversary network reconnaissance activity targeting victim network information consistent with MITRE ATT&CK T1590. Identifies execution of known port/host scanning tools, DNS zone transfer enumeration, internal network discovery utilities, and domain trust enumeration via nltest. Observed in Volt Typhoon, HAFNIUM, and Indrik Spider intrusion sets."
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590"
    mitre_attack_technique_name = "Gather Victim Network Information"
    severity = "HIGH"
    confidence = "MEDIUM"
    rule_version = "1.0"
    created = "2026-04-14"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path,
        `(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|unicornscan|dnsenum\.py|dnsrecon\.py|fierce\.py|sublist3r|amass\.exe|theharvester|lansweeper\.exe|netdiscover|angryip|advanced_port_scanner\.exe)`) or
      re.regex($e.target.process.command_line,
        `(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass|theharvester|lansweeper|netdiscover|angryip|advanced.port.scanner|axfr|zone-transfer|zone\s+transfer|\-t\s+any)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)nltest\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)(nslookup\.exe|dig\.exe|host\.exe)`) and
        re.regex($e.target.process.command_line, `(?i)(axfr|AXFR|zone-transfer|\-t\s+any)`)
      )
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan)`), 90,
        if(
          re.regex($e.target.process.command_line, `(?i)(dnsrecon|dnsenum|fierce|axfr|zone.transfer)`), 85,
          if(
            re.regex($e.target.process.command_line, `(?i)(lansweeper|advanced.port.scanner|angryip|netdiscover)`), 80,
            if(
              re.regex($e.target.process.command_line, `(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)`), 70, 75
            )
          )
        )
      )
    )
    $hostname = $e.principal.hostname
    $process_name = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $username = $e.principal.user.userid

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM process launch events from Windows endpoints (via Sysmon or EDR forwarders) Chronicle Windows Event Log parser (EventID 4688) Chronicle Sysmon parser (EventID 1) Chronicle Linux audit process events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH target.process.* UDM fields principal.process.* UDM fields

False Positives

Authorized penetration testing or red team operations — add exclusion for known scanner host principal.hostname values or scanner service account principal.user.userid
Lansweeper, Nessus, or similar network management platforms running on dedicated scanner hosts under service accounts with predictable command-line patterns
System administrators using nltest for legitimate DC discovery, domain trust enumeration during AD migrations, or routine directory health checks
DNS operations teams running dig with AXFR against internal authoritative name servers as part of zone health monitoring or replication validation
Security tooling in managed SOC environments that invokes nmap or masscan as part of automated asset discovery pipelines on scheduled intervals

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass\.exe|theharvester|lansweeper\.exe|netdiscover|angryip|advanced_port_scanner\.exe|nltest\.exe|nslookup\.exe|dig\.exe)/
  OR CommandLine = /(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass|theharvester|lansweeper|netdiscover|angryip|advanced.port.scanner|axfr|zone-transfer|zone\s+transfer|-t\s+any|\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)/
| case {
    CommandLine = /(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan)/ |
      ReconCategory := "PortHostScanning" | SuspicionScore := 90 ;
    CommandLine = /(?i)(dnsrecon|dnsenum|fierce|axfr|zone-transfer|zone.transfer)/ |
      ReconCategory := "DNSEnumeration" | SuspicionScore := 85 ;
    CommandLine = /(?i)(lansweeper|advanced.port.scanner|angryip|netdiscover|advanced_port_scanner)/ |
      ReconCategory := "NetworkDiscoveryTool" | SuspicionScore := 80 ;
    CommandLine = /(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)/ AND FileName = /(?i)nltest/ |
      ReconCategory := "DomainTrustEnumeration" | SuspicionScore := 70 ;
    FileName = /(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|lansweeper\.exe|dnsrecon|fierce|dnsenum)/ |
      ReconCategory := "KnownReconBinary" | SuspicionScore := 75 ;
    * | ReconCategory := "GeneralNetworkRecon" | SuspicionScore := 50 ;
  }
| where SuspicionScore > 50
| ParentBaseFileName := splitString(ParentCommandLine, "\\")[-1]
| table([timestamp, ComputerName, UserName, FileName, FilePath, CommandLine, ParentBaseFileName, ParentCommandLine, ReconCategory, SuspicionScore])
| sort(field=SuspicionScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) CrowdStrike Falcon Data Replicator (FDR) process telemetry CrowdStrike Humio/LogScale endpoint repository

Required Tables

ProcessRollup2 (#event_simpleName) Falcon endpoint process telemetry repository

False Positives

Authorized red team or penetration testing engagements — scope exclusion by ComputerName for known tester workstations or by UserName for red team service accounts
Network management solutions (Lansweeper, PDQ Inventory, SolarWinds) executing scheduled network scans under documented service accounts from dedicated scanner hosts
Active Directory administrators running nltest commands for routine domain controller discovery, trust relationship auditing, or Kerberos ticket validation during support escalations
Vulnerability management agents (Tenable, Rapid7, Qualys) spawning nmap subprocesses from their scan coordinator hosts on defined scanning schedules
Security engineering teams running dnsrecon or fierce in isolated lab or staging environments for detection rule validation and threat simulation exercises

Gather Victim Network Information

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Reconnaissance

Popular Detections