T1590.006 Network Security Appliances Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ApplianceMgmtPorts = dynamic([22, 23, 161, 162, 257, 443, 541, 830, 3128, 3978, 4443, 8080, 8443, 8880, 10443, 18190, 18191, 18210, 18211, 18264]);
let ScanningTools = dynamic(["nmap", "masscan", "zenmap", "zmap", "unicornscan", "hping3", "hping", "openvas", "nikto", "snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check"]);
let FirewallFingerprintArgs = dynamic(["-sA", "--script firewall", "firewalk", "--script=firewall-bypass", "--badsum", "--data-length", "--ttl ", "--script=firewalk", "--script http-waf", "--script=http-waf-detect", "-f ", "--mtu "]);
// Branch 1: Detect security appliance scanning tools on managed endpoints
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanningTools)
    or ProcessCommandLine has_any (ScanningTools)
    or ProcessCommandLine has_any (FirewallFingerprintArgs)
| extend RiskIndicator = case(
    ProcessCommandLine has_any (FirewallFingerprintArgs), "Firewall Fingerprinting Arguments",
    ProcessCommandLine has_any (["snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check"]) or (ProcessCommandLine has "snmp" and ProcessCommandLine has_any (["public", "private", "community", "-c ", "-v2c", "-v1"])), "SNMP Enumeration",
    FileName has_any (ScanningTools) or ProcessCommandLine has_any (ScanningTools), "Network Scanning Tool Execution",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskIndicator
| union (
  // Branch 2: Systematic probing of security appliance management ports from internal endpoints
  DeviceNetworkEvents
  | where Timestamp > ago(24h)
  | where RemotePort in (ApplianceMgmtPorts)
  | summarize DistinctMgmtPorts=dcount(RemotePort), PortsProbed=make_set(RemotePort), TargetIPs=dcount(RemoteIP), ConnectionCount=count() by DeviceName, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 30m)
  | where DistinctMgmtPorts >= 4 or ConnectionCount >= 15
  | extend RiskIndicator = "Multi-Port Sweep of Management Interfaces"
  | extend FileName = InitiatingProcessFileName
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine=strcat("Ports: ", tostring(PortsProbed), " | Targets: ", tostring(TargetIPs)), InitiatingProcessFileName, RiskIndicator
)
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT security teams conducting authorized vulnerability assessments or network audits using nmap or Nessus from designated scanning hosts
Network operations center personnel running SNMP queries (snmpwalk, snmpget) against security appliances for legitimate health monitoring and capacity planning
Automated vulnerability scanners (Qualys, Rapid7 InsightVM, Tenable) executing scheduled scans from approved scan sources that include management ports in their scope
Firewall administrators probing management interface connectivity after configuration changes or maintenance windows
Security engineers using nmap for network documentation and asset discovery during authorized change windows

Splunk

spl

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine)
| eval IsScanTool=if(
    match(Image, "(\\\\nmap\.exe|\\\\masscan\.exe|\\\\zenmap\.exe|\\\\zmap\.exe|\\\\hping3?\.exe|\\\\unicornscan\.exe|\\\\openvas|\\\\nikto)") OR
    match(CommandLine, "(\bnmap\b|\bmasscan\b|\bzenmap\b|\bzmap\b|\bhping3?\b|\bunicornscan\b)"), 1, 0)
| eval IsFirewallFingerprint=if(
    match(CommandLine, "(\s-sa\s|--script\s+firewall|firewalk|--badsum|--script=firewall-bypass|--script=firewalk|--script\s+http-waf|--script=http-waf|--mtu\s+[0-9]|\s-f\s|--data-length|--ttl\s+[0-9])"), 1, 0)
| eval IsSNMPProbe=if(
    match(Image, "(snmpwalk|snmpget|snmpbulkwalk|onesixtyone|snmp-check)") OR
    match(CommandLine, "(snmpwalk|snmpget|snmpbulkwalk|onesixtyone|snmp-check)") OR
    (match(CommandLine, "snmp") AND match(CommandLine, "(community|public|private|-c\s|-v2c|-v1\s)")), 1, 0)
| eval IsVersionScan=if(
    match(CommandLine, "(-sv\s|--version-intensity|--script=banner|--script\s+banner|--script=ssl-cert)") AND
    match(CommandLine, "(443|8443|4443|3978|8080|3128|18190|18191|541|257)"), 1, 0)
| eval RiskScore=IsScanTool + IsFirewallFingerprint + IsSNMPProbe + IsVersionScan
| where RiskScore > 0
| eval RiskIndicators=mvappend(
    if(IsScanTool=1, "scanning_tool_execution", null()),
    if(IsFirewallFingerprint=1, "firewall_fingerprint_args", null()),
    if(IsSNMPProbe=1, "snmp_appliance_enumeration", null()),
    if(IsVersionScan=1, "service_version_scan_mgmt_ports", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RiskScore, RiskIndicators
| sort - RiskScore, - _time

medium severity low confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized penetration testers or red team operators running network scans from corporate endpoints during sanctioned engagements
Network operations personnel using nmap for routine network discovery, asset documentation, and connectivity validation
SNMP management systems (Zabbix, PRTG, SolarWinds) polling security appliances for health and performance metrics
Security engineers testing firewall ACL changes by probing specific ports from authorized admin workstations
Vulnerability management agents (Qualys Cloud Agent, Tenable Nessus Agent) that spawn scanning processes locally

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : ("nmap", "masscan", "shodan", "nikto", "netdiscover", "arp-scan", "zmap")
  or process.command_line : ("*--script*firewall*", "*--script*snmp*", "*-sV*", "*-O *")

medium severity low confidence

Data Sources

Elastic Endpoint Security Process events Network events

Required Tables

logs-endpoint.events.process.* logs-endpoint.events.network.*

False Positives

Authorized network security assessments using commercial scanning tools
IT administrators performing legitimate network audits
Security teams running vulnerability scans against owned infrastructure
Network monitoring software performing regular topology discovery

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  CASE
    WHEN "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' THEN 80
    WHEN "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' THEN 75
    WHEN "Image" ILIKE '%recon-ng%' OR "Image" ILIKE '%maltego%' THEN 70
    WHEN "CommandLine" ILIKE '%whois%' OR "CommandLine" ILIKE '%dnsenum%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nmap%' THEN 'Network Scanner'
    WHEN "Image" ILIKE '%theharvester%' THEN 'OSINT Harvester'
    WHEN "Image" ILIKE '%maltego%' THEN 'Link Analysis Tool'
    ELSE 'Reconnaissance Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%nmap%' OR "Image" ILIKE '%masscan%' OR "Image" ILIKE '%nikto%'
    OR "Image" ILIKE '%shodan%' OR "Image" ILIKE '%theharvester%' OR "Image" ILIKE '%recon-ng%'
    OR "Image" ILIKE '%maltego%' OR "Image" ILIKE '%spiderfoot%' OR "CommandLine" ILIKE '%dnsenum%'
    OR "CommandLine" ILIKE '%whois %' OR "CommandLine" ILIKE '%-sV %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs Network flow data

Required Tables

events

False Positives

Authorized network security assessments and vulnerability scans
IT administrators performing legitimate network topology discovery
Security teams scanning owned infrastructure for compliance audits
Network monitoring software performing scheduled discovery scans

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval ImageLower = lower(Image)
| eval CmdLower = lower(CommandLine)
| where matches(ImageLower, "nmap|masscan|nikto|shodan|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap")
   or matches(CmdLower, "\-sV |\-O |\-sC |\-p\s+\d|dnsenum|whois |hunter\.io")
| eval ToolCategory = if(matches(ImageLower, "nmap|masscan|zmap"), "Port Scanner",
    if(matches(ImageLower, "theharvester|spiderfoot"), "OSINT Tool",
    if(matches(ImageLower, "nikto"), "Web Scanner", "Recon Tool")))
| eval RiskScore = if(ToolCategory = "Port Scanner", 75,
    if(ToolCategory = "OSINT Tool", 70, 60))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

medium severity low confidence

Data Sources

Sysmon Event ID 1 DNS logs

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized vulnerability scanning by internal security teams
Network monitoring tools performing scheduled topology discovery
IT administrators running network audits with scanning tools
Security teams conducting authorized external attack surface assessments

Google Chronicle / SecOps

yaral

rule T1590_006_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "medium"
    confidence = "low"
    mitre_attack = "T1590.006"
    reference = "https://attack.mitre.org/techniques/T1590/006/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

PROCESS_LAUNCH DNS

False Positives

Authorized network security assessments conducted by the internal security team
IT administrators performing network discovery for asset management
Security compliance teams running authorized external attack surface scans
Network monitoring platforms performing regular topology discovery

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap)/
  OR CommandLine = /(?i)(\-sV\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan|\-O\s)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(nmap|masscan|zmap)/ => ToolCategory := "Port Scanner"; RiskScore := "High";
    ImageFileName = /(?i)(theharvester|spiderfoot)/ => ToolCategory := "OSINT Harvester"; RiskScore := "Medium";
    ImageFileName = /(?i)(nikto)/ => ToolCategory := "Web Scanner"; RiskScore := "High";
    * => ToolCategory := "Recon Tool"; RiskScore := "Medium";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

medium severity low confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Authorized vulnerability scanning programs using commercial scanning platforms
IT administrators performing network discovery for asset inventory management
Security compliance teams running authorized external attack surface assessments
Network operations tools performing routine topology and connectivity discovery

Network Security Appliances

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections