T1590.006 Google Chronicle · YARA-L

Detect Network Security Appliances in Google Chronicle

Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. This reconnaissance may occur via active scanning techniques (port scanning, banner grabbing, ACK probes to identify stateful firewalls, SNMP enumeration), passive OSINT collection (Shodan/Censys searches, job posting analysis revealing security stack), or phishing for information. Volt Typhoon has been documented conducting this type of pre-compromise reconnaissance to identify network security measures before intrusion attempts against US critical infrastructure. Intelligence on security appliance types and versions enables adversaries to identify applicable CVEs, plan evasion strategies tailored to specific vendor implementations, and select appropriate tooling.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.006 Network Security Appliances
Canonical reference: https://attack.mitre.org/techniques/T1590/006/

YARA-L Detection Query

Google Chronicle (YARA-L)

rule T1590_006_recon_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of reconnaissance and OSINT tools"
    severity = "medium"
    confidence = "low"
    mitre_attack = "T1590.006"
    reference = "https://attack.mitre.org/techniques/T1590/006/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // Branch 1: known scanning/enumeration tool binaries by name (snmpwalk and
    // onesixtyone included so the SNMP tools named in the description are covered).
    // Branch 2: distinctive scan flags or OSINT services on the command line.
    (
      re.regex($e.target.process.file.full_path, `(?i)(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|dnsenum|arp-scan|zmap|snmpwalk|onesixtyone)`) or
      re.regex($e.target.process.command_line, `(?i)(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)`)
    )

  condition:
    $e
}

Severity: medium. Confidence: low.

Google Chronicle YARA-L 2.0 detection for Network Security Appliances. Detects network security appliance reconnaissance via two branches: (1) execution of known scanning/enumeration tools (nmap, masscan, zmap, snmpwalk, onesixtyone) on managed endpoints with firewall fi

Data Sources

Google Chronicle SIEM, endpoint telemetry, DNS logs

Required Tables

PROCESS_LAUNCH, DNS

False Positives & Tuning

  • Authorized network security assessments conducted by the internal security team
  • IT administrators performing network discovery for asset management
  • Security compliance teams running authorized external attack surface scans
  • Network monitoring platforms performing regular topology discovery

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Firewall ACK Scan with Fingerprinting Scripts

    Expected signal: auditd/Sysmon (Linux): Process creation for nmap with arguments '-sA -p 22,80,443,8080,8443,4443,3128 --script firewall-bypass,firewalk'. Network connections to 127.0.0.1 on specified ports. File creation event for /tmp/df00tech_ackscan.xml. The -sA flag and NSE script names are distinctive and uncommon in legitimate administrative use.

  2. Test 2: SNMP Community String Brute Force Against Security Appliances

    Expected signal: Process creation events for onesixtyone (with -c flag pointing to community string list) and snmpwalk (with -v2c flag and explicit community strings 'public'/'private'). Multiple UDP connections to 127.0.0.1 port 161 in rapid succession. The community string list file creation at /tmp/df00tech_communities.txt is also detectable.

  3. Test 3: Masscan Sweep of Security Appliance Management Port Ranges

    Expected signal: Process creation for masscan with -p flag listing vendor-specific management ports and --rate flag. Rapid outbound network connections to 127.0.0.1 on all 12 listed ports within seconds. JSON output file creation at /tmp/df00tech_masscan_mgmt.json. The specific combination of vendor management ports (not general port ranges) is the key distinguishing indicator.

  4. Test 4: WAF Fingerprinting via HTTP Probe Requests

    Expected signal: Multiple process creation events for curl with distinct malicious-looking path arguments. Sequential requests to 127.0.0.1 covering SQLi, LFI, XSS, and path traversal payloads. On a real target, WAF access logs would show 403/406 responses with WAF-specific headers. The pattern of rapid sequential requests to /.env, /wp-admin/, /etc/passwd from the same source IP is detectable at the WAF layer.

  5. Test 5: Nmap Service Version Detection Against Security Appliance Ports

    Expected signal: Process creation for nmap with -sV, --script banner, --script ssl-cert, --script http-title arguments targeting vendor-specific management ports (3978 PAN-OS, 4443 Cisco ASA clientless VPN, 8880 FortiGate redirect, 10443 Cisco ASDM). Network connections to 127.0.0.1 on all listed ports. Output file creation at /tmp/df00tech_version_scan.txt.
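The following Python script is an added example, not part of this page's detection package and not Chronicle's own tooling. Because a YARA-L rule cannot be executed offline, it replays the rule's two regex branches in Python over constructed UDM-style PROCESS_LAUNCH events so you can see which of the five tests above the process-launch branch actually covers, how the "authorized internal assessment" exception from the False Positives section can be applied as a host/account allowlist, and why the rule carries low confidence (the `\-O\s` alternation also fires on unrelated commands such as `curl -O`). Hostnames, user names, the allowlist pairs and the abbreviated command lines are constructed; the process-name pattern includes snmpwalk and onesixtyone so that Test 2 is covered, as the rule description states.

```python
"""Replay of the T1590.006 YARA-L process-launch rule over constructed events.
Added example; the events, hosts, users and allowlist are all made up."""
import re
from dataclasses import dataclass

# Branch 1 of the rule: tool binary name in target.process.file.full_path.
PATH_RE = re.compile(
    r"(nmap|masscan|nikto|theharvester|recon-ng|maltego|spiderfoot|"
    r"dnsenum|arp-scan|zmap|snmpwalk|onesixtyone)", re.IGNORECASE)
# Branch 2 of the rule: scan flags / OSINT services in target.process.command_line.
CMD_RE = re.compile(
    r"(\-sV\s|\-O\s|\-sC\s|dnsenum|whois\s|hunter\.io|shodan)", re.IGNORECASE)

# Tuning allowlist (constructed): (hostname, user) pairs the internal security
# team runs authorized assessments from. Everything else still alerts.
AUTHORIZED_SCANNERS = {("vulnscan-01", "svc_vulnscan")}


@dataclass(frozen=True)
class ProcessLaunch:
    """Minimal stand-in for the UDM fields the rule reads."""
    hostname: str
    user: str
    full_path: str
    command_line: str
    label: str  # which atomic test or benign scenario this event models


def rule_branch(ev: ProcessLaunch):
    """Return "path", "cmdline" or None: the first rule branch that fires."""
    if PATH_RE.search(ev.full_path):
        return "path"
    if CMD_RE.search(ev.command_line):
        return "cmdline"
    return None


def evaluate(events, allowlist=AUTHORIZED_SCANNERS):
    """Map event label -> (branch, alert). alert is False when no branch
    matched or when the (hostname, user) pair is on the allowlist."""
    results = {}
    for ev in events:
        branch = rule_branch(ev)
        suppressed = branch is not None and (ev.hostname, ev.user) in allowlist
        results[ev.label] = (branch, branch is not None and not suppressed)
    return results


def coverage_report(results):
    """Labels of events that produced no alert (coverage gaps or suppressions)."""
    return sorted(label for label, (_, alert) in results.items() if not alert)


# Constructed events: one per atomic test (command lines abbreviated from the
# Testing Methodology section) plus benign look-alikes.
SAMPLE_EVENTS = [
    ProcessLaunch("ws-17", "jdoe", "/usr/bin/nmap",
                  "nmap -sA -p 22,80,443,8080,8443 --script firewall-bypass,firewalk 127.0.0.1",
                  "test1_nmap_ack"),
    ProcessLaunch("ws-17", "jdoe", "/usr/bin/onesixtyone",
                  "onesixtyone -c /tmp/df00tech_communities.txt 127.0.0.1",
                  "test2_onesixtyone"),
    ProcessLaunch("ws-17", "jdoe", "/usr/bin/masscan",
                  "masscan 127.0.0.1 -p 443,4443,8443,10443 --rate 1000",
                  "test3_masscan"),
    ProcessLaunch("ws-17", "jdoe", "/usr/bin/curl",
                  "curl -s http://127.0.0.1/.env", "test4_curl_waf_probe"),
    ProcessLaunch("ws-17", "jdoe", "/usr/bin/nmap",
                  "nmap -sV --script banner -p 3978,4443,8880,10443 127.0.0.1",
                  "test5_nmap_version"),
    # Authorized scanner running the same tool: the rule matches, tuning suppresses.
    ProcessLaunch("vulnscan-01", "svc_vulnscan", "/usr/bin/nmap",
                  "nmap -sV 10.0.0.0/24", "benign_authorized_scan"),
    # Unrelated download whose "-O " flag hits the command-line branch (false positive).
    ProcessLaunch("ws-02", "admin", "/usr/bin/curl",
                  "curl -O https://example.invalid/agent.tar.gz", "benign_curl_dash_O"),
    ProcessLaunch("ws-02", "admin", "/bin/ls", "ls -la /var/log", "benign_ls"),
]


if __name__ == "__main__":
    res = evaluate(SAMPLE_EVENTS)
    for label, (branch, alert) in res.items():
        print(f"{label:24} branch={str(branch):8} alert={alert}")
    print("no alert:", coverage_report(res))
```

Running it shows Tests 1, 2, 3 and 5 alerting on the process-name branch, Test 4 producing nothing (a plain `curl` to `/.env` carries none of the rule's indicators, which is why that test is expected to surface in WAF access logs rather than in PROCESS_LAUNCH telemetry), the authorized scanner suppressed by the allowlist, and the benign `curl -O` download raising a false positive through the command-line branch.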
