T1590.006 Microsoft Sentinel · KQL

Detect Network Security Appliances in Microsoft Sentinel

Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. This reconnaissance may occur via active scanning techniques (port scanning, banner grabbing, ACK probes to identify stateful firewalls, SNMP enumeration), passive OSINT collection (Shodan/Censys searches, job posting analysis revealing security stack), or phishing for information. Volt Typhoon has been documented conducting this type of pre-compromise reconnaissance to identify network security measures before intrusion attempts against US critical infrastructure. Intelligence on security appliance types and versions enables adversaries to identify applicable CVEs, plan evasion strategies tailored to specific vendor implementations, and select appropriate tooling.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.006 Network Security Appliances
Canonical reference: https://attack.mitre.org/techniques/T1590/006/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
let ApplianceMgmtPorts = dynamic([22, 23, 161, 162, 257, 443, 541, 830, 3128, 3978, 4443, 8080, 8443, 8880, 10443, 18190, 18191, 18210, 18211, 18264]);
let ScanningTools = dynamic(["nmap", "masscan", "zenmap", "zmap", "unicornscan", "hping3", "hping", "openvas", "nikto", "snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check"]);
let FirewallFingerprintArgs = dynamic(["-sA", "--script firewall", "firewalk", "--script=firewall-bypass", "--badsum", "--data-length", "--ttl ", "--script=firewalk", "--script http-waf", "--script=http-waf-detect", "-f ", "--mtu "]);
// Branch 1: Detect security appliance scanning tools on managed endpoints
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanningTools)
    or ProcessCommandLine has_any (ScanningTools)
    or ProcessCommandLine has_any (FirewallFingerprintArgs)
// case() evaluates top-down: fingerprinting arguments take precedence over SNMP, which takes precedence over plain tool execution
| extend RiskIndicator = case(
    ProcessCommandLine has_any (FirewallFingerprintArgs), "Firewall Fingerprinting Arguments",
    ProcessCommandLine has_any ("snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check") or (ProcessCommandLine has "snmp" and ProcessCommandLine has_any ("public", "private", "community", "-c ", "-v2c", "-v1")), "SNMP Enumeration",
    FileName has_any (ScanningTools) or ProcessCommandLine has_any (ScanningTools), "Network Scanning Tool Execution",
    "Unknown"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskIndicator
| union (
  // Branch 2: Systematic probing of security appliance management ports from internal endpoints
  DeviceNetworkEvents
  | where Timestamp > ago(24h)
  | where RemotePort in (ApplianceMgmtPorts)
  | summarize DistinctMgmtPorts=dcount(RemotePort), PortsProbed=make_set(RemotePort), TargetIPs=dcount(RemoteIP), ConnectionCount=count() by DeviceName, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 30m)
  | where DistinctMgmtPorts >= 4 or ConnectionCount >= 15
  | extend RiskIndicator = "Multi-Port Sweep of Management Interfaces"
  | extend FileName = InitiatingProcessFileName
  // Columns absent from this branch (InitiatingProcessCommandLine) are filled with null by union
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine=strcat("Ports: ", tostring(PortsProbed), " | Targets: ", tostring(TargetIPs)), InitiatingProcessFileName, RiskIndicator
)
| sort by Timestamp desc
```

Severity: medium · Confidence: low

Detects network security appliance reconnaissance via two branches: (1) execution of known scanning/enumeration tools (nmap, masscan, zmap, snmpwalk, onesixtyone) on managed endpoints, with each hit classified as firewall fingerprinting (-sA ACK scan, firewalk, --badsum, WAF detection scripts), SNMP community string enumeration, or plain scanning tool execution; and (2) systematic probing of security appliance management interface ports from a single endpoint, account and initiating process, where 4 or more distinct management ports or 15 or more connections are observed within a 30-minute window. Management ports covered include Cisco ASA (4443, 10443), Palo Alto Networks (3978), Fortinet (541, 8443, 8880), Check Point (257, 18190-18264), SNMP (161/162), and standard SSH/HTTPS management ports.
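As an added illustration that is not part of the published rule, the following Python re-implements both branches so the case() precedence and the 30-minute binning can be exercised offline. The device names, accounts, process names and IP addresses are constructed, and the substring `has_any` stand-in only approximates KQL's term-based matching.

```python
# Added example (not the page's rule): Python re-implementation of both KQL branches over constructed rows.
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_PORTS = {22, 23, 161, 162, 257, 443, 541, 830, 3128, 3978, 4443, 8080, 8443, 8880, 10443, 18190, 18191, 18210, 18211, 18264}
SCAN_TOOLS = ["nmap", "masscan", "zenmap", "zmap", "unicornscan", "hping3", "hping", "openvas", "nikto",
              "snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check"]
FW_ARGS = ["-sA", "--script firewall", "firewalk", "--script=firewall-bypass", "--badsum", "--data-length",
           "--ttl ", "--script=firewalk", "--script http-waf", "--script=http-waf-detect", "-f ", "--mtu "]
SNMP_TOOLS = ["snmpwalk", "snmpget", "snmpbulkwalk", "onesixtyone", "snmp-check"]
SNMP_HINTS = ["public", "private", "community", "-c ", "-v2c", "-v1"]
BIN = timedelta(minutes=30)

def has_any(text, terms):
    """Stand-in for KQL has_any: case-insensitive substring test (real KQL matches on terms)."""
    return any(t.lower() in text.lower() for t in terms)

def risk_indicator(filename, cmdline):
    """Branch 1: predicates in the same order as the KQL case(); first match wins."""
    if has_any(cmdline, FW_ARGS):
        return "Firewall Fingerprinting Arguments"
    if has_any(cmdline, SNMP_TOOLS) or ("snmp" in cmdline.lower() and has_any(cmdline, SNMP_HINTS)):
        return "SNMP Enumeration"
    if has_any(filename, SCAN_TOOLS) or has_any(cmdline, SCAN_TOOLS):
        return "Network Scanning Tool Execution"
    return None  # row would not pass the where clause at all

def sweep_alerts(events, min_ports=4, min_conns=15):
    """Branch 2: summarize by device/account/process/30-min bin; alert when either threshold is met."""
    groups = defaultdict(list)
    for e in events:
        if e["port"] in MGMT_PORTS:
            bin_start = e["ts"] - (e["ts"] - datetime.min) % BIN  # equivalent of bin(Timestamp, 30m)
            groups[(e["device"], e["account"], e["process"], bin_start)].append(e)
    alerts = []
    for (dev, acct, proc, start), rows in groups.items():
        ports = sorted({r["port"] for r in rows})
        if len(ports) >= min_ports or len(rows) >= min_conns:
            alerts.append({"device": dev, "account": acct, "process": proc, "bin": start,
                           "ports": ports, "targets": len({r["ip"] for r in rows})})
    return alerts

def row(device, account, process, ip, port, offset_s):  # helper for constructed DeviceNetworkEvents rows
    return {"device": device, "account": account, "process": process, "ip": ip, "port": port,
            "ts": datetime(2024, 1, 1, 10, 5) + timedelta(seconds=offset_s)}

# Constructed telemetry: WS01 touches 5 management ports on 2 hosts within one bin; WS02 is ordinary HTTPS.
SAMPLE = [row("WS01", "jdoe", "python3.exe", ip, p, i) for i, (ip, p) in
          enumerate([("10.0.0.1", 443), ("10.0.0.1", 4443), ("10.0.0.1", 3978), ("10.0.0.2", 8443), ("10.0.0.2", 10443)])]
SAMPLE += [row("WS02", "asmith", "chrome.exe", "10.0.0.9", 443, s) for s in (0, 60, 120)]
```

`sweep_alerts(SAMPLE)` yields a single alert for WS01 (five distinct ports, two targets) and nothing for WS02, which mirrors how the 4-port threshold keeps ordinary HTTPS traffic below the line.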

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives & Tuning

  • IT security teams conducting authorized vulnerability assessments or network audits using nmap or Nessus from designated scanning hosts
  • Network operations center personnel running SNMP queries (snmpwalk, snmpget) against security appliances for legitimate health monitoring and capacity planning
  • Automated vulnerability scanners (Qualys, Rapid7 InsightVM, Tenable) executing scheduled scans from approved scan sources that include management ports in their scope
  • Firewall administrators probing management interface connectivity after configuration changes or maintenance windows
  • Security engineers using nmap for network documentation and asset discovery during authorized change windows
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Firewall ACK Scan with Fingerprinting Scripts

    Expected signal: auditd/Sysmon (Linux): Process creation for nmap with arguments '-sA -p 22,80,443,8080,8443,4443,3128 --script firewall-bypass,firewalk'. Network connections to 127.0.0.1 on specified ports. File creation event for /tmp/df00tech_ackscan.xml. The -sA flag and NSE script names are distinctive and uncommon in legitimate administrative use.

  2. Test 2: SNMP Community String Brute Force Against Security Appliances

    Expected signal: Process creation events for onesixtyone (with -c flag pointing to community string list) and snmpwalk (with -v2c flag and explicit community strings 'public'/'private'). Multiple UDP connections to 127.0.0.1 port 161 in rapid succession. The community string list file creation at /tmp/df00tech_communities.txt is also detectable.

  3. Test 3: Masscan Sweep of Security Appliance Management Port Ranges

    Expected signal: Process creation for masscan with -p flag listing vendor-specific management ports and --rate flag. Rapid outbound network connections to 127.0.0.1 on all 12 listed ports within seconds. JSON output file creation at /tmp/df00tech_masscan_mgmt.json. The specific combination of vendor management ports (not general port ranges) is the key distinguishing indicator.

  4. Test 4: WAF Fingerprinting via HTTP Probe Requests

    Expected signal: Multiple process creation events for curl with distinct malicious-looking path arguments. Sequential requests to 127.0.0.1 covering SQLi, LFI, XSS, and path traversal payloads. On a real target, WAF access logs would show 403/406 responses with WAF-specific headers. The pattern of rapid sequential requests to /.env, /wp-admin/, /etc/passwd from same source IP is detectable at the WAF layer.

  5. Test 5: Nmap Service Version Detection Against Security Appliance Ports

    Expected signal: Process creation for nmap with -sV, --script banner, --script ssl-cert, --script http-title arguments targeting vendor-specific management ports (3978 PAN-OS, 4443 Cisco ASA clientless VPN, 8880 FortiGate redirect, 10443 Cisco ASDM). Network connections to 127.0.0.1 on all listed ports. Output file creation at /tmp/df00tech_version_scan.txt.
