T1590.006 Splunk · SPL

Detect Network Security Appliances in Splunk

Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. This reconnaissance may occur via active scanning techniques (port scanning, banner grabbing, ACK probes to identify stateful firewalls, SNMP enumeration), passive OSINT collection (Shodan/Censys searches, job posting analysis revealing security stack), or phishing for information. Volt Typhoon has been documented conducting this type of pre-compromise reconnaissance to identify network security measures before intrusion attempts against US critical infrastructure. Intelligence on security appliance types and versions enables adversaries to identify applicable CVEs, plan evasion strategies tailored to specific vendor implementations, and select appropriate tooling.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Sub-technique
T1590.006 Network Security Appliances
Canonical reference
https://attack.mitre.org/techniques/T1590/006/

SPL Detection Query

Splunk (SPL)
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine)
| eval IsScanTool=if(
    match(Image, "(\\\\nmap\.exe|\\\\masscan\.exe|\\\\zenmap\.exe|\\\\zmap\.exe|\\\\hping3?\.exe|\\\\unicornscan\.exe|\\\\openvas|\\\\nikto)") OR
    match(CommandLine, "(\bnmap\b|\bmasscan\b|\bzenmap\b|\bzmap\b|\bhping3?\b|\bunicornscan\b)"), 1, 0)
| eval IsFirewallFingerprint=if(
    match(CommandLine, "(\s-sa\s|--script\s+firewall|firewalk|--badsum|--script=firewall-bypass|--script=firewalk|--script\s+http-waf|--script=http-waf|--mtu\s+[0-9]|\s-f\s|--data-length|--ttl\s+[0-9])"), 1, 0)
| eval IsSNMPProbe=if(
    match(Image, "(snmpwalk|snmpget|snmpbulkwalk|onesixtyone|snmp-check)") OR
    match(CommandLine, "(snmpwalk|snmpget|snmpbulkwalk|onesixtyone|snmp-check)") OR
    (match(CommandLine, "snmp") AND match(CommandLine, "(community|public|private|-c\s|-v2c|-v1\s)")), 1, 0)
| eval IsVersionScan=if(
    match(CommandLine, "(-sv\s|--version-intensity|--script=banner|--script\s+banner|--script=ssl-cert)") AND
    match(CommandLine, "(443|8443|4443|3978|8080|3128|18190|18191|541|257)"), 1, 0)
| eval RiskScore=IsScanTool + IsFirewallFingerprint + IsSNMPProbe + IsVersionScan
| where RiskScore > 0
| eval RiskIndicators=mvappend(
    if(IsScanTool=1, "scanning_tool_execution", null()),
    if(IsFirewallFingerprint=1, "firewall_fingerprint_args", null()),
    if(IsSNMPProbe=1, "snmp_appliance_enumeration", null()),
    if(IsVersionScan=1, "service_version_scan_mgmt_ports", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RiskScore, RiskIndicators
| sort - RiskScore, - _time
Severity: medium · Confidence: low

Detects network security appliance reconnaissance via Sysmon Event ID 1 (Process Creation). Evaluates four independent risk dimensions: (1) execution of known scanning tools (nmap, masscan, hping, zmap, by image name or command line token), (2) firewall fingerprinting and evasion arguments (-sA, firewalk, --badsum, WAF detection scripts, plus fragmentation and TTL manipulation flags such as -f, --mtu, --ttl and --data-length), (3) SNMP enumeration of security appliances by tool name or by an snmp command carrying community string options (snmpwalk, onesixtyone), and (4) version scanning (-sV, banner and ssl-cert scripts) whose command line also names a known security appliance management port. Dimensions (2) and (4) are evaluated on CommandLine alone and are not gated on a scanner being present, so a single process can score anywhere from 1 to 4. Cumulative risk scoring enables analyst prioritization: a RiskScore of 2 or more indicates high-confidence reconnaissance activity, while a score of 1 usually needs the parent process and user context from the table to triage.

Data Sources

Process: Process Creation (Sysmon Event ID 1)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized penetration testers or red team operators running network scans from corporate endpoints during sanctioned engagements
  • Network operations personnel using nmap for routine network discovery, asset documentation, and connectivity validation
  • SNMP management systems (Zabbix, PRTG, SolarWinds) polling security appliances for health and performance metrics
  • Security engineers testing firewall ACL changes by probing specific ports from authorized admin workstations
  • Vulnerability management agents (Qualys Cloud Agent, Tenable Nessus Agent) that spawn scanning processes locally
  • The IsFirewallFingerprint patterns for a bare -f, --mtu, --ttl and --data-length are matched on CommandLine without reference to the image, so any process passing -f (git clean -f, tar -f, rm -f) or a --ttl option scores 1 with no scanner involved; if this is noisy, require IsScanTool=1 in that eval or restrict those flags to command lines that also contain an nmap or hping token
  • The management-port regex in IsVersionScan is unanchored, so 443 also matches 8443, 10443 and any other port that contains that substring; anchor the alternatives (for example with \b) if exact port matching is needed
  • The query keys on process creation only; HTTP-layer WAF probing (curl against /.env, /etc/passwd and similar paths) produces no score here and must be detected from web server or WAF logs

Testing Methodology

Validate this detection against the five adversary tests from Atomic Red Team listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Note that the tests as described run on Linux (auditd or Sysmon for Linux, output files under /tmp), whereas the query above reads the Windows Sysmon sourcetype and its Image patterns look for .exe names; the CommandLine patterns still match on Linux, but you must point the index and sourcetype at your Linux process creation data to exercise the rule there. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Firewall ACK Scan with Fingerprinting Scripts

    Expected signal: auditd/Sysmon (Linux): Process creation for nmap with arguments '-sA -p 22,80,443,8080,8443,4443,3128 --script firewall-bypass,firewalk'. Network connections to 127.0.0.1 on specified ports. File creation event for /tmp/df00tech_ackscan.xml. The -sA flag and NSE script names are distinctive and uncommon in legitimate administrative use.

  2. Test 2: SNMP Community String Brute Force Against Security Appliances

    Expected signal: Process creation events for onesixtyone (with -c flag pointing to community string list) and snmpwalk (with -v2c flag and explicit community strings 'public'/'private'). Multiple UDP connections to 127.0.0.1 port 161 in rapid succession. The community string list file creation at /tmp/df00tech_communities.txt is also detectable.

  3. Test 3: Masscan Sweep of Security Appliance Management Port Ranges

    Expected signal: Process creation for masscan with -p flag listing vendor-specific management ports and --rate flag. Rapid outbound network connections to 127.0.0.1 on all 12 listed ports within seconds. JSON output file creation at /tmp/df00tech_masscan_mgmt.json. The specific combination of vendor management ports (not general port ranges) is the key distinguishing indicator.

  4. Test 4: WAF Fingerprinting via HTTP Probe Requests

    Expected signal: Multiple process creation events for curl with distinct malicious-looking path arguments. Sequential requests to 127.0.0.1 covering SQLi, LFI, XSS, and path traversal payloads. On a real target, WAF access logs would show 403/406 responses with WAF-specific headers. The pattern of rapid sequential requests to /.env, /wp-admin/, /etc/passwd from the same source IP is detectable at the WAF layer. The SPL query above has no HTTP-probe dimension and none of its patterns match curl, so these process creation events score 0 there; this test validates WAF-side logging rather than the Splunk rule.

  5. Test 5: Nmap Service Version Detection Against Security Appliance Ports

    Expected signal: Process creation for nmap with -sV, --script banner, --script ssl-cert, --script http-title arguments targeting vendor-specific management ports (3978 PAN-OS, 4443 Cisco ASA clientless VPN, 8880 FortiGate redirect, 10443 Cisco ASDM). Network connections to 127.0.0.1 on all listed ports. Output file creation at /tmp/df00tech_version_scan.txt.
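The risk scoring of the SPL query above, re-implemented in Python so that the four match() dimensions can be exercised offline against the argument patterns from Tests 1 to 5 before the rule is deployed. This is an added example, not the page's query and not an Atomic Red Team test; the regexes are copied one for one from the SPL, and the sample events are constructed (Windows-style Image paths are assumed, the test arguments are pointed at 127.0.0.1 as in the tests, and one benign "git clean -f" command is included to show the generic -f pattern firing). Running it shows that Tests 1 and 5 score 2, Tests 2 and 3 score 1, the benign git command scores 1, and the curl probes of Test 4 score 0 and are dropped by the RiskScore > 0 filter.

```python
"""Offline model of the SPL risk scoring above (added example, not the page's query)."""
import re

# Regexes mirror the SPL match() calls one for one. SPL writes a literal
# backslash as "\\\\" inside a string; in a Python raw string that is "\\".
SCAN_TOOL_IMAGE = re.compile(
    r"\\nmap\.exe|\\masscan\.exe|\\zenmap\.exe|\\zmap\.exe|\\hping3?\.exe"
    r"|\\unicornscan\.exe|\\openvas|\\nikto")
SCAN_TOOL_CMD = re.compile(
    r"\bnmap\b|\bmasscan\b|\bzenmap\b|\bzmap\b|\bhping3?\b|\bunicornscan\b")
FIREWALL_ARGS = re.compile(
    r"\s-sa\s|--script\s+firewall|firewalk|--badsum|--script=firewall-bypass"
    r"|--script=firewalk|--script\s+http-waf|--script=http-waf|--mtu\s+[0-9]"
    r"|\s-f\s|--data-length|--ttl\s+[0-9]")
SNMP_TOOLS = re.compile(r"snmpwalk|snmpget|snmpbulkwalk|onesixtyone|snmp-check")
SNMP_ARGS = re.compile(r"community|public|private|-c\s|-v2c|-v1\s")
VERSION_ARGS = re.compile(
    r"-sv\s|--version-intensity|--script=banner|--script\s+banner|--script=ssl-cert")
# Unanchored, exactly as in the SPL: "443" also matches 8443 and 10443.
MGMT_PORTS = re.compile(r"443|8443|4443|3978|8080|3128|18190|18191|541|257")


def score_event(image: str, command_line: str) -> dict:
    """Score one process-creation event the way the SPL evals do."""
    image, cmd = image.lower(), command_line.lower()  # the query lowercases both fields first
    # Flag names and order match the mvappend() that builds RiskIndicators.
    flags = {
        "scanning_tool_execution": bool(SCAN_TOOL_IMAGE.search(image) or SCAN_TOOL_CMD.search(cmd)),
        "firewall_fingerprint_args": bool(FIREWALL_ARGS.search(cmd)),
        "snmp_appliance_enumeration": bool(
            SNMP_TOOLS.search(image) or SNMP_TOOLS.search(cmd)
            or ("snmp" in cmd and SNMP_ARGS.search(cmd))),
        "service_version_scan_mgmt_ports": bool(VERSION_ARGS.search(cmd) and MGMT_PORTS.search(cmd)),
    }
    indicators = [name for name, hit in flags.items() if hit]
    return {"Image": image, "CommandLine": cmd,
            "RiskScore": len(indicators), "RiskIndicators": indicators}


def run_detection(events):
    """Apply 'where RiskScore > 0' and 'sort - RiskScore' to (Image, CommandLine) pairs."""
    scored = [score_event(img, cmd) for img, cmd in events]
    return sorted((e for e in scored if e["RiskScore"] > 0), key=lambda e: -e["RiskScore"])


# Constructed sample events (not real telemetry): Windows-style Image paths
# carrying the argument patterns from Tests 1-5, plus a benign git command.
SAMPLE_EVENTS = [
    (r"C:\Program Files (x86)\Nmap\nmap.exe",                               # Test 1
     "nmap.exe -sA -p 22,80,443,8080,8443,4443,3128 --script firewall-bypass,firewalk 127.0.0.1"),
    (r"C:\Tools\onesixtyone.exe",                                           # Test 2
     r"onesixtyone.exe -c C:\Tools\communities.txt 127.0.0.1"),
    (r"C:\Tools\masscan.exe",                                               # Test 3
     "masscan.exe -p443,8443,4443,3978,8080,3128,18190,18191,541,257,10443,8880 --rate 1000 127.0.0.1"),
    (r"C:\Windows\System32\curl.exe",                                       # Test 4
     "curl.exe -s -o nul -w %{http_code} http://127.0.0.1/.env"),
    (r"C:\Program Files (x86)\Nmap\nmap.exe",                               # Test 5
     "nmap.exe -sV --script banner,ssl-cert,http-title -p 3978,4443,8880,10443 127.0.0.1"),
    (r"C:\Program Files\Git\cmd\git.exe", "git.exe clean -f -d"),          # benign, trips "\s-f\s"
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["RiskScore"], hit["RiskIndicators"], hit["CommandLine"])
```

Because the patterns are copied verbatim, a proposed change to the SPL (for example gating the -f and --ttl flags on IsScanTool, or anchoring the port list) can be tried here against the same sample command lines first and the change in scores read off directly; the git event is the one that should disappear after such a tightening.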
