Detect Gather Victim Network Information in CrowdStrike LogScale
This detection identifies adversary reconnaissance activity targeting victim network information, including IP ranges, domain names, DNS records, network topology, and security appliance configurations. Because T1590 is a PRE-ATT&CK technique, direct detection within the victim environment is limited; however, second-order indicators are observable when adversaries deploy internal network enumeration tools post-compromise (as seen with Volt Typhoon, Indrik Spider, and HAFNIUM), attempt DNS zone transfers, execute WHOIS or DNS enumeration utilities, or run network discovery tools such as Lansweeper and Advanced IP Scanner. Detection focuses on process execution of known network reconnaissance binaries, DNS zone transfer attempts, and anomalous internal network topology queries that suggest an adversary mapping the environment for lateral movement or targeting.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1590 Gather Victim Network Information
- Canonical reference
- https://attack.mitre.org/techniques/T1590/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| FileName = /(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass\.exe|theharvester|lansweeper\.exe|netdiscover|angryip|advanced_port_scanner\.exe|nltest\.exe|nslookup\.exe|dig\.exe)/
OR CommandLine = /(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass|theharvester|lansweeper|netdiscover|angryip|advanced.port.scanner|axfr|zone-transfer|zone\s+transfer|-t\s+any|\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)/
| case {
CommandLine = /(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan)/ |
ReconCategory := "PortHostScanning" | SuspicionScore := 90 ;
CommandLine = /(?i)(dnsrecon|dnsenum|fierce|axfr|zone-transfer|zone.transfer)/ |
ReconCategory := "DNSEnumeration" | SuspicionScore := 85 ;
CommandLine = /(?i)(lansweeper|advanced.port.scanner|angryip|netdiscover|advanced_port_scanner)/ |
ReconCategory := "NetworkDiscoveryTool" | SuspicionScore := 80 ;
CommandLine = /(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)/ AND FileName = /(?i)nltest/ |
ReconCategory := "DomainTrustEnumeration" | SuspicionScore := 70 ;
FileName = /(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|lansweeper\.exe|dnsrecon|fierce|dnsenum)/ |
ReconCategory := "KnownReconBinary" | SuspicionScore := 75 ;
* | ReconCategory := "GeneralNetworkRecon" | SuspicionScore := 50 ;
}
| where SuspicionScore > 50
| ParentBaseFileName := splitString(ParentCommandLine, "\\")[-1]
| table([timestamp, ComputerName, UserName, FileName, FilePath, CommandLine, ParentBaseFileName, ParentCommandLine, ReconCategory, SuspicionScore])
| sort(field=SuspicionScore, order=desc)CrowdStrike Falcon LogScale (CQL) query detecting network reconnaissance activity consistent with T1590 using ProcessRollup2 events from the Falcon sensor. Identifies known scanning binaries by FileName and CommandLine regex patterns, applies categorical classification for port/host scanning, DNS enumeration, network discovery tools, and domain trust enumeration, then scores findings by suspicion level for analyst triage. Aligns with KQL/SPL baseline categories for cross-platform consistency.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing engagements — scope exclusion by ComputerName for known tester workstations or by UserName for red team service accounts
- Network management solutions (Lansweeper, PDQ Inventory, SolarWinds) executing scheduled network scans under documented service accounts from dedicated scanner hosts
- Active Directory administrators running nltest commands for routine domain controller discovery, trust relationship auditing, or Kerberos ticket validation during support escalations
- Vulnerability management agents (Tenable, Rapid7, Qualys) spawning nmap subprocesses from their scan coordinator hosts on defined scanning schedules
- Security engineering teams running dnsrecon or fierce in isolated lab or staging environments for detection rule validation and threat simulation exercises
Other platforms for T1590
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Nmap Internal Subnet Port Scan
Expected signal: Sysmon EventCode 1 (process create) with Image=nmap.exe, CommandLine containing the subnet range. Sysmon EventCode 3 (network connect) showing connections from nmap.exe to multiple internal IPs on specified ports. DeviceProcessEvents and DeviceNetworkEvents telemetry in MDE.
- Test 2DNS Zone Transfer Attempt via nslookup
Expected signal: Sysmon EventCode 1 with Image=nslookup.exe, CommandLine containing 'AXFR' and the target domain. Windows DNS debug log (if enabled) will show an AXFR request from the client IP. DeviceProcessEvents in MDE captures the command line.
- Test 3Domain Trust Enumeration via nltest
Expected signal: Sysmon EventCode 1 (process create) for each nltest invocation with the respective flags in CommandLine. SecurityEvent EventID 4688 if process command line auditing is enabled via GPO. DeviceProcessEvents in MDE with full command line captured.
- Test 4Internal Network Discovery with Advanced IP Scanner
Expected signal: DeviceFileEvents showing advanced_ip_scanner.exe created in C:\Temp. Sysmon EventCode 11 (file create) for the binary. Process creation event for advanced_ip_scanner.exe. Network connection events to multiple internal IPs during scan. DeviceNetworkEvents in MDE showing mass internal connections.
References (5)
- https://attack.mitre.org/techniques/T1590/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
- https://www.secureworks.com/research/indrik-spider
Unlock Pro Content
Get the full detection package for T1590 including response playbook, investigation guide, and atomic red team tests.