T1595.002 Vulnerability Scanning Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1595.002 — Vulnerability Scanning
// Branch 1: IDS/IPS/WAF/Firewall detection of inbound vulnerability scanning
let ScanToolSignatures = dynamic([
    "Nessus", "Qualys", "OpenVAS", "Acunetix", "Nikto", "Masscan", "Nuclei",
    "sqlmap", "dirb", "gobuster", "WPScan", "w3af", "skipfish", "wfuzz",
    "Burp", "OWASP ZAP", "Metasploit", "Shodan", "Censys", "zgrab",
    "nmap", "rustscan", "feroxbuster", "dirbuster"
]);
let ScanEventCategories = dynamic([
    "scan", "probe", "reconnaissance", "vuln-scan", "port-scan",
    "web-scan", "vulnerability", "exploit-attempt", "policy-violation"
]);
let IDSScanAlerts =
    CommonSecurityLog
    | where TimeGenerated > ago(24h)
    | where Message has_any (ScanToolSignatures)
        or Activity has_any (ScanEventCategories)
        or DeviceEventCategory has_any (ScanEventCategories)
        or AdditionalExtensions has_any (ScanToolSignatures)
        or RequestURL has_any ([
            "/.env", "/.git/HEAD", "/wp-login.php", "/phpmyadmin",
            "/manager/html", "/actuator/env", "/actuator/health",
            "/cgi-bin/test-cgi", "/xmlrpc.php", "/server-status",
            "/../../../etc/passwd", "/api/swagger-ui.html"
        ])
    | summarize
        AlertCount = count(),
        UniqueTargets = dcount(DestinationIP),
        UniqueSignatures = dcount(Activity),
        Signatures = make_set(Activity, 15),
        TargetPorts = make_set(DestinationPort, 25),
        ProbeURLs = make_set(RequestURL, 10),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by SourceIP, DeviceVendor, DeviceProduct
    | where AlertCount >= 3
    | extend
        DetectionBranch = "IDS-WAF-Firewall",
        ScanIntensity = case(
            AlertCount >= 200, "Critical",
            AlertCount >= 50, "High",
            AlertCount >= 10, "Medium",
            "Low"),
        DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
    | project
        FirstSeen, LastSeen, DurationMinutes, SourceIP, ScanIntensity,
        AlertCount, UniqueTargets, UniqueSignatures, Signatures,
        TargetPorts, ProbeURLs, DeviceVendor, DeviceProduct, DetectionBranch;
// Branch 2: Internal endpoint executing known vulnerability scanning tools
// Detects pivot scanning, authorized scanner misuse, or compromised host scanning
let InternalScanExecution =
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (
            "nmap", "masscan", "nikto", "nuclei", "openvas", "nessus",
            "acunetix", "sqlmap", "gobuster", "dirb", "wpscan", "wfuzz",
            "ffuf", "feroxbuster", "skipfish", "rustscan", "zgrab")
        or ProcessCommandLine has_any (
            "--script vuln", "-sV --script", "--top-ports",
            "-p 1-65535", "masscan --rate", "nuclei -t cves",
            "nikto -h", "sqlmap -u", "gobuster dir -u",
            "ffuf -w", "wfuzz -c", "-A --open")
    | summarize
        AlertCount = count(),
        Commands = make_set(ProcessCommandLine, 5),
        Signatures = make_set(FileName, 10),
        FirstSeen = min(Timestamp),
        LastSeen = max(Timestamp),
        UniqueTargets = dcount(DeviceName)
        by AccountName, DeviceName, FileName
    | extend
        DetectionBranch = "InternalScannerExecution",
        ScanIntensity = "Medium",
        SourceIP = DeviceName,
        UniqueSignatures = array_length(Signatures),
        TargetPorts = dynamic([]),
        ProbeURLs = dynamic([]),
        DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen),
        DeviceVendor = "MicrosoftDefenderEndpoint",
        DeviceProduct = FileName
    | project
        FirstSeen, LastSeen, DurationMinutes, SourceIP, ScanIntensity,
        AlertCount, UniqueTargets, UniqueSignatures, Signatures,
        TargetPorts, ProbeURLs, DeviceVendor, DeviceProduct, DetectionBranch;
IDSScanAlerts
| union InternalScanExecution
| sort by AlertCount desc

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content Process: Process Creation CommonSecurityLog (IDS/IPS/WAF CEF via Syslog) Microsoft Defender for Endpoint DeviceProcessEvents

Required Tables

CommonSecurityLog DeviceProcessEvents

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges
Bug bounty platform scanners or contracted external assessments arriving from third-party IP ranges with change management approval documentation

Splunk

spl

| union
[
  search index=ids sourcetype IN ("suricata", "snort", "bro:notice", "zeek:notice")
      ("SCAN" OR "PROBE" OR "Nessus" OR "Qualys" OR "OpenVAS" OR "Nikto"
       OR "Acunetix" OR "sqlmap" OR "Masscan" OR "Nuclei" OR "gobuster"
       OR "WPScan" OR "dirb" OR "wfuzz" OR "nmap" OR "rustscan" OR "zgrab")
  | eval detection_branch="IDS_Alert"
  | eval src_display=coalesce(src_ip, src)
  | eval sig_display=coalesce(signature, alert.signature, rule_name, category, "-")
  | eval dest_display=coalesce(dest_ip, dest)
  | eval port_display=coalesce(dest_port, 0)
  | stats
      count as alert_count,
      dc(dest_display) as unique_targets,
      dc(sig_display) as unique_signatures,
      values(sig_display) as signatures,
      values(port_display) as dest_ports,
      min(_time) as first_seen,
      max(_time) as last_seen
      by src_display, detection_branch
  | where alert_count >= 3
  | eval scan_intensity=case(
      alert_count >= 200, "Critical",
      alert_count >= 50, "High",
      alert_count >= 10, "Medium",
      true(), "Low")
  | eval duration_minutes=round((last_seen - first_seen) / 60, 1)
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\nikto*"
       OR Image="*\\nuclei.exe" OR Image="*\\sqlmap*" OR Image="*\\gobuster.exe"
       OR Image="*\\wpscan*" OR Image="*\\ffuf.exe" OR Image="*\\feroxbuster.exe"
       OR Image="*\\rustscan.exe" OR Image="*\\dirb*" OR Image="*\\wfuzz*"
       OR CommandLine="*--script vuln*" OR CommandLine="*-p 1-65535*"
       OR CommandLine="*masscan --rate*" OR CommandLine="*nuclei -t cves*"
       OR CommandLine="*nikto -h*" OR CommandLine="*gobuster dir*"
       OR CommandLine="*ffuf -w*" OR CommandLine="*--top-ports*")
  | eval detection_branch="InternalScanner"
  | eval src_display=host
  | eval sig_display=Image
  | eval unique_targets=1
  | eval scan_intensity="Medium"
  | stats
      count as alert_count,
      dc(host) as unique_targets,
      dc(sig_display) as unique_signatures,
      values(sig_display) as signatures,
      values(CommandLine) as dest_ports,
      min(_time) as first_seen,
      max(_time) as last_seen
      by src_display, detection_branch, User
  | eval duration_minutes=round((last_seen - first_seen) / 60, 1)
]
| table first_seen, last_seen, duration_minutes, src_display, scan_intensity,
         alert_count, unique_targets, unique_signatures, signatures,
         dest_ports, detection_branch
| sort - alert_count

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content IDS/IPS Alert Logs (Suricata, Snort, Zeek) Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

suricata snort bro:notice zeek:notice XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized vulnerability management scanners (Nessus, Qualys, InsightVM) running from documented internal IP ranges will generate high-volume IDS alerts matching scanner signatures
Penetration testing tool execution on endpoints during approved engagements will fire on the Sysmon branch — correlate with change management windows
Security engineering or DevSecOps teams running DAST tooling (OWASP ZAP, Burp Suite, nuclei) against pre-production application environments
Cloud workload security agents or posture management platforms scanning internal assets will appear as authorized inbound scans from cloud provider CIDRs
Network monitoring systems using active probing (SolarWinds, PRTG, Nagios with NRPE plugins) may generate port-probe patterns resembling scan activity

Elastic Security (EQL)

eql

// T1595.002 — Vulnerability Scanning
any where event.dataset : "network_traffic.flow"
  and user_agent.original : (
    "Nessus*", "OpenVAS*", "Qualys*", "Acunetix*", "Nikto*",
    "Nuclei*", "sqlmap*", "WPScan*", "Masscan*"
  )
  or (network.direction == "inbound"
  and destination.port in (80, 443, 8080, 8443, 22, 21, 3389, 445))

medium severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("useragent") ILIKE '%nessus%' OR LOWER("useragent") ILIKE '%qualys%' OR LOWER("useragent") ILIKE '%openvas%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("useragent") ILIKE '%nikto%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("useragent") ILIKE '%nessus%' OR LOWER("useragent") ILIKE '%qualys%' OR LOWER("useragent") ILIKE '%openvas%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("useragent") ILIKE '%nikto%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges

Google Chronicle / SecOps

yaral

rule t1595_002_vulnerability_scanning {
  meta:
    author = "df00tech"
    description = "Detects Vulnerability Scanning (T1595.002)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1595.002"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1595.002 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1595.002 - OSINTTool";
    * => TechniqueLabel := "T1595.002 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges

Vulnerability Scanning

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections