Detect Vulnerability Scanning in IBM QRadar
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans check if target host and application configurations align with specific exploits the adversary seeks to use. These scans harvest running software and version numbers via server banners, listening ports, or other network artifacts. Threat groups including Sandworm Team, APT28, APT29, Magic Hound, Ember Bear, and APT41 have conducted large-scale vulnerability scanning operations against public-facing infrastructure, targeting specific CVEs such as Log4Shell, ProxyShell, and Citrix vulnerabilities. Information from these scans informs follow-on exploitation (T1190), capability development (T1587, T1588), and further reconnaissance operations.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1595 Active Scanning
- Sub-technique
- T1595.002 Vulnerability Scanning
- Canonical reference
- https://attack.mitre.org/techniques/T1595/002/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
LOGSOURCENAME(logsourceid) AS "LogSource",
LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
"username", "sourceip", "destinationip",
"eventid", "deviceaction", "message",
CASE
WHEN LOWER("useragent") ILIKE '%nessus%' OR LOWER("useragent") ILIKE '%qualys%' OR LOWER("useragent") ILIKE '%openvas%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("useragent") ILIKE '%nikto%' THEN 8
ELSE 4
END AS "RiskScore"
FROM events
WHERE (LOWER("useragent") ILIKE '%nessus%' OR LOWER("useragent") ILIKE '%qualys%' OR LOWER("useragent") ILIKE '%openvas%' OR LOWER("useragent") ILIKE '%nuclei%' OR LOWER("useragent") ILIKE '%nikto%')
AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
ORDER BY "RiskScore" DESC, "EventTime" DESC
LAST 24 HOURSQRadar AQL detection for Vulnerability Scanning (T1595.002). SQL-like syntax queries the QRadar events store, correlating log source telemetry with risk scoring to surface reconnaissance and attack patterns. Filters out noise from internal SIM and rule engine log sources.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
- Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
- Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
- Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges
Other platforms for T1595.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Nmap Service and Version Detection Scan
Expected signal: Linux auditd EXECVE record for nmap binary with full argument list. Sysmon for Linux Event ID 1 (Process Create) if deployed: Image=/usr/bin/nmap, CommandLine containing '-sV --script vuln'. Network connections (Sysmon Event ID 3 or auditd SOCKADDR/CONNECT records) to 127.0.0.1 on each target port. File creation event for /tmp/nmap_vuln_scan.xml (Sysmon Event ID 11).
- Test 2Nikto Web Application Vulnerability Scan
Expected signal: Process creation event for nikto Perl script (via perl interpreter): parent process shell, child perl with nikto script path. Web server access logs (if web server running) showing User-Agent 'Nikto/x.y.z' with sequential GET requests to vulnerability probe paths (/.env, /phpmyadmin, /wp-login.php, /cgi-bin/test-cgi). Network connection events to localhost:80.
- Test 3Masscan High-Speed Port Discovery
Expected signal: Process creation event: Image=/usr/bin/masscan or /usr/local/bin/masscan, CommandLine containing '--rate' and port list. Raw socket network activity (may require auditd socket syscall monitoring). JSON output file creation at /tmp/masscan_results.json. If monitoring is enabled: high-rate SYN packet flood visible in network flow data.
- Test 4Nuclei CVE Template Vulnerability Scan
Expected signal: Process creation: Image=nuclei or /home/user/go/bin/nuclei, CommandLine containing '-t cves' or '-tags cve' and '-severity critical'. HTTP requests to target with nuclei-specific User-Agent (nuclei - open-source project) in web server logs. File creation for /tmp/nuclei_findings.txt. Network connections to localhost:80 with probe paths matching CVE-specific templates (e.g., /.env, /actuator/env for Spring4Shell, JNDI strings for Log4Shell).
References (12)
- https://attack.mitre.org/techniques/T1595/002/
- https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/19/j/pawn-storm-use-of-vulnerability-scans.html
- https://www.crowdstrike.com/blog/aquatic-panda-targets-use-of-log4shell-exploit/
- https://www.sentinelone.com/labs/winter-vivern-all-we-need-is-one-click/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://nmap.org/book/man-version-detection.html
- https://github.com/projectdiscovery/nuclei
- https://github.com/sullo/nikto
- https://github.com/robertdavidgraham/masscan
Unlock Pro Content
Get the full detection package for T1595.002 including response playbook, investigation guide, and atomic red team tests.