Detect Vulnerability Scanning in Microsoft Sentinel
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans check if target host and application configurations align with specific exploits the adversary seeks to use. These scans harvest running software and version numbers via server banners, listening ports, or other network artifacts. Threat groups including Sandworm Team, APT28, APT29, Magic Hound, Ember Bear, and APT41 have conducted large-scale vulnerability scanning operations against public-facing infrastructure, targeting specific CVEs such as Log4Shell, ProxyShell, and Citrix vulnerabilities. Information from these scans informs follow-on exploitation (T1190), capability development (T1587, T1588), and further reconnaissance operations.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1595 Active Scanning
- Sub-technique: T1595.002 Vulnerability Scanning
- Canonical reference: https://attack.mitre.org/techniques/T1595/002/
KQL Detection Query
// T1595.002 — Vulnerability Scanning
// Branch 1: IDS/IPS/WAF/Firewall detection of inbound vulnerability scanning
let ScanToolSignatures = dynamic([
"Nessus", "Qualys", "OpenVAS", "Acunetix", "Nikto", "Masscan", "Nuclei",
"sqlmap", "dirb", "gobuster", "WPScan", "w3af", "skipfish", "wfuzz",
"Burp", "OWASP ZAP", "Metasploit", "Shodan", "Censys", "zgrab",
"nmap", "rustscan", "feroxbuster", "dirbuster"
]);
let ScanEventCategories = dynamic([
"scan", "probe", "reconnaissance", "vuln-scan", "port-scan",
"web-scan", "vulnerability", "exploit-attempt", "policy-violation"
]);
let IDSScanAlerts =
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where Message has_any (ScanToolSignatures)
or Activity has_any (ScanEventCategories)
or DeviceEventCategory has_any (ScanEventCategories)
or AdditionalExtensions has_any (ScanToolSignatures)
// has_any needs a dynamic array (or a literal list), not a bare [...] literal
or RequestURL has_any (dynamic([
"/.env", "/.git/HEAD", "/wp-login.php", "/phpmyadmin",
"/manager/html", "/actuator/env", "/actuator/health",
"/cgi-bin/test-cgi", "/xmlrpc.php", "/server-status",
"/../../../etc/passwd", "/api/swagger-ui.html"
]))
| summarize
AlertCount = count(),
UniqueTargets = dcount(DestinationIP),
UniqueSignatures = dcount(Activity),
Signatures = make_set(Activity, 15),
TargetPorts = make_set(DestinationPort, 25),
ProbeURLs = make_set(RequestURL, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SourceIP, DeviceVendor, DeviceProduct
| where AlertCount >= 3
| extend
DetectionBranch = "IDS-WAF-Firewall",
ScanIntensity = case(
AlertCount >= 200, "Critical",
AlertCount >= 50, "High",
AlertCount >= 10, "Medium",
"Low"),
DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| project
FirstSeen, LastSeen, DurationMinutes, SourceIP, ScanIntensity,
AlertCount, UniqueTargets, UniqueSignatures, Signatures,
TargetPorts, ProbeURLs, DeviceVendor, DeviceProduct, DetectionBranch;
// Branch 2: Internal endpoint executing known vulnerability scanning tools
// Detects pivot scanning, authorized scanner misuse, or compromised host scanning
let InternalScanExecution =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (
"nmap", "masscan", "nikto", "nuclei", "openvas", "nessus",
"acunetix", "sqlmap", "gobuster", "dirb", "wpscan", "wfuzz",
"ffuf", "feroxbuster", "skipfish", "rustscan", "zgrab")
or ProcessCommandLine has_any (
"--script vuln", "-sV --script", "--top-ports",
"-p 1-65535", "masscan --rate", "nuclei -t cves",
"nikto -h", "sqlmap -u", "gobuster dir -u",
"ffuf -w", "wfuzz -c", "-A --open")
| summarize
AlertCount = count(),
Commands = make_set(ProcessCommandLine, 5),
Signatures = make_set(FileName, 10),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp),
UniqueTargets = dcount(DeviceName)
by AccountName, DeviceName, FileName
| extend
DetectionBranch = "InternalScannerExecution",
ScanIntensity = "Medium",
SourceIP = DeviceName,
UniqueSignatures = array_length(Signatures),
TargetPorts = dynamic([]),
ProbeURLs = dynamic([]),
DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen),
DeviceVendor = "MicrosoftDefenderEndpoint",
DeviceProduct = FileName
| project
FirstSeen, LastSeen, DurationMinutes, SourceIP, ScanIntensity,
AlertCount, UniqueTargets, UniqueSignatures, Signatures,
TargetPorts, ProbeURLs, DeviceVendor, DeviceProduct, DetectionBranch;
IDSScanAlerts
| union InternalScanExecution
| sort by AlertCount desc

Detects vulnerability scanning activity through two complementary branches. Branch 1 queries CommonSecurityLog (CEF-format events from IDS, IPS, WAF, and next-gen firewalls) for scanner tool name signatures, scan-category event classifications, and probes against well-known vulnerability paths such as /.env, /actuator/env, and /phpmyadmin. Alerts are aggregated by source IP with a computed ScanIntensity tier. Branch 2 queries DeviceProcessEvents to detect known vulnerability scanning tool executables (nmap, masscan, nikto, nuclei, sqlmap, gobuster, ffuf) launched on monitored endpoints — covering authorized scanner misuse, adversary pivot scanning from a compromised internal host, or red team activity. Results are unioned for a unified view across both detection surfaces.
Data Sources
Required Tables
- CommonSecurityLog (CEF events from IDS, IPS, WAF and firewall appliances; used by Branch 1)
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry; used by Branch 2)
False Positives & Tuning
- Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP
- Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
- Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management
- Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges
- Bug bounty platform scanners or contracted external assessments arriving from third-party IP ranges with change management approval documentation
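The first bullet above asks for an allowlist of authorized scanner IPs matched against SourceIP. The query below is an added example, not part of the detection package on this page, showing one way to do that in Sentinel. It assumes a watchlist named AuthorizedScanners (a placeholder name) with string columns ScannerCIDR, Owner, ValidFrom and ValidUntil, maintained through change management for vulnerability management engines, pentest engagement ranges and cloud assessment egress ranges; _GetWatchlist and ipv4_is_in_any_range are built-in Sentinel/KQL functions.

```kql
// Added tuning example (not part of the original detection query).
// Assumes a Sentinel watchlist "AuthorizedScanners" (placeholder name) with string
// columns ScannerCIDR (IPv4 CIDR), Owner, ValidFrom and ValidUntil. Only entries
// whose validity window covers "now" suppress alerts, so an expired pentest range
// or a decommissioned scan engine stops being trusted automatically.
let AuthorizedRanges = toscalar(
    _GetWatchlist('AuthorizedScanners')
    | where now() between (todatetime(ValidFrom) .. todatetime(ValidUntil))
    | summarize make_list(ScannerCIDR));
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where Activity has_any ("scan", "probe", "vulnerability")
    or Message has_any ("Nessus", "Qualys", "OpenVAS", "nmap")
// ipv4_is_in_any_range() returns null when SourceIP is empty or not an IPv4 address,
// and "where not(null)" would silently drop that row; coalesce() pins it to false
// so an unparseable source is still reported rather than lost.
| extend IsAuthorizedScanner = coalesce(ipv4_is_in_any_range(SourceIP, AuthorizedRanges), false)
| summarize
    AlertCount = count(),
    UniqueTargets = dcount(DestinationIP),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIP, IsAuthorizedScanner, DeviceVendor, DeviceProduct
// Authorized scanners are tiered as Informational instead of being filtered out,
// which keeps a scheduled scan that suddenly arrives from an unexpected range visible
// and lets the analyst see how much volume the allowlist is absorbing.
| extend ScanIntensity = case(
    IsAuthorizedScanner, "Informational",
    AlertCount >= 200, "Critical",
    AlertCount >= 50, "High",
    AlertCount >= 10, "Medium",
    "Low")
| project FirstSeen, LastSeen, SourceIP, IsAuthorizedScanner, ScanIntensity,
    AlertCount, UniqueTargets, DeviceVendor, DeviceProduct
| sort by IsAuthorizedScanner asc, AlertCount desc
```

To fold this into the page's query, apply the IsAuthorizedScanner extend before the Branch 1 summarize and add IsAuthorizedScanner to its grouping keys; Branch 2 rows carry a DeviceName in SourceIP, so the coalesce() above is what keeps them from being dropped by the null result.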
Testing Methodology
Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Nmap Service and Version Detection Scan
Expected signal: Linux auditd EXECVE record for nmap binary with full argument list. Sysmon for Linux Event ID 1 (Process Create) if deployed: Image=/usr/bin/nmap, CommandLine containing '-sV --script vuln'. Network connections (Sysmon Event ID 3 or auditd SOCKADDR/CONNECT records) to 127.0.0.1 on each target port. File creation event for /tmp/nmap_vuln_scan.xml (Sysmon Event ID 11).
- Test 2: Nikto Web Application Vulnerability Scan
Expected signal: Process creation event for nikto Perl script (via perl interpreter): parent process shell, child perl with nikto script path. Web server access logs (if web server running) showing User-Agent 'Nikto/x.y.z' with sequential GET requests to vulnerability probe paths (/.env, /phpmyadmin, /wp-login.php, /cgi-bin/test-cgi). Network connection events to localhost:80.
- Test 3: Masscan High-Speed Port Discovery
Expected signal: Process creation event: Image=/usr/bin/masscan or /usr/local/bin/masscan, CommandLine containing '--rate' and port list. Raw socket network activity (may require auditd socket syscall monitoring). JSON output file creation at /tmp/masscan_results.json. If monitoring is enabled: high-rate SYN packet flood visible in network flow data.
- Test 4: Nuclei CVE Template Vulnerability Scan
Expected signal: Process creation: Image=nuclei or /home/user/go/bin/nuclei, CommandLine containing '-t cves' or '-tags cve' and '-severity critical'. HTTP requests to target with nuclei-specific User-Agent (nuclei - open-source project) in web server logs. File creation for /tmp/nuclei_findings.txt. Network connections to localhost:80 with probe paths matching CVE-specific templates (e.g., /.env, /actuator/env for Spring4Shell, JNDI strings for Log4Shell).
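After running the four tests, a tester still has to confirm that the process telemetry Branch 2 keys on actually reached the workspace. The query below is an added validation example, not part of the page's detection package: it cross-joins a small test matrix (constructed from the binaries and command-line markers the four tests list above) against DeviceProcessEvents and reports, per test, whether a matching process creation event was observed. The hostname atomic-test-host is a placeholder for the endpoint the tests ran on.

```kql
// Added validation query, not part of the original detection.
// Assumes the Atomic tests ran on the endpoint named in TestHost (placeholder).
let TestHost = "atomic-test-host";
// Constructed test matrix: one row per Atomic test with the binary and the
// command-line fragment that Branch 2 of the detection looks for.
let AtomicTests = datatable(TestId:int, TestName:string, ExpectedBinary:string, ExpectedArgs:string) [
    1, "Nmap Service and Version Detection Scan",  "nmap",    "--script vuln",
    2, "Nikto Web Application Vulnerability Scan", "nikto",   "nikto -h",
    3, "Masscan High-Speed Port Discovery",        "masscan", "--rate",
    4, "Nuclei CVE Template Vulnerability Scan",   "nuclei",  "-t cves"
];
let Observed = DeviceProcessEvents
    | where Timestamp > ago(24h) and DeviceName == TestHost
    | project Timestamp, FileName, ProcessCommandLine, AccountName, Key = 1;
AtomicTests
| extend Key = 1
// Cross-join via a constant key so every test row is compared with every event;
// leftouter keeps tests that produced no telemetry at all, which is the point.
| join kind=leftouter Observed on Key
// A match needs both the binary and the argument fragment. Nikto runs under the
// perl interpreter, so the binary check also looks at the command line.
| extend Matched = isnotempty(ProcessCommandLine)
    and (FileName has ExpectedBinary or ProcessCommandLine has ExpectedBinary)
    and ProcessCommandLine has ExpectedArgs
| summarize
    Fired = countif(Matched),
    FirstSeen = minif(Timestamp, Matched),
    Example = take_anyif(ProcessCommandLine, Matched)
    by TestId, TestName, ExpectedBinary, ExpectedArgs
| extend Result = iff(Fired > 0, "PASS: process telemetry observed", "FAIL: no matching process event")
| project TestId, TestName, Result, Fired, FirstSeen, Example
| sort by TestId asc
```

A FAIL row with the test confirmed to have executed points at a telemetry gap (sensor not onboarded, command line truncated, or the tool installed under a name the detection's FileName list does not cover) rather than at the detection logic itself, which is the distinction this check is meant to surface before the full query is trusted.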
References
- https://attack.mitre.org/techniques/T1595/002/
- https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.trendmicro.com/en_us/research/19/j/pawn-storm-use-of-vulnerability-scans.html
- https://www.crowdstrike.com/blog/aquatic-panda-targets-use-of-log4shell-exploit/
- https://www.sentinelone.com/labs/winter-vivern-all-we-need-is-one-click/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-common-event-format
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://nmap.org/book/man-version-detection.html
- https://github.com/projectdiscovery/nuclei
- https://github.com/sullo/nikto
- https://github.com/robertdavidgraham/masscan