T1595.002 Splunk · SPL

Detect Vulnerability Scanning in Splunk

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans check if target host and application configurations align with specific exploits the adversary seeks to use. These scans harvest running software and version numbers via server banners, listening ports, or other network artifacts. Threat groups including Sandworm Team, APT28, APT29, Magic Hound, Ember Bear, and APT41 have conducted large-scale vulnerability scanning operations against public-facing infrastructure, targeting specific CVEs such as Log4Shell, ProxyShell, and Citrix vulnerabilities. Information from these scans informs follow-on exploitation (T1190), capability development (T1587, T1588), and further reconnaissance operations.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1595 Active Scanning
Sub-technique
T1595.002 Vulnerability Scanning
Canonical reference
https://attack.mitre.org/techniques/T1595/002/

SPL Detection Query

Splunk (SPL)
| union
    [ search index=ids sourcetype IN ("suricata", "snort", "bro:notice", "zeek:notice")
          ("SCAN" OR "PROBE" OR "Nessus" OR "Qualys" OR "OpenVAS" OR "Nikto"
           OR "Acunetix" OR "sqlmap" OR "Masscan" OR "Nuclei" OR "gobuster"
           OR "WPScan" OR "dirb" OR "wfuzz" OR "nmap" OR "rustscan" OR "zgrab")
      ```Branch 1: IDS/IPS alerts, normalised across Suricata/Snort/Zeek field names```
      | eval detection_branch="IDS_Alert"
      | eval src_display=coalesce(src_ip, src)
      | eval sig_display=coalesce(signature, 'alert.signature', rule_name, category, "-")
      | eval dest_display=coalesce(dest_ip, dest)
      | eval port_display=coalesce(dest_port, 0)
      | stats
          count as alert_count,
          dc(dest_display) as unique_targets,
          dc(sig_display) as unique_signatures,
          values(sig_display) as signatures,
          values(port_display) as dest_ports,
          min(_time) as first_seen,
          max(_time) as last_seen
          by src_display, detection_branch
      | where alert_count >= 3 ]
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
          (Image="*\\nmap.exe" OR Image="*\\masscan.exe" OR Image="*\\nikto*"
           OR Image="*\\nuclei.exe" OR Image="*\\sqlmap*" OR Image="*\\gobuster.exe"
           OR Image="*\\wpscan*" OR Image="*\\ffuf.exe" OR Image="*\\feroxbuster.exe"
           OR Image="*\\rustscan.exe" OR Image="*\\dirb*" OR Image="*\\wfuzz*"
           OR CommandLine="*--script vuln*" OR CommandLine="*-p 1-65535*"
           OR CommandLine="*masscan --rate*" OR CommandLine="*nuclei -t cves*"
           OR CommandLine="*nikto -h*" OR CommandLine="*gobuster dir*"
           OR CommandLine="*ffuf -w*" OR CommandLine="*--top-ports*")
      ```Branch 2: scanner binaries and command lines on Windows endpoints (Sysmon Event ID 1)```
      | eval detection_branch="InternalScanner"
      | eval src_display=host
      | eval sig_display=Image
      ```The endpoint is its own "target", so unique_targets is always 1 here; command lines reuse the dest_ports column so both branches share one schema```
      | stats
          count as alert_count,
          dc(host) as unique_targets,
          dc(sig_display) as unique_signatures,
          values(sig_display) as signatures,
          values(CommandLine) as dest_ports,
          min(_time) as first_seen,
          max(_time) as last_seen
          by src_display, detection_branch, User ]
```Computed after the union: fields set by eval before stats do not survive stats, so the tiering must happen here. Endpoint hits are fixed at Medium; IDS sources are tiered by alert volume```
| eval scan_intensity=case(
    detection_branch="InternalScanner", "Medium",
    alert_count >= 200, "Critical",
    alert_count >= 50, "High",
    alert_count >= 10, "Medium",
    true(), "Low")
| eval duration_minutes=round((last_seen - first_seen) / 60, 1)
| table first_seen, last_seen, duration_minutes, src_display, scan_intensity,
         alert_count, unique_targets, unique_signatures, signatures,
         dest_ports, detection_branch
| sort - alert_count
Severity: Medium · Confidence: Medium

Detects vulnerability scanning activity through two branches unioned into a single result set. Branch 1 searches IDS/IPS sourcetypes (Suricata, Snort, Zeek/Bro notices) for known scanner tool names and scan/probe category events, aggregates alerts by source IP, keeps sources with at least 3 alerts, and assigns a scan_intensity tier from the alert volume. Branch 2 searches Sysmon Event ID 1 (Process Creation) on Windows endpoints for known vulnerability scanning executable names and command-line patterns, covering nmap, masscan, nikto, nuclei, sqlmap, gobuster, ffuf, and feroxbuster among others. Both branches report the same fields for analyst triage: first/last seen, duration, source, alert count, unique target count, detected signatures, and computed scan intensity.
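To check the IDS-branch logic (scanner term match, the 3-alert floor, the intensity tiers and the duration calculation) outside Splunk, here is an added Python example that is not part of the original page or of any vendor product: it aggregates constructed Suricata eve.json alert lines the way the SPL stats clause does. The signature strings, IPs and function names are this script's own assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Scanner terms from the IDS branch of the SPL query, matched case-insensitively against the
# Suricata signature (falling back to category when no signature is present, as coalesce() does).
SCANNER_TERMS = ("scan", "probe", "nessus", "qualys", "openvas", "nikto", "acunetix", "sqlmap",
                 "masscan", "nuclei", "gobuster", "wpscan", "dirb", "wfuzz", "nmap", "rustscan", "zgrab")

def scan_intensity(alert_count):
    """Same tiers as the case() statement in the SPL query."""
    tiers = ((200, "Critical"), (50, "High"), (10, "Medium"))
    return next((label for floor, label in tiers if alert_count >= floor), "Low")

def aggregate_ids_alerts(eve_lines, min_alerts=3):
    """Group Suricata eve.json alert lines by src_ip and keep sources with >= min_alerts scanner hits."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "sigs": set(), "ports": set(), "times": []})
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        sig = ev["alert"].get("signature") or ev["alert"].get("category") or "-"
        if not any(term in sig.lower() for term in SCANNER_TERMS):
            continue
        g = groups[ev["src_ip"]]
        g["count"] += 1
        g["targets"].add(ev["dest_ip"])
        g["sigs"].add(sig)
        g["ports"].add(ev.get("dest_port", 0))
        g["times"].append(datetime.fromisoformat(ev["timestamp"]).timestamp())
    rows = [{"src": src, "alert_count": g["count"], "unique_targets": len(g["targets"]),
             "unique_signatures": len(g["sigs"]), "dest_ports": sorted(g["ports"]),
             "scan_intensity": scan_intensity(g["count"]),
             "duration_minutes": round((max(g["times"]) - min(g["times"])) / 60, 1)}
            for src, g in groups.items() if g["count"] >= min_alerts]
    return sorted(rows, key=lambda r: -r["alert_count"])  # mirrors "| sort - alert_count"

def sample_eve_lines():
    """Constructed eve.json alerts: 12 scan hits from 10.0.0.5 over 11 minutes, 2 from 10.0.0.9
    (below the floor), and one non-scanner alert. Timestamps use +00:00 so fromisoformat parses them."""
    def alert(ts, src, dst, port, sig):
        return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
                           "dest_port": port, "alert": {"signature": sig}})
    lines = [alert(f"2024-05-01T10:{i:02d}:00+00:00", "10.0.0.5", f"10.0.1.{i % 4}", (80, 443, 8080)[i % 3],
                   "ET SCAN Nmap Scripting Engine User-Agent Detected") for i in range(12)]
    lines += [alert(f"2024-05-01T11:{i:02d}:00+00:00", "10.0.0.9", "10.0.1.1", 80,
                    "ET SCAN Nikto Web App Scan in Progress") for i in range(2)]
    lines.append(alert("2024-05-01T11:05:00+00:00", "10.0.0.7", "10.0.1.1", 22, "ET POLICY SSH Session Established"))
    return lines
```

Running `aggregate_ids_alerts(sample_eve_lines())` returns a single row for 10.0.0.5 at Medium intensity; the 2-alert source is dropped by the floor, which is the tuning knob to raise if authorized scanners are noisy.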

Data Sources

  • Network Traffic: Network Traffic Content (IDS/IPS Alert Logs: Suricata, Snort, Zeek)
  • Process: Process Creation (Sysmon Event ID 1)

Required Sourcetypes

  • suricata
  • snort
  • bro:notice
  • zeek:notice
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized vulnerability management scanners (Nessus, Qualys, InsightVM) running from documented internal IP ranges will generate high-volume IDS alerts matching scanner signatures
  • Penetration testing tool execution on endpoints during approved engagements will fire on the Sysmon branch — correlate with change management windows
  • Security engineering or DevSecOps teams running DAST tooling (OWASP ZAP, Burp Suite, nuclei) against pre-production application environments
  • Cloud workload security agents or posture management platforms scanning internal assets will appear as authorized inbound scans from cloud provider CIDRs
  • Network monitoring systems using active probing (SolarWinds, PRTG, Nagios with NRPE plugins) may generate port-probe patterns resembling scan activity
Testing Methodology

Validate this detection against 4 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Service and Version Detection Scan

    Expected signal: Linux auditd EXECVE record for the nmap binary with the full argument list. Sysmon for Linux Event ID 1 (Process Create) if deployed: Image=/usr/bin/nmap, CommandLine containing '-sV --script vuln'. Network connections (Sysmon Event ID 3 or auditd SOCKADDR/CONNECT records) to 127.0.0.1 on each target port. File creation event for /tmp/nmap_vuln_scan.xml (Sysmon Event ID 11).

  2. Test 2: Nikto Web Application Vulnerability Scan

    Expected signal: Process creation event for the nikto Perl script (via the perl interpreter): parent process shell, child perl with the nikto script path. Web server access logs (if a web server is running) showing User-Agent 'Nikto/x.y.z' with sequential GET requests to vulnerability probe paths (/.env, /phpmyadmin, /wp-login.php, /cgi-bin/test-cgi). Network connection events to localhost:80.

  3. Test 3: Masscan High-Speed Port Discovery

    Expected signal: Process creation event: Image=/usr/bin/masscan or /usr/local/bin/masscan, CommandLine containing '--rate' and a port list. Raw socket network activity (may require auditd socket syscall monitoring). JSON output file creation at /tmp/masscan_results.json. If monitoring is enabled: high-rate SYN packet flood visible in network flow data.

  4. Test 4: Nuclei CVE Template Vulnerability Scan

    Expected signal: Process creation: Image=nuclei or /home/user/go/bin/nuclei, CommandLine containing '-t cves' or '-tags cve' and '-severity critical'. HTTP requests to the target with the nuclei-specific User-Agent (nuclei - open-source project) in web server logs. File creation for /tmp/nuclei_findings.txt. Network connections to localhost:80 with probe paths matching CVE-specific templates (e.g., /.env, /actuator/env for Spring4Shell, JNDI strings for Log4Shell).
