T1596.005 Scan Databases Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ScanDatabaseDomains = dynamic([
    "api.shodan.io", "www.shodan.io", "shodan.io",
    "search.censys.io", "censys.io",
    "fofa.info", "en.fofa.info", "fofa.su",
    "api.zoomeye.org", "zoomeye.org",
    "app.binaryedge.io", "api.binaryedge.io", "binaryedge.io",
    "api.greynoise.io", "viz.greynoise.io", "greynoise.io",
    "api.onyphe.io", "onyphe.io",
    "leakix.net", "fullhunt.io", "netlas.io"
]);
let ScanDBToolKeywords = dynamic([
    "shodan", "censys", "fofa", "zoomeye",
    "binaryedge", "greynoise", "onyphe", "netlas"
]);
// Branch 1: CLI tool or Python library execution on managed endpoints
let CLIToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanDBToolKeywords)
    or ProcessCommandLine has_any (ScanDBToolKeywords)
| extend DetectionBranch = "ScanDB_CLI_Or_API_Execution"
| extend RiskIndicator = case(
    ProcessCommandLine has "shodan", "Shodan CLI/API",
    ProcessCommandLine has "censys", "Censys CLI/API",
    ProcessCommandLine has "fofa", "FOFA API",
    ProcessCommandLine has "zoomeye", "ZoomEye API",
    ProcessCommandLine has "binaryedge", "BinaryEdge API",
    ProcessCommandLine has "greynoise", "GreyNoise API",
    FileName has_any (ScanDBToolKeywords), "ScanDB binary execution",
    "Unknown scan database tool")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
// Branch 2: Network connections from managed endpoints to scan database API endpoints
let NetworkAPIAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ScanDatabaseDomains)
| extend DetectionBranch = "ScanDB_API_Network_Access"
| extend RiskIndicator = case(
    RemoteUrl has "shodan", "Shodan API HTTP call",
    RemoteUrl has "censys", "Censys API HTTP call",
    RemoteUrl has "fofa", "FOFA API HTTP call",
    RemoteUrl has "zoomeye", "ZoomEye API HTTP call",
    RemoteUrl has "binaryedge", "BinaryEdge API HTTP call",
    RemoteUrl has "greynoise", "GreyNoise API HTTP call",
    "Scan database domain access")
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
// Branch 3: DNS resolution of scan database domains (infrastructure-level DNS logging)
let DNSResolution = DnsEvents
| where TimeGenerated > ago(24h)
| where Name has_any (ScanDatabaseDomains)
| extend DetectionBranch = "ScanDB_DNS_Resolution"
| extend RiskIndicator = strcat("DNS query to ", Name)
| project Timestamp = TimeGenerated, DeviceName = Computer,
          AccountName = "", FileName = "", ProcessCommandLine = "",
          InitiatingProcessFileName = "", InitiatingProcessCommandLine = "",
          DetectionBranch, RiskIndicator;
// Combine all branches
union CLIToolExecution, NetworkAPIAccess, DNSResolution
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow DNS: DNS Query Resolution Microsoft Defender for Endpoint Azure DNS Analytics

Required Tables

DeviceProcessEvents DeviceNetworkEvents DnsEvents

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization
Bug bounty hunters or security researchers operating from organization-issued devices with permission to perform reconnaissance

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval _branch="unknown"
| eval _tool="unknown"
(
  EventCode=1
  (
    (Image="*\\shodan*" OR CommandLine="*shodan*")
    OR (Image="*\\censys*" OR CommandLine="*censys*")
    OR (CommandLine="*fofa*" OR CommandLine="*zoomeye*")
    OR (CommandLine="*binaryedge*" OR CommandLine="*greynoise*")
    OR (CommandLine="*onyphe*" OR CommandLine="*netlas*")
  )
  | eval _branch="ScanDB_CLI_Execution"
  | eval _tool=case(
      match(CommandLine, "shodan"), "Shodan",
      match(CommandLine, "censys"), "Censys",
      match(CommandLine, "fofa"), "FOFA",
      match(CommandLine, "zoomeye"), "ZoomEye",
      match(CommandLine, "binaryedge"), "BinaryEdge",
      match(CommandLine, "greynoise"), "GreyNoise",
      1=1, "Unknown ScanDB Tool")
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, _branch, _tool
)
OR
(
  EventCode=22
  (
    QueryName="*shodan.io*" OR QueryName="*censys.io*"
    OR QueryName="*fofa.info*" OR QueryName="*fofa.su*"
    OR QueryName="*zoomeye.org*" OR QueryName="*binaryedge.io*"
    OR QueryName="*greynoise.io*" OR QueryName="*onyphe.io*"
    OR QueryName="*leakix.net*" OR QueryName="*fullhunt.io*"
    OR QueryName="*netlas.io*"
  )
  | eval _branch="ScanDB_DNS_Query"
  | eval _tool=case(
      match(QueryName, "shodan"), "Shodan",
      match(QueryName, "censys"), "Censys",
      match(QueryName, "fofa"), "FOFA",
      match(QueryName, "zoomeye"), "ZoomEye",
      match(QueryName, "binaryedge"), "BinaryEdge",
      match(QueryName, "greynoise"), "GreyNoise",
      1=1, "Unknown ScanDB Service")
  | table _time, host, User, Image, QueryName, QueryResults, _branch, _tool
)
| eval SuspicionScore=case(
    _branch="ScanDB_CLI_Execution", 3,
    _branch="ScanDB_DNS_Query", 2,
    1=1, 1)
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: DNS Query Sysmon Event ID 1 Sysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows during alert investigations
SOAR platforms or Sentinel playbooks with Shodan/Censys integrations performing automated enrichment — these will appear as service account process events
Developers browsing Shodan or Censys via a web browser (EventCode=22 DNS queries from browser processes such as chrome.exe, msedge.exe are lower fidelity)
Security researchers and bug bounty participants operating from organization-managed endpoints with documented authorization

Elastic Security (EQL)

eql

// T1596.005 — Scan Databases
process where process.name : ("curl", "curl.exe", "python3", "python.exe", "wget")
  and process.command_line : (
    "*api.shodan.io*", "*search.censys.io*", "*fofa.info*",
    "*api.binaryedge.io*", "*leakix.net*", "*onyphe.io*"
  )

medium severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("destinationhostname") ILIKE '%api.shodan.io%' OR LOWER("destinationhostname") ILIKE '%search.censys.io%' OR LOWER("destinationhostname") ILIKE '%fofa.info%' OR LOWER("destinationhostname") ILIKE '%leakix.net%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("destinationhostname") ILIKE '%api.shodan.io%' OR LOWER("destinationhostname") ILIKE '%search.censys.io%' OR LOWER("destinationhostname") ILIKE '%fofa.info%' OR LOWER("destinationhostname") ILIKE '%leakix.net%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

Google Chronicle / SecOps

yaral

rule t1596_005_scan_databases {
  meta:
    author = "df00tech"
    description = "Detects Scan Databases (T1596.005)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596.005"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.005 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.005 - OSINTTool";
    * => TechniqueLabel := "T1596.005 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

Scan Databases

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections