T1596.005 CrowdStrike LogScale · LogScale

Detect Scan Databases in CrowdStrike LogScale

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and server banners. Services such as Shodan, Censys, FOFA, ZoomEye, BinaryEdge, and GreyNoise index the public internet and make this data queryable. Adversaries may use these resources to identify exposed services, vulnerable software versions, SSL/TLS certificate metadata, and network topology without ever sending a packet to the victim. APT41 has used the Chinese FOFA service for passive victim reconnaissance, and Volt Typhoon has used FOFA, Shodan, and Censys to identify exposed critical infrastructure. Because this technique occurs entirely outside the victim's network perimeter using third-party infrastructure, it generates no direct telemetry in victim SIEM or EDR systems. Detection must focus on: (1) endpoint detection of scan database CLI tools and Python API libraries executing on monitored hosts, (2) proxy/DNS telemetry showing internal hosts querying scan database APIs, and (3) downstream indicators — sudden scanning or exploitation attempts against assets discoverable in these databases.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1596 Search Open Technical Databases
Sub-technique
T1596.005 Scan Databases
Canonical reference
https://attack.mitre.org/techniques/T1596/005/

LogScale Detection Query

CrowdStrike LogScale query (CQL)

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.005 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.005 - OSINTTool";
    * => TechniqueLabel := "T1596.005 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

Severity: medium. Confidence: medium.

CrowdStrike LogScale (Falcon) CQL detection for Scan Databases (T1596.005). It uses the CrowdStrike #event_simpleName taxonomy with regex-based field filtering and a case statement that assigns a TechniqueLabel per match; the query as shown emits one row per matching ProcessRollup2 event and does not aggregate with groupBy. Note that it keys on generic reconnaissance keywords and firmware/OSINT tool names in the command line rather than on the Shodan/Censys CLIs or scan-database API hostnames described above, so pair it with DNS and proxy telemetry for api.shodan.io, search.censys.io and api.greynoise.io to cover the second detection focus. Designed for the Falcon platform's LogScale query language.

Data Sources

  • CrowdStrike Falcon
  • CrowdStrike LogScale

Required Tables

  • ProcessRollup2

False Positives & Tuning

  • Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
  • Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
  • Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
  • Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Shodan CLI Host Lookup

    Expected signal: Sysmon Event ID 1: Process Create events for 'pip' and 'shodan' with CommandLine showing 'shodan host 8.8.8.8'. Sysmon Event ID 22: DNS query to api.shodan.io from the shodan process. Sysmon Event ID 3: TCP connection to api.shodan.io:443. Shell history entry for the command. Python package installation may generate additional file creation events in site-packages.

  2. Test 2: Censys CLI Search for Organization Certificates

    Expected signal: Sysmon Event ID 1: Process Create for 'censys' binary with CommandLine showing the search query. Sysmon Event ID 22: DNS query to search.censys.io. Sysmon Event ID 3: HTTPS connection to search.censys.io:443. Python site-packages directory modified (file creation events for censys package files). Config file created at ~/.config/censys/censys.cfg.

  3. Test 3: Shodan API Query via Python Script

    Expected signal: Sysmon Event ID 1: Process Create for python3 with multi-line script CommandLine containing 'shodan' and 'api.search'. Sysmon Event ID 22: DNS query to api.shodan.io from python3 process. Sysmon Event ID 3: HTTPS connection from python3 to api.shodan.io:443. Python process parent will typically be bash or the calling shell.

  4. Test 4: GreyNoise Context Lookup via curl

    Expected signal: Sysmon Event ID 1: Process Create for 'curl' with CommandLine containing 'api.greynoise.io'. Sysmon Event ID 22: DNS query to api.greynoise.io. Sysmon Event ID 3: TCP connection to api.greynoise.io:443. Additional process creation for python3 (json.tool). Shell history entry.
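The following is an added example, not part of the original detection package and not CrowdStrike or Atomic Red Team code. It implements, in plain Python, the endpoint-side detection focus described above (scan-database CLI tools and API libraries on monitored hosts, plus DNS and network telemetry to the scan-database APIs) and runs it over a handful of constructed Sysmon-style events shaped like the expected signals of the four tests. The hostnames are the ones named on this page; the event dictionaries, host names, users and the allow-list of hosts authorized to query these services (the tuning cases listed under False Positives) are all constructed assumptions.

```python
import re

# Constructed sample telemetry, simplified Sysmon-style events:
# EventID 1 = Process Create, 22 = DNS query, 3 = Network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "User": "alice", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -m pip install shodan"},
    {"EventID": 1, "Computer": "ws01", "User": "alice", "Image": "/usr/local/bin/shodan",
     "CommandLine": "shodan host 8.8.8.8"},
    {"EventID": 22, "Computer": "ws01", "User": "alice", "Image": "/usr/local/bin/shodan",
     "QueryName": "api.shodan.io"},
    {"EventID": 3, "Computer": "ws01", "User": "alice", "Image": "/usr/local/bin/shodan",
     "DestinationHostname": "api.shodan.io", "DestinationPort": 443},
    {"EventID": 1, "Computer": "ws02", "User": "soar-svc", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s https://api.greynoise.io/v3/community/203.0.113.5"},
    {"EventID": 22, "Computer": "ws03", "User": "carol", "Image": "/usr/bin/python3",
     "QueryName": "search.censys.io"},
    # Benign noise that must not match.
    {"EventID": 1, "Computer": "ws04", "User": "dave", "Image": "/usr/bin/curl",
     "CommandLine": "curl https://example.com/"},
    {"EventID": 22, "Computer": "ws04", "User": "dave", "Image": "/usr/bin/firefox",
     "QueryName": "www.example.com"},
]

# API hostnames of the scan databases named on this page (matched as exact host or subdomain).
SCAN_DB_DOMAINS = re.compile(
    r"(^|\.)(api\.shodan\.io|search\.censys\.io|api\.greynoise\.io)$", re.I)
# Library installs, e.g. "pip install shodan", checked before the CLI pattern so the
# package name in an install command is not mislabelled as CLI execution.
SCAN_DB_PIP = re.compile(r"\bpip3?\s+install\b.*\b(shodan|censys)\b", re.I)
# The shodan / censys CLI binaries, with or without a path or .exe suffix.
SCAN_DB_CLI = re.compile(r"(^|[\\/\s])(shodan|censys)(\.exe)?(\s|$)", re.I)
# Direct API calls from curl/wget style tools.
SCAN_DB_URL = re.compile(r"https?://(api\.shodan\.io|search\.censys\.io|api\.greynoise\.io)", re.I)


def classify(event):
    """Return (TechniqueLabel, evidence) for a matching event, or None."""
    eid = event["EventID"]
    if eid == 1:
        cl = event.get("CommandLine", "")
        if SCAN_DB_PIP.search(cl):
            return ("T1596.005 - ScanDBLibraryInstall", cl)
        if SCAN_DB_CLI.search(cl):
            return ("T1596.005 - ScanDBCLI", cl)
        if SCAN_DB_URL.search(cl):
            return ("T1596.005 - ScanDBAPIRequest", cl)
    elif eid == 22:
        name = event.get("QueryName", "")
        if SCAN_DB_DOMAINS.search(name):
            return ("T1596.005 - ScanDBDNSQuery", name)
    elif eid == 3:
        host = event.get("DestinationHostname", "")
        if SCAN_DB_DOMAINS.search(host):
            return ("T1596.005 - ScanDBConnection", host)
    return None


def detect(events, allowed_hosts=frozenset()):
    """Run classify() over events, dropping hosts authorized to use scan databases
    (security team, CTI analysts, SOAR enrichment) as in the False Positives list."""
    hits = []
    for ev in events:
        if ev["Computer"] in allowed_hosts:
            continue
        result = classify(ev)
        if result is not None:
            hits.append({"Computer": ev["Computer"], "User": ev["User"],
                         "Label": result[0], "Evidence": result[1]})
    return hits


def summarize(hits):
    """Group hits by (Computer, User), the way a LogScale groupBy([ComputerName, UserName])
    would, so one host that shows install + CLI + DNS + connection stands out."""
    per_host = {}
    for h in hits:
        per_host.setdefault((h["Computer"], h["User"]), set()).add(h["Label"])
    return per_host


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["Computer"], h["User"], h["Label"], h["Evidence"])
    for key, labels in summarize(detect(SAMPLE_EVENTS)).items():
        print(key, sorted(labels))
```

Feeding the constructed events through `detect` yields six hits, four of them on ws01 where the install, CLI execution, DNS query and HTTPS connection chain together; passing `allowed_hosts={"ws02"}` suppresses the SOAR host's GreyNoise lookup, which is the kind of tuning the False Positives section calls for.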
