T1596.005 Microsoft Sentinel · KQL

Detect Scan Databases in Microsoft Sentinel

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and server banners. Services such as Shodan, Censys, FOFA, ZoomEye, BinaryEdge, and GreyNoise index the public internet and make this data queryable. Adversaries may use these resources to identify exposed services, vulnerable software versions, SSL/TLS certificate metadata, and network topology without ever sending a packet to the victim. APT41 has used the Chinese FOFA service for passive victim reconnaissance, and Volt Typhoon has used FOFA, Shodan, and Censys to identify exposed critical infrastructure. Because this technique occurs entirely outside the victim's network perimeter using third-party infrastructure, it generates no direct telemetry in victim SIEM or EDR systems. Detection must focus on: (1) endpoint detection of scan database CLI tools and Python API libraries executing on monitored hosts, (2) proxy/DNS telemetry showing internal hosts querying scan database APIs, and (3) downstream indicators — sudden scanning or exploitation attempts against assets discoverable in these databases.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1596 Search Open Technical Databases
Sub-technique
T1596.005 Scan Databases
Canonical reference
https://attack.mitre.org/techniques/T1596/005/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let ScanDatabaseDomains = dynamic([
    "api.shodan.io", "www.shodan.io", "shodan.io",
    "search.censys.io", "censys.io",
    "fofa.info", "en.fofa.info", "fofa.su",
    "api.zoomeye.org", "zoomeye.org",
    "app.binaryedge.io", "api.binaryedge.io", "binaryedge.io",
    "api.greynoise.io", "viz.greynoise.io", "greynoise.io",
    "api.onyphe.io", "onyphe.io",
    "leakix.net", "fullhunt.io", "netlas.io"
]);
let ScanDBToolKeywords = dynamic([
    "shodan", "censys", "fofa", "zoomeye",
    "binaryedge", "greynoise", "onyphe", "netlas"
]);
// Branch 1: CLI tool or Python library execution on managed endpoints.
// `has`/`has_any` match whole terms, so "shodan" hits shodan.exe, shodan.py and
// a URL containing api.shodan.io, but not an unrelated name such as shodanfan.exe.
let CLIToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ScanDBToolKeywords)
    or ProcessCommandLine has_any (ScanDBToolKeywords)
| extend DetectionBranch = "ScanDB_CLI_Or_API_Execution"
| extend RiskIndicator = case(
    ProcessCommandLine has "shodan", "Shodan CLI/API",
    ProcessCommandLine has "censys", "Censys CLI/API",
    ProcessCommandLine has "fofa", "FOFA API",
    ProcessCommandLine has "zoomeye", "ZoomEye API",
    ProcessCommandLine has "binaryedge", "BinaryEdge API",
    ProcessCommandLine has "greynoise", "GreyNoise API",
    FileName has_any (ScanDBToolKeywords), "ScanDB binary execution",
    "Unknown scan database tool")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
// Branch 2: Network connections from managed endpoints to scan database API endpoints.
// RemoteUrl is populated only when the sensor observed a hostname (DNS, TLS SNI or
// HTTP Host); a connection logged with just RemoteIP will not match this branch.
let NetworkAPIAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ScanDatabaseDomains)
| extend DetectionBranch = "ScanDB_API_Network_Access"
| extend RiskIndicator = case(
    RemoteUrl has "shodan", "Shodan API HTTP call",
    RemoteUrl has "censys", "Censys API HTTP call",
    RemoteUrl has "fofa", "FOFA API HTTP call",
    RemoteUrl has "zoomeye", "ZoomEye API HTTP call",
    RemoteUrl has "binaryedge", "BinaryEdge API HTTP call",
    RemoteUrl has "greynoise", "GreyNoise API HTTP call",
    "Scan database domain access")
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          DetectionBranch, RiskIndicator;
// Branch 3: DNS resolution of scan database domains (infrastructure-level DNS logging).
// This table carries no process or account context; the empty columns below keep
// the schema aligned for the union, and attribution has to pivot on the querying host.
let DNSResolution = DnsEvents
| where TimeGenerated > ago(24h)
| where Name has_any (ScanDatabaseDomains)
| extend DetectionBranch = "ScanDB_DNS_Resolution"
| extend RiskIndicator = strcat("DNS query to ", Name)
| project Timestamp = TimeGenerated, DeviceName = Computer,
          AccountName = "", FileName = "", ProcessCommandLine = "",
          InitiatingProcessFileName = "", InitiatingProcessCommandLine = "",
          DetectionBranch, RiskIndicator;
// Combine all branches
union CLIToolExecution, NetworkAPIAccess, DNSResolution
| sort by Timestamp desc
```

Severity: medium · Confidence: medium

Detects use of public scan database tools and services (Shodan, Censys, FOFA, ZoomEye, BinaryEdge, GreyNoise) across three detection branches: (1) process execution of CLI tools or Python API libraries on managed endpoints, using term matching (`has_any`) on the FileName and ProcessCommandLine columns of DeviceProcessEvents; (2) outbound HTTP/HTTPS connections to scan database API endpoints, matched on the RemoteUrl column of DeviceNetworkEvents; and (3) DNS resolution of scan database domains in the infrastructure-level DnsEvents table. Branches 1 and 2 are the most reliable for internal red team activity, insider reconnaissance, or attacker tooling on a compromised host, because each hit carries the responsible process and account. Two caveats apply. RemoteUrl is only populated when the sensor observed a hostname, so a connection logged with just RemoteIP never matches Branch 2 (Branch 1 or Branch 3 may still see the activity). Branch 3 carries no process or user context, so a DNS hit must be pivoted on the querying host (the Computer and ClientIP columns) before it can be attributed; it is, however, the only branch that covers unmanaged devices.

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • Network Traffic: Network Traffic Flow
  • DNS: DNS Query Resolution
  • Microsoft Defender for Endpoint
  • Azure DNS Analytics

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents
  • DnsEvents

False Positives & Tuning

  • Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface
  • Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
  • Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment
  • Developer and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization
  • Bug bounty hunters or security researchers operating from organization-issued devices with permission to perform reconnaissance
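To check the query's logic and the allowlist tuning described above without a Sentinel workspace, the following Python script replays the three branches over constructed telemetry. It is an added example, not code from the page or from Microsoft; the table and column names mirror the KQL, while the events, hostnames, account names and the allowlist (a SOAR enrichment service account and an approved CTI workstation) are assumptions made up for the example. It also shows why the query uses `has` rather than `contains`: KQL term matching fires on shodan.exe and api.shodan.io but not on an unrelated name like shodanfan.exe, and a DeviceNetworkEvents row with an empty RemoteUrl never matches Branch 2.

```python
"""Offline replay of the three-branch T1596.005 query over constructed events,
then the allowlist step from the tuning notes. KQL `has`/`has_any` match whole
terms (runs of letters and digits), not substrings, so the emulation tokenises
the same way. Events, hostnames, accounts and the allowlist are made up."""
import re

SCAN_DB_DOMAINS = ["api.shodan.io", "www.shodan.io", "shodan.io", "search.censys.io",
    "censys.io", "fofa.info", "en.fofa.info", "fofa.su", "api.zoomeye.org",
    "zoomeye.org", "app.binaryedge.io", "api.binaryedge.io", "binaryedge.io",
    "api.greynoise.io", "viz.greynoise.io", "greynoise.io", "api.onyphe.io",
    "onyphe.io", "leakix.net", "fullhunt.io", "netlas.io"]
TOOL_KEYWORDS = ["shodan", "censys", "fofa", "zoomeye", "binaryedge", "greynoise",
    "onyphe", "netlas"]
VENDORS = [("shodan", "Shodan"), ("censys", "Censys"), ("fofa", "FOFA"),
    ("zoomeye", "ZoomEye"), ("binaryedge", "BinaryEdge"), ("greynoise", "GreyNoise")]
# Hypothetical allowlist (assumption): SOAR enrichment account, approved CTI host.
APPROVED_ACCOUNTS = {"svc-soar-enrich"}
APPROVED_DEVICES = {"cti-analyst-01"}
_TERM = re.compile(r"[a-z0-9]+")

def terms(text):
    """Tokenise like KQL term matching: alphanumeric runs, case-folded."""
    return _TERM.findall((text or "").lower())

def kql_has(haystack, needle):
    """Approximate `has`: needle terms must occur as a contiguous run of whole
    terms. 'shodan' matches 'shodan.exe' and 'api.shodan.io', not 'shodanfan.exe'."""
    h, n = terms(haystack), terms(needle)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def has_any(haystack, needles):
    return any(kql_has(haystack, x) for x in needles)

def vendor(text, suffix):
    """First vendor that matches, in the query's case() order, or None."""
    return next((f"{name} {suffix}" for kw, name in VENDORS if kql_has(text, kw)), None)

def evaluate(ev):
    """Projected row for a matching event, else None (one branch per table)."""
    t = ev["Table"]
    if t == "DeviceProcessEvents":  # Branch 1
        in_file = has_any(ev["FileName"], TOOL_KEYWORDS)
        if not (in_file or has_any(ev["ProcessCommandLine"], TOOL_KEYWORDS)):
            return None
        risk = vendor(ev["ProcessCommandLine"], "CLI/API") or (
            "ScanDB binary execution" if in_file else "Unknown scan database tool")
        return dict(Timestamp=ev["Timestamp"], DeviceName=ev["DeviceName"],
                    AccountName=ev["AccountName"], FileName=ev["FileName"],
                    DetectionBranch="ScanDB_CLI_Or_API_Execution", RiskIndicator=risk)
    if t == "DeviceNetworkEvents":  # Branch 2
        # RemoteUrl is empty when the sensor saw only an IP; such rows never match.
        if not has_any(ev.get("RemoteUrl"), SCAN_DB_DOMAINS):
            return None
        risk = vendor(ev["RemoteUrl"], "API HTTP call") or "Scan database domain access"
        return dict(Timestamp=ev["Timestamp"], DeviceName=ev["DeviceName"],
                    AccountName=ev["InitiatingProcessAccountName"],
                    FileName=ev["InitiatingProcessFileName"],
                    DetectionBranch="ScanDB_API_Network_Access", RiskIndicator=risk)
    if t == "DnsEvents" and has_any(ev["Name"], SCAN_DB_DOMAINS):  # Branch 3
        return dict(Timestamp=ev["TimeGenerated"], DeviceName=ev["Computer"],
                    AccountName="", FileName="",  # no process/user context here
                    DetectionBranch="ScanDB_DNS_Resolution",
                    RiskIndicator=f"DNS query to {ev['Name']}")
    return None

def detect(events):
    """union of the three branches | sort by Timestamp desc."""
    return sorted(filter(None, map(evaluate, events)),
                  key=lambda h: h["Timestamp"], reverse=True)

def tune(hits):
    """Suppress approved accounts/devices; the underlying events stay in the tables."""
    return [h for h in hits if h["AccountName"] not in APPROVED_ACCOUNTS
            and h["DeviceName"] not in APPROVED_DEVICES]

SAMPLE_EVENTS = [  # constructed telemetry
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-05-01T08:01:00Z",
     "DeviceName": "ws-finance-07", "AccountName": "jdoe", "FileName": "python3",
     "ProcessCommandLine": "python3 -c \"import shodan; print(shodan.Shodan(k).search('org:Example'))\""},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-05-01T08:02:00Z", "DeviceName": "ws-finance-07",
     "AccountName": "jdoe", "FileName": "shodanfan.exe", "ProcessCommandLine": "shodanfan.exe --play"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2024-05-01T08:03:00Z", "DeviceName": "cti-analyst-01",
     "RemoteUrl": "search.censys.io", "InitiatingProcessAccountName": "asmith",
     "InitiatingProcessFileName": "censys"},
    {"Table": "DeviceNetworkEvents", "Timestamp": "2024-05-01T08:04:00Z", "DeviceName": "ws-finance-07",
     "RemoteUrl": "", "InitiatingProcessAccountName": "jdoe", "InitiatingProcessFileName": "python3"},
    {"Table": "DnsEvents", "TimeGenerated": "2024-05-01T08:05:00Z", "Computer": "printer-lobby-2",
     "Name": "api.greynoise.io"},
    {"Table": "DeviceProcessEvents", "Timestamp": "2024-05-01T08:06:00Z", "DeviceName": "soar-worker-01",
     "AccountName": "svc-soar-enrich", "FileName": "curl",
     "ProcessCommandLine": "curl -s https://api.greynoise.io/v3/community/198.51.100.5"},
]

if __name__ == "__main__":
    for row in tune(detect(SAMPLE_EVENTS)):
        print(row["Timestamp"], row["DeviceName"], row["DetectionBranch"], row["RiskIndicator"])
```

Run as-is, `detect` returns four rows (the SOAR curl, the printer's DNS query, the analyst's Censys call and the Shodan Python one-liner); the shodanfan.exe process and the hostname-less network event produce nothing. `tune` then drops the SOAR account and the approved analyst host, leaving the finance workstation and the unmanaged printer, which is the residue an analyst would actually triage. In the real query the same suppression is an extra `| where AccountName !in (...) and DeviceName !in (...)` after the union, fed from a watchlist rather than a hard-coded set.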
Testing Methodology

Validate this detection with the four tests below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are given as Sysmon events; on a Defender for Endpoint host, Event ID 1 (Process Create) surfaces in DeviceProcessEvents (Branch 1) and Event ID 3 (Network Connect) in DeviceNetworkEvents (Branch 2), while Event ID 22 (DNS query) reaches Branch 3 only if the endpoint's resolver forwards to a DNS server whose logs land in DnsEvents.

  1. Test 1: Shodan CLI Host Lookup

    Expected signal: Sysmon Event ID 1: Process Create events for 'pip' and 'shodan' with CommandLine showing 'shodan host 8.8.8.8'. Sysmon Event ID 22: DNS query to api.shodan.io from the shodan process. Sysmon Event ID 3: TCP connection to api.shodan.io:443. Shell history entry for the command. Python package installation may generate additional file creation events in site-packages.

  2. Test 2: Censys CLI Search for Organization Certificates

    Expected signal: Sysmon Event ID 1: Process Create for 'censys' binary with CommandLine showing the search query. Sysmon Event ID 22: DNS query to search.censys.io. Sysmon Event ID 3: HTTPS connection to search.censys.io:443. Python site-packages directory modified (file creation events for censys package files). Config file created at ~/.config/censys/censys.cfg.

  3. Test 3: Shodan API Query via Python Script

    Expected signal: Sysmon Event ID 1: Process Create for python3 with multi-line script CommandLine containing 'shodan' and 'api.search'. Sysmon Event ID 22: DNS query to api.shodan.io from python3 process. Sysmon Event ID 3: HTTPS connection from python3 to api.shodan.io:443. Python process parent will typically be bash or the calling shell.

  4. Test 4: GreyNoise Context Lookup via curl

    Expected signal: Sysmon Event ID 1: Process Create for 'curl' with CommandLine containing 'api.greynoise.io'. Sysmon Event ID 22: DNS query to api.greynoise.io. Sysmon Event ID 3: TCP connection to api.greynoise.io:443. Additional process creation for python3 (json.tool). Shell history entry.
