title: Network Security Appliances (T1590.006)
id: df00tech-t1590-006
status: experimental
description: "Adversaries may gather information about the victim's network security appliances that can be used during targeting: the existence and specifics of deployed firewalls, content filters, proxies and bastion hosts, and network-based intrusion detection systems (NIDS) or other appliances used for defensive cybersecurity operations. This reconnaissance may occur via active scanning (port scanning, banner grabbing, ACK probes to identify stateful firewalls, SNMP enumeration of management interfaces), passive OSINT collection (Shodan/Censys searches, job postings that reveal the security stack), or phishing for information. Volt Typhoon has been documented conducting this kind of pre-compromise reconnaissance to identify network security measures before intrusion attempts against US critical infrastructure. Knowing an appliance's vendor, model and version lets an adversary identify applicable CVEs, plan evasion tailored to that vendor's implementation, and choose tooling accordingly. Because this is a pre-compromise technique, most of it (OSINT, phishing, scans launched from attacker infrastructure) happens outside the victim's telemetry; only the active-scanning component is observable, at the perimeter, and against a high baseline of benign scanning and Internet background noise."
references:
  - https://attack.mitre.org/techniques/T1590/006/
  - https://df00tech.com/detections/T1590.006
author: df00tech
date: 2026/03/13
tags:
  - attack.t1590.006
# NOTE: a wildcard EventID on process_creation matches every process start and
# tells you nothing about reconnaissance. Perimeter reconnaissance is visible in
# firewall/NIDS logs instead. The logsource and selection below cover the
# active-scanning component (many destination ports probed from one source);
# the full KQL/SPL query, including SNMP probes of appliance management
# addresses and an allowlist of approved scan hosts, is on df00tech.
logsource:
  category: firewall
detection:
  selection:
    action: denied
  timeframe: 1h
  # Sigma legacy aggregation syntax, as used by the upstream network-scan rules:
  # more than 20 distinct destination ports from one source within the timeframe.
  # Sigma v2 expresses this as a correlation rule instead.
  condition: selection | count(dst_port) by src_ip > 20
falsepositives:
  - IT security teams conducting authorized vulnerability assessments or network audits using nmap or Nessus from designated scanning hosts
  - "Network operations center personnel running SNMP queries (snmpwalk, snmpget) against security appliances for legitimate health monitoring and capacity planning"
  - "Automated vulnerability scanners (Qualys, Rapid7 InsightVM, Tenable) executing scheduled scans from approved scan sources that include management ports in their scope"
  - Firewall administrators probing management interface connectivity after configuration changes or maintenance windows
  - Security engineers using nmap for network documentation and asset discovery during authorized change windows
level: medium
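The rule above leaves the per-source threshold, the SNMP special case and the approved-scanner allowlist to the SIEM. The following Python is an added example for this page, not df00tech's published query: it applies that logic to firewall log lines so the behaviour of the timeframe and threshold can be checked offline. The log format, the approved scanner range, the appliance management addresses and every IP address below are constructed for the example and are assumptions, not data from the page.

```python
"""Perimeter-side detection of T1590.006 active reconnaissance (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

SNMP_PORT = 161
PORT_SWEEP_THRESHOLD = 20            # distinct dst ports per source, as in the rule
TIMEFRAME = timedelta(hours=1)       # the rule's timeframe

# Assumptions for the example: approved scan sources (see falsepositives) and the
# management addresses of the security appliances being protected.
APPROVED_SCANNERS = [ip_network("10.0.50.0/24")]
APPLIANCE_MGMT = {"198.51.100.10": "edge-firewall", "198.51.100.11": "nids-sensor"}


@dataclass(frozen=True)
class FwEvent:
    ts: datetime
    action: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> FwEvent:
    """Parse one constructed log line: '<iso-ts> <action> <proto> <src> <dst> <dport>'."""
    ts, action, proto, src, dst, dport = line.split()
    return FwEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                   action, proto, src, dst, int(dport))


def is_approved(src_ip: str) -> bool:
    """Allowlist check for the designated scanning / NOC hosts."""
    addr = ip_address(src_ip)
    return any(addr in net for net in APPROVED_SCANNERS)


def detect(lines):
    """Return (src_ip, alert_name, detail) tuples for unapproved sources."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts, seen = [], set()
    denied_by_src = defaultdict(list)
    for ev in events:
        if is_approved(ev.src_ip):
            continue
        # An SNMP probe at an appliance management address from an unapproved
        # source is reported on first sight, whether or not the firewall allowed it.
        if ev.dst_port == SNMP_PORT and ev.proto == "udp" and ev.dst_ip in APPLIANCE_MGMT:
            key = (ev.src_ip, "snmp_probe")
            if key not in seen:
                seen.add(key)
                alerts.append((ev.src_ip, "snmp_probe", APPLIANCE_MGMT[ev.dst_ip]))
        if ev.action == "deny":
            denied_by_src[ev.src_ip].append(ev)
    # Sliding-window equivalent of: selection | count(dst_port) by src_ip > N
    for src, evs in denied_by_src.items():
        window, left = Counter(), 0
        for right, ev in enumerate(evs):
            window[ev.dst_port] += 1
            while evs[right].ts - evs[left].ts > TIMEFRAME:   # expire old events
                old = evs[left].dst_port
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                left += 1
            if len(window) > PORT_SWEEP_THRESHOLD:
                alerts.append((src, "port_sweep", len(window)))
                break                                         # one alert per source
    return alerts


def build_sample_log():
    """Constructed firewall lines (not real data) exercising each branch."""
    base = datetime(2026, 3, 13, 9, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.7 sweeps 25 ports of the edge firewall within 25 seconds: alert.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} deny tcp 203.0.113.7 198.51.100.10 {i + 1}")
    # 198.18.0.5 probes 25 ports ten minutes apart: never >20 in any 1h window.
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=10 * i)).isoformat()} deny tcp 198.18.0.5 198.51.100.10 {i + 1}")
    # Approved scanner sweeps 30 ports: suppressed by the allowlist.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} deny tcp 10.0.50.5 198.51.100.11 {i + 1}")
    # External SNMP probe of the NIDS sensor, allowed by the firewall: alert anyway.
    lines.append(f"{base.isoformat()} allow udp 203.0.113.99 198.51.100.11 161")
    # NOC host polling SNMP from the approved range: suppressed.
    lines.append(f"{base.isoformat()} allow udp 10.0.50.6 198.51.100.10 161")
    # One stray denied connection: below threshold, no alert.
    lines.append(f"{base.isoformat()} deny tcp 192.0.2.44 198.51.100.10 443")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Two points this makes concrete: the threshold is only useful with a timeframe (the slow sweep from 198.18.0.5 stays under it, which is the trade-off every count-based rule accepts against a patient scanner), and the SNMP branch deliberately ignores the firewall's verdict, because an allowed `snmpget` from an unexpected source against a security appliance is exactly the enumeration the description warns about.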
