Reconnaissance (TA0043)
Sub-technique: T1595.001 - Scanning IP Blocks
Objective: Detect network scanning activities indicative of reconnaissance.
Detect Multiple Ports Scanned from a Single IP
DeviceNetworkEvents
// Exclude RFC 1918 sources; a prefix test on "172.16." would miss 172.17.0.0-172.31.255.255
| where not(ipv4_is_private(RemoteIP))
// Count distinct local ports touched by each remote IP per hour, not raw events per port
| summarize port_count = dcount(LocalPort) by RemoteIP, bin(TimeGenerated, 1h)
| where port_count > 20
| project TimeGenerated, RemoteIP, port_count
| order by port_count desc
Purpose: Identify IP addresses scanning multiple ports.
Identify Rapid Scanning Behaviour
DeviceNetworkEvents
// Exclude RFC 1918 sources (covers 10/8, 172.16/12 and 192.168/16)
| where not(ipv4_is_private(RemoteIP))
// Keep first and last event time so the span the hits were packed into can be shown
| summarize first_seen = min(TimeGenerated), last_seen = max(TimeGenerated), event_count = count() by RemoteIP, LocalPort, LocalIP
| extend time_span = last_seen - first_seen
| where event_count > 50
| project first_seen, time_span, RemoteIP, LocalPort, LocalIP, event_count
| order by event_count desc
Purpose: Detect scanning activity that occurs in a short time span.
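The two queries above, re-implemented in Python over a constructed event sample so the logic can be checked offline (added example, not part of the original page or of any vendor product). It assumes events as dicts carrying the DeviceNetworkEvents column names used above, and tests RFC 1918 membership with the ipaddress module rather than a string prefix, so an internal 172.20.x.x source is excluded as intended.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 ranges; a plain "172.16." prefix test would miss 172.17.0.0-172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def hour_bin(ts):
    # Equivalent of bin(TimeGenerated, 1h)
    return ts.replace(minute=0, second=0, microsecond=0)

def multi_port_scanners(events, threshold=20):
    """First query: distinct LocalPorts touched per external RemoteIP per 1h bin."""
    ports = defaultdict(set)
    for e in events:
        if is_internal(e["RemoteIP"]):
            continue
        ports[(e["RemoteIP"], hour_bin(e["TimeGenerated"]))].add(e["LocalPort"])
    hits = [(ip, b, len(p)) for (ip, b), p in ports.items() if len(p) > threshold]
    return sorted(hits, key=lambda r: r[2], reverse=True)

def rapid_scanners(events, threshold=50):
    """Second query: event count and time span per (RemoteIP, LocalPort, LocalIP)."""
    groups = defaultdict(list)
    for e in events:
        if is_internal(e["RemoteIP"]):
            continue
        groups[(e["RemoteIP"], e["LocalPort"], e["LocalIP"])].append(e["TimeGenerated"])
    hits = [(k, len(ts), max(ts) - min(ts)) for k, ts in groups.items() if len(ts) > threshold]
    return sorted(hits, key=lambda r: r[1], reverse=True)

# Constructed sample events (hypothetical addresses) with the columns the queries use.
T0 = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = []
# External host touching 25 different ports within one hour -> multi-port hit
EVENTS += [{"TimeGenerated": T0 + timedelta(seconds=i), "RemoteIP": "203.0.113.5",
            "LocalIP": "10.0.0.20", "LocalPort": 1 + i} for i in range(25)]
# External host hitting SMB on one host 60 times in 30 seconds -> rapid-scan hit
EVENTS += [{"TimeGenerated": T0 + timedelta(milliseconds=500 * i), "RemoteIP": "198.51.100.7",
            "LocalIP": "10.0.0.21", "LocalPort": 445} for i in range(60)]
# Internal host 172.20.0.9 is RFC 1918 and is excluded even though it does not start with "172.16."
EVENTS += [{"TimeGenerated": T0 + timedelta(seconds=i), "RemoteIP": "172.20.0.9",
            "LocalIP": "10.0.0.22", "LocalPort": 1000 + i} for i in range(30)]

if __name__ == "__main__":
    print(multi_port_scanners(EVENTS))
    print(rapid_scanners(EVENTS))
```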
Suspicious Network Scanning Patterns
Purpose: Detect scanning on commonly targeted ports.
Identify Outbound Port Scanning
Purpose: Detect known scanning tools like Nmap.
Multiple Failed Connection Attempts
Purpose: Identify failed connections that could indicate scanning.
Identify ICMP Echo Requests (Ping Sweeps)
Purpose: Detect ICMP ping sweeps across multiple IP addresses.
Scan for SMB Shares
Purpose: Identify scanning activity targeting SMB shares.
HTTP GET Request Flooding
Purpose: Detect flooding of HTTP GET requests from a single IP.
Identify DNS Query Flooding
Purpose: Detect excessive DNS queries that may indicate scanning.
Detecting High Numbers of SYN Packets
Purpose: Detect a high volume of SYN packets, which could indicate a SYN flood or scanning.