Reconnaissance (TA0043)

Sub-technique: T1595.001 - Scanning IP Blocks

Objective: Detect network scanning activities indicative of reconnaissance.

Detect Multiple Ports Scanned from a Single IP

DeviceNetworkEvents
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize port_count = count() by RemoteIP, LocalPort, bin(TimeGenerated, 1h)
| where port_count > 20
| project TimeGenerated, RemoteIP, LocalPort, port_count
| order by port_count desc

Purpose: Identify IP addresses scanning multiple ports.

Identify Rapid Scanning Behaviour

DeviceNetworkEvents
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize time_diff = min(TimeGenerated), event_count = count() by RemoteIP, LocalPort, LocalIP
| where event_count > 50
| project time_diff, RemoteIP, LocalPort,LocalIP, event_count
| order by event_count desc

Purpose: Detect scanning activity that occurs in a short time span.

Suspicious Network Scanning Patterns

DeviceNetworkEvents
| where LocalPort in (22, 23, 80, 443, 3389)
| summarize event_count = count() by RemoteIP, LocalIP
| where event_count > 10
| project RemoteIP, LocalIP, event_count
| order by event_count desc

Purpose: Detect scanning on commonly targeted ports.

Identify Outbound Port Scanning

DeviceNetworkEvents
| where InitiatingProcessFileName == "nmap.exe"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| project TimeGenerated, DeviceName, RemoteIP, LocalPort, InitiatingProcessFileName
| order by TimeGenerated desc

Purpose: Detect known scanning tools like Nmap.

Multiple Failed Connection Attempts

DeviceNetworkEvents
| where ActionType == "ConnectionFailed"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP, LocalIP
| where event_count > 100
| project RemoteIP, LocalIP, event_count
| order by event_count desc

Purpose: Identify failed connections that could indicate scanning.

Identify ICMP Echo Requests (Ping Sweeps)

DeviceNetworkEvents
| where Protocol == "ICMP"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP, LocalIP
| where event_count > 50
| project RemoteIP, LocalIP, event_count
| order by event_count desc

Purpose: Detect ICMP ping sweeps across multiple IP addresses.

Scan for SMB Shares

DeviceNetworkEvents
| where LocalPort == 445
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP, LocalIP
| where event_count > 10
| project RemoteIP, LocalIP, event_count
| order by event_count desc

Purpose: Identify scanning activity targeting SMB shares.

HTTP GET Request Flooding

DeviceNetworkEvents
| where LocalPort == 80 and ActionType == "ConnectionSuccess"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP, LocalIP
| where event_count > 100
| project RemoteIP, LocalIP, event_count
| order by event_count desc

Purpose: Detect flooding of HTTP GET requests from a single IP.

Identify DNS Query Flooding

DeviceNetworkEvents
| where RemotePort == 53 and ActionType == "Query"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP
| where event_count > 200
| project RemoteIP, event_count
| order by event_count desc

Purpose: Detect excessive DNS queries that may indicate scanning.

Detecting high Numbers of SYN Packets

DeviceNetworkEvents
| where ActionType == "SYN"
| where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16."
| summarize event_count = count() by RemoteIP
| where event_count > 500
| project RemoteIP, event_count
| order by event_count desc

Purpose: Detect a high volume of SYN packets, which could indicate a SYN flood or scanning.

PreviousKQL Use Cases NextInitial Access (TA0001)

Last updated 3 months ago

DeviceNetworkEvents | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | summarize port_count = count() by RemoteIP, LocalPort, bin(TimeGenerated, 1h) | where port_count > 20 | project TimeGenerated, RemoteIP, LocalPort, port_count | order by port_count desc

DeviceNetworkEvents | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | summarize time_diff = min(TimeGenerated), event_count = count() by RemoteIP, LocalPort, LocalIP | where event_count > 50 | project time_diff, RemoteIP, LocalPort,LocalIP, event_count | order by event_count desc

DeviceNetworkEvents | where InitiatingProcessFileName == "nmap.exe" | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | project TimeGenerated, DeviceName, RemoteIP, LocalPort, InitiatingProcessFileName | order by TimeGenerated desc

DeviceNetworkEvents | where ActionType == "ConnectionFailed" | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | summarize event_count = count() by RemoteIP, LocalIP | where event_count > 100 | project RemoteIP, LocalIP, event_count | order by event_count desc

DeviceNetworkEvents | where LocalPort == 80 and ActionType == "ConnectionSuccess" | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | summarize event_count = count() by RemoteIP, LocalIP | where event_count > 100 | project RemoteIP, LocalIP, event_count | order by event_count desc

DeviceNetworkEvents | where RemotePort == 53 and ActionType == "Query" | where RemoteIP !startswith "10." and RemoteIP !startswith "192.168." and RemoteIP !startswith "172.16." | summarize event_count = count() by RemoteIP | where event_count > 200 | project RemoteIP, event_count | order by event_count desc