Reconnaissance (TA0043)
Sub-technique: T1595.001 - Scanning IP Blocks
Objective: Detect network scanning activities indicative of reconnaissance.
Detect Multiple Ports Scanned from a Single IP
DeviceNetworkEvents
| where not(ipv4_is_private(RemoteIP))
| summarize port_count = dcount(LocalPort), event_count = count() by RemoteIP, bin(TimeGenerated, 1h)
| where port_count > 20
| project TimeGenerated, RemoteIP, port_count, event_count
| order by port_count desc
Purpose: Identify external IP addresses that touch more than 20 distinct local ports within one hour. Counting distinct ports with dcount() is what separates a scan from a busy client; summarizing count() by RemoteIP and LocalPort only measures how many times a single port was hit, so a one-packet-per-port sweep never crosses the threshold. ipv4_is_private() covers all of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, whereas a prefix test on "172.16." misses 172.17.0.0 through 172.31.255.255. Drop the private-range filter to see internal hosts scanning each other, which is the more common reconnaissance pattern once an attacker has a foothold.
Identify Rapid Scanning Behaviour
DeviceNetworkEvents
| where not(ipv4_is_private(RemoteIP))
| summarize first_seen = min(TimeGenerated), last_seen = max(TimeGenerated), event_count = count(), port_count = dcount(LocalPort) by RemoteIP, LocalIP
| extend span = last_seen - first_seen
| where event_count > 50 and span < 1m
| project first_seen, last_seen, span, RemoteIP, LocalIP, event_count, port_count
| order by event_count desc
Purpose: Detect scanning activity that occurs in a short time span. Taking both min() and max() of TimeGenerated and subtracting them gives the span; without that subtraction the query filters on volume alone and says nothing about speed. Tune the 1m window to the scan speed you expect: a slow scan spread over hours will not trigger here and is the job of the hourly distinct-port query above.
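The two detections above, distinct ports per source per one-hour bin and many events from one source to one host within a short span, reimplemented in Python over constructed DeviceNetworkEvents-style records. This is an added example, not code from the original page; the rows, addresses and thresholds are all constructed, and the column names only mirror the Sentinel DeviceNetworkEvents schema. It also shows, on the same data, what a count()-per-port version would measure instead and which RFC 1918 sources a "172.16." prefix test lets through:

```python
"""Port-scan detection logic over constructed DeviceNetworkEvents-style rows.

Added example, not part of the original query collection. Every event and
address below is constructed; column names mirror DeviceNetworkEvents only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, the same set that KQL's ipv4_is_private() tests.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(ip):
    """Proper CIDR membership test (equivalent of ipv4_is_private)."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def prefix_is_private(ip):
    """String-prefix test of the kind used in ad-hoc queries; misses 172.17-172.31."""
    return ip.startswith(("10.", "192.168.", "172.16."))


def make_events():
    """Constructed sample rows: (TimeGenerated, RemoteIP, LocalIP, LocalPort)."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    # 203.0.113.5 sweeps 25 distinct ports on one host within 25 seconds.
    for i in range(25):
        events.append((base + timedelta(seconds=i), "203.0.113.5", "10.0.0.7", 1000 + i))
    # 198.51.100.9 hits port 443 sixty times over an hour: noisy, but one port.
    for i in range(60):
        events.append((base + timedelta(minutes=i), "198.51.100.9", "10.0.0.7", 443))
    # 172.31.4.4 is RFC 1918 (172.16.0.0/12) but not caught by a "172.16." prefix test.
    for i in range(30):
        events.append((base + timedelta(seconds=i), "172.31.4.4", "10.0.0.8", 2000 + i))
    return events


def hour_bin(ts):
    """bin(TimeGenerated, 1h)"""
    return ts.replace(minute=0, second=0, microsecond=0)


def distinct_ports_per_hour(events, threshold=20, private=is_private):
    """summarize port_count = dcount(LocalPort) by RemoteIP, bin(TimeGenerated, 1h)"""
    ports = defaultdict(set)
    for ts, remote, _local, port in events:
        if private(remote):
            continue
        ports[(remote, hour_bin(ts))].add(port)
    return {key: len(seen) for key, seen in ports.items() if len(seen) > threshold}


def events_per_port_per_hour(events, threshold=20, private=is_private):
    """summarize count() by RemoteIP, LocalPort, bin(TimeGenerated, 1h): counts repeat
    hits on one port, so a one-packet-per-port sweep never crosses the threshold."""
    counts = defaultdict(int)
    for ts, remote, _local, port in events:
        if private(remote):
            continue
        counts[(remote, port, hour_bin(ts))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def rapid_scans(events, min_events=20, max_span=timedelta(minutes=1), private=is_private):
    """min/max(TimeGenerated) per (RemoteIP, LocalIP); keep pairs with many events
    whose first-to-last span is short. Returns {(remote, local): (span, count)}."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, remote, local, _port in events:
        if private(remote):
            continue
        key = (remote, local)
        first[key] = min(first.get(key, ts), ts)
        last[key] = max(last.get(key, ts), ts)
        count[key] += 1
    return {key: (last[key] - first[key], count[key]) for key in count
            if count[key] >= min_events and last[key] - first[key] <= max_span}


if __name__ == "__main__":
    ev = make_events()
    print("distinct ports per hour  :", distinct_ports_per_hour(ev))
    print("events per port per hour :", events_per_port_per_hour(ev))
    print("rapid scans              :", rapid_scans(ev))
    print("with prefix filter       :", distinct_ports_per_hour(ev, private=prefix_is_private))
```

On this data the distinct-port rule flags only 203.0.113.5, the per-port count flags only the repeat connections from 198.51.100.9 to port 443 and misses the sweep entirely, and swapping in the prefix filter lets the 172.31.4.4 scanner through the "private" exclusion.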
Suspicious Network Scanning Patterns
DeviceNetworkEvents
| where LocalPort in (22, 23, 80, 443, 3389)
| summarize event_count = count(), port_count = dcount(LocalPort), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by RemoteIP, LocalIP
| where event_count > 10
| project RemoteIP, LocalIP, event_count, port_count, first_seen, last_seen
| order by event_count desc
Purpose: Detect probing of commonly targeted service ports (SSH, Telnet, HTTP, HTTPS, RDP). This query deliberately keeps private-range sources in scope, so it also surfaces internal hosts probing their neighbours. Legitimate clients of a web or RDP server will exceed 10 connections, so the stronger signal is a source that hits several of these ports on the same host (port_count greater than 1) or a port that host does not actually serve.
Identify Outbound Port Scanning
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "nmap.exe"
| where not(ipv4_is_private(RemoteIP))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, ActionType
| order by TimeGenerated desc
Purpose: Detect known scanning tools like Nmap running on a managed device. For outbound connections the scanned port is RemotePort; LocalPort is the ephemeral source port and says nothing about the target. =~ makes the file-name match case-insensitive. Because the match is on the process name alone, a renamed binary is not caught; the behavioural queries above cover that case. As written the private-range filter keeps only scans of external targets, so remove it to see the device scanning the internal network.
Multiple Failed Connection Attempts
DeviceNetworkEvents
| where ActionType == "ConnectionFailed"
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), port_count = dcount(RemotePort), first_seen = min(TimeGenerated) by DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName
| where event_count > 100
| project first_seen, DeviceName, LocalIP, RemoteIP, InitiatingProcessFileName, event_count, port_count
| order by event_count desc
Purpose: Identify failed connections that could indicate scanning. ConnectionFailed in DeviceNetworkEvents is recorded for connections the device itself initiated, so this query finds a managed host repeatedly failing to reach an external address, that is, the device acting as the scanner, not an external host scanning it. Grouping on InitiatingProcessFileName points directly at the responsible tool, and a high port_count against one RemoteIP is the port-scan signature as opposed to a single unreachable service.
Identify ICMP Echo Requests (Ping Sweeps)
DeviceNetworkEvents
| where Protocol =~ "Icmp"
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), target_count = dcount(LocalIP), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by RemoteIP
| where target_count > 10 or event_count > 50
| project RemoteIP, target_count, event_count, first_seen, last_seen
| order by target_count desc
Purpose: Detect ICMP ping sweeps across multiple IP addresses. A sweep is defined by the number of distinct hosts one source touches, which is why the query counts dcount(LocalIP) per RemoteIP instead of grouping on each (RemoteIP, LocalIP) pair. The table records ICMP at the connection level rather than per packet and does not distinguish echo requests from other ICMP types, so check that ICMP actually appears in your tenant (DeviceNetworkEvents | distinct Protocol) and confirm sweeps with network sensor data before acting.
Scan for SMB Shares
DeviceNetworkEvents
| where LocalPort == 445
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), target_count = dcount(LocalIP), first_seen = min(TimeGenerated) by RemoteIP
| where event_count > 10
| project RemoteIP, target_count, event_count, first_seen
| order by target_count desc
Purpose: Identify external sources connecting to SMB on managed hosts. SMB should not be reachable from the internet at all, so any hit here is worth investigating regardless of count. The threshold matters more once the private-range filter is relaxed: an internal host touching port 445 on many neighbours (high target_count) is the classic share-enumeration pattern.
HTTP GET Request Flooding
DeviceNetworkEvents
| where LocalPort == 80 and ActionType == "InboundConnectionAccepted"
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by RemoteIP, LocalIP
| where event_count > 100
| project RemoteIP, LocalIP, event_count, first_seen, last_seen
| order by event_count desc
Purpose: Detect a single external IP opening an unusually large number of connections to a web server on port 80. DeviceNetworkEvents records connections, not HTTP requests, so it cannot see the method, path or status code; for connections arriving at a local listener the relevant ActionType is InboundConnectionAccepted, while ConnectionSuccess denotes an outbound connection the device made. Use web server or proxy logs to confirm that the connections carried GET requests rather than, for example, a single keep-alive client reconnecting.
Identify DNS Query Flooding
DeviceNetworkEvents
| where RemotePort == 53
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), resolver_count = dcount(RemoteIP), first_seen = min(TimeGenerated) by DeviceName, LocalIP, InitiatingProcessFileName
| where event_count > 200
| project first_seen, DeviceName, LocalIP, InitiatingProcessFileName, resolver_count, event_count
| order by event_count desc
Purpose: Detect a device sending an excessive volume of DNS traffic to external resolvers, which may indicate reverse-lookup sweeps of an IP block or a misconfigured client. DeviceNetworkEvents has no "Query" ActionType: it records the UDP or TCP connection to port 53, not the name looked up, so group on the device and initiating process rather than on the resolver address. Traffic to internal resolvers, the normal case on a domain-joined host, is excluded by the private-range filter; drop it to see total query volume.
Detecting High Numbers of SYN Packets
DeviceNetworkEvents
| where ActionType == "ConnectionRequest"
| where not(ipv4_is_private(RemoteIP))
| summarize event_count = count(), target_count = dcount(RemoteIP), port_count = dcount(RemotePort) by DeviceName, LocalIP, InitiatingProcessFileName
| where event_count > 500
| project DeviceName, LocalIP, InitiatingProcessFileName, target_count, port_count, event_count
| order by event_count desc
Purpose: Detect a high volume of TCP connection attempts from one device, which could indicate scanning. DeviceNetworkEvents has no "SYN" ActionType; the closest record is ConnectionRequest, logged when a process on the device attempts a TCP connection (the SYN side of the handshake, whether or not it completes). Because the table is endpoint telemetry, an inbound SYN flood against the host is not visible here at all and needs firewall, NetFlow or IDS data. A device with a large target_count or port_count is the outbound scanner; a large event_count against a single target and port is more likely a flood or a retry loop.