Query Details
Nmap Reconnaissance Detection
Query
//This query detects potential active network reconnaissance attacks using Nmap //Monitors for command line usage of nmap tool DeviceProcessEvents | where Timestamp >= ago (30d) | where InitiatingProcessCommandLine contains "cmd" and ProcessCommandLine contains "nmap" | project InitiatingProcessCommandLine, ProcessCommandLine, DeviceName, AccountUpn, DeviceId, Timestamp, ReportId
Explanation
This query is designed to identify possible active network reconnaissance attacks by monitoring the use of the Nmap tool, which is often used for network scanning. Here's a simple breakdown of what the query does:
-
Data Source: It looks at events related to processes on devices (
DeviceProcessEvents). -
Time Frame: It focuses on events that occurred in the last 30 days.
-
Filter Criteria:
- It checks if the command line that started a process includes the word "cmd" (indicating the use of the command prompt).
- It also checks if the command line of the process itself includes "nmap" (indicating the use of the Nmap tool).
-
Output: For any events that match these criteria, it retrieves and displays the following details:
- The command line that initiated the process (
InitiatingProcessCommandLine). - The command line of the process itself (
ProcessCommandLine). - The name of the device where the event occurred (
DeviceName). - The user account associated with the event (
AccountUpn). - The unique identifier of the device (
DeviceId). - The timestamp of when the event happened (
Timestamp). - A report identifier (
ReportId).
- The command line that initiated the process (
In summary, this query helps in detecting and investigating potential unauthorized network scanning activities by identifying when and where the Nmap tool is being used within the network.
Details
Darren Mayes
Released: November 10, 2024
Tables
DeviceProcessEvents
Keywords
DeviceProcessEventsDeviceNameAccountUpnDeviceIdTimestampReportId
Operators
agocontainsprojectand