Threat Hunting Techniques for APT34 and APT39: Identifying Network Scanning Behavior

In a recent Tech Talk hosted by Dan Gunter from Insane Cyber, the discussion centered around how defenders can identify early-stage reconnaissance activity carried out by threat groups such as APT34 and APT39. The talk emphasized network scanning behaviors and offered practical methods to detect such activity during the reconnaissance and discovery phases of an attack.

Core Detection Areas

Four key types of scanning techniques were outlined in the presentation:

  • Port scanning

  • Service identification

  • Operating system detection

  • Vulnerability scanning

The tools Nmap and Nikto were highlighted as commonly used by both attackers and security professionals. Both tools are modular: an attacker can choose which functions to run, and that choice determines what traces are left behind on the network.

Indicators of Nmap Activity

Nmap has long been a staple in both penetration testing and adversarial operations. It allows users to map out open ports, identify services, detect OS fingerprints, and more.

When using aggressive scan options (such as nmap -A), attackers can gather detailed intelligence, including:

  • Lists of open ports and their associated services

  • Version numbers of detected services

  • OS fingerprinting results

  • Additional details such as SMB-related information

Common detection indicators include:

  • Specific User-Agent strings (e.g., identifiers used by the Nmap Scripting Engine)

  • Known probe paths like /trinity.txt.back

  • A spike in HTTP 404 errors (as non-existent paths are probed)

  • HTTP 501 errors (unsupported methods)

  • SMB enumeration patterns (e.g., access denied errors, disabled account queries)

Stealth Scanning: SYN Method

Both APT34 and APT39 have been observed using SYN scanning (nmap -sS), a quieter technique that avoids completing the TCP handshake.

Here’s how it works:

  • A SYN packet is sent to a target port

  • If the port is open, the server replies with a SYN-ACK

  • The handshake is then aborted, avoiding a full connection

This technique leaves fewer direct clues, but creates noticeable anomalies in traffic, such as:

  • Sudden increases in TCP RST (reset) packets from target hosts

  • Traffic volume changes depending on scan scope (how many ports or hosts are probed)

Nikto Detection Clues

Nikto is another scanning tool, mainly used for identifying vulnerabilities in web servers. Unlike Nmap’s stealth options, Nikto’s scans are more noticeable.

Indicators include:

  • Hardcoded URLs triggered during scanning

  • User-Agent headers revealing tool version and test signatures

  • Exposure of directory listings or vulnerability details

Evasion tactics attackers might use:

  • Encoding URLs to avoid signature matching

  • Using custom User-Agent strings to conceal the tool’s identity

Even with these tricks, underlying patterns in HTTP traffic—such as sudden surges in 404 errors—remain visible and can give defenders clues about ongoing scans.
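As an added illustration, not part of the talk or of Insane Cyber's material, the following Python detector runs the HTTP-side indicators from the Nmap and Nikto sections over a few constructed access-log lines: it URL-decodes paths before matching the known probe path, looks for scanner User-Agent markers, and, independently of those signatures, flags a per-client surge of 404/501 responses, which is the behaviour that survives the User-Agent and URL-encoding evasions described above. The simplified log format, the "Nikto" User-Agent fragment, and the window and threshold values are assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Signature indicators named in the talk: the Nmap Scripting Engine User-Agent marker and the
# /trinity.txt.back probe path. "Nikto" in the UA is an assumption (the talk says Nikto's UA reveals it).
UA_SIGNATURES = ("Nmap Scripting Engine", "Nikto")
PROBE_PATHS = ("/trinity.txt.back",)
# Window and threshold are illustrative assumptions, not values from the talk; tune per environment.
ERROR_THRESHOLD = 5      # this many 404/501 responses to one client ...
WINDOW_SECONDS = 60      # ... within this many seconds is treated as a surge
# Simplified access-log line: client ip, epoch seconds, "METHOD path proto", status, "User-Agent"
LOG_RE = re.compile(r'^(\S+) (\d+) "\w+ (\S+)[^"]*" (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Parse one constructed log line; URL-decode the path so encoded probes still match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status, ua = m.groups()
    return {"ip": ip, "ts": int(ts), "path": unquote(path), "status": int(status), "ua": ua}

def detect_scanning(lines):
    """Return {client_ip: set of reasons} for clients showing scanner indicators."""
    findings = defaultdict(set)
    error_times = defaultdict(list)   # per client: timestamps of recent 404/501 responses
    for e in filter(None, map(parse_line, lines)):
        if any(sig in e["ua"] for sig in UA_SIGNATURES):
            findings[e["ip"]].add("scanner user-agent")      # signature: tool named itself
        if e["path"] in PROBE_PATHS:
            findings[e["ip"]].add("known probe path")        # signature: known Nmap probe
        if e["status"] in (404, 501):
            times = error_times[e["ip"]]
            times.append(e["ts"])
            times[:] = [t for t in times if e["ts"] - t <= WINDOW_SECONDS]  # slide the window
            if len(times) >= ERROR_THRESHOLD:
                findings[e["ip"]].add("404/501 surge")        # behaviour: survives UA/URL evasion
    return dict(findings)

# Constructed sample traffic (not from the talk): a disguised scanner, one NSE probe, one ordinary client.
SAMPLE_LOG = [
    '203.0.113.5 1000 "GET /%74rinity.txt.back HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 1003 "GET /cgi-bin/%74est.cgi HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 1005 "TRACK / HTTP/1.1" 501 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 1011 "GET /admin/ HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 1020 "GET /backup.zip HTTP/1.1" 404 "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 1030 "GET / HTTP/1.1" 200 "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"',
    '192.0.2.10 1040 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)"',
    '192.0.2.10 1042 "GET /indx.html HTTP/1.1" 404 "Mozilla/5.0 (Windows NT 10.0)"',
]
```

Running `detect_scanning(SAMPLE_LOG)` flags the disguised client on both the decoded probe path and the error surge, flags the NSE client on its User-Agent alone, and leaves the ordinary client with its single typo untouched.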

Conclusion

The key takeaway from the talk was this: attackers may attempt to hide traces of the tools they use, but they can’t easily mask behavioral patterns or shifts in traffic flow. Defenders are advised to move beyond signature-based detection and focus instead on anomaly-based monitoring, watching for deviations in network behavior that suggest scanning or probing is taking place.
