Masscan’s rapid port scanning behavior may indicate an adversary attempting to map network assets for potential exploitation. SOC teams should proactively hunt for this activity in Azure Sentinel to identify early signs of reconnaissance and potential lateral movement attempts.
YARA Rule
rule hacktool_multi_masscan
{
    meta:
        description = "masscan is a performant port scanner, it produces results similar to nmap"
        reference = "https://github.com/robertdavidgraham/masscan"
        author = "@mimeframe"
        id = "7eac2470-b3e3-530a-a123-594776eb1c77"
    strings:
        $a1 = "EHLO masscan" fullword wide ascii
        $a2 = "User-Agent: masscan/" wide ascii
        $a3 = "/etc/masscan/masscan.conf" fullword wide ascii
        $b1 = "nmap(%s): unsupported. This code will never do DNS lookups." wide ascii
        $b2 = "nmap(%s): unsupported, we do timing WAY different than nmap" wide ascii
        $b3 = "[hint] I've got some local priv escalation 0days that might work" wide ascii
        $b4 = "[hint] VMware on Macintosh doesn't support masscan" wide ascii
    condition:
        all of ($a*) or any of ($b*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
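To make the rule's logic concrete, the following is an added example (not part of the original rule, the page, or the yara project) that emulates the three string modifiers this rule relies on (ascii, wide as UTF-16LE, and fullword) and its condition `all of ($a*) or any of ($b*)` in plain Python, so the evaluation can be traced without installing libyara. The fullword check follows libyara's behaviour of using C `isalnum()` on the neighbouring byte (or neighbouring UTF-16LE code unit for wide strings), so an underscore does count as a delimiter. The three sample buffers are constructed for illustration and are not real binaries.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    """One YARA string with the subset of modifiers used by hacktool_multi_masscan."""
    name: str
    text: str
    wide: bool = True       # also search the UTF-16LE encoding
    ascii: bool = True      # search the plain ASCII encoding
    fullword: bool = False  # neighbours must not be alphanumeric


# The rule's strings, transcribed with their modifiers.
RULE_STRINGS = [
    Pattern("$a1", "EHLO masscan", fullword=True),
    Pattern("$a2", "User-Agent: masscan/"),
    Pattern("$a3", "/etc/masscan/masscan.conf", fullword=True),
    Pattern("$b1", "nmap(%s): unsupported. This code will never do DNS lookups."),
    Pattern("$b2", "nmap(%s): unsupported, we do timing WAY different than nmap"),
    Pattern("$b3", "[hint] I've got some local priv escalation 0days that might work"),
    Pattern("$b4", "[hint] VMware on Macintosh doesn't support masscan"),
]


def _is_alnum(b: int) -> bool:
    # libyara's fullword uses C isalnum(): ASCII letters and digits only (no underscore).
    return b < 128 and chr(b).isalnum()


def _fullword_at(buf: bytes, start: int, end: int, wide: bool) -> bool:
    """True if the match at [start, end) is delimited by non-alphanumeric neighbours."""
    if wide:
        # A neighbouring UTF-16LE code unit that is an ASCII letter/digit looks like XX 00.
        before = start >= 2 and buf[start - 1] == 0 and _is_alnum(buf[start - 2])
        after = end + 1 < len(buf) and buf[end + 1] == 0 and _is_alnum(buf[end])
    else:
        before = start >= 1 and _is_alnum(buf[start - 1])
        after = end < len(buf) and _is_alnum(buf[end])
    return not (before or after)


def matches(pattern: Pattern, buf: bytes) -> list[int]:
    """Offsets at which the pattern matches, honouring ascii/wide/fullword."""
    needles: list[tuple[bytes, bool]] = []
    if pattern.ascii:
        needles.append((pattern.text.encode("ascii"), False))
    if pattern.wide:
        needles.append((pattern.text.encode("utf-16-le"), True))
    hits: list[int] = []
    for needle, is_wide in needles:
        pos = buf.find(needle)
        while pos != -1:
            end = pos + len(needle)
            if not pattern.fullword or _fullword_at(buf, pos, end, is_wide):
                hits.append(pos)
            pos = buf.find(needle, pos + 1)
    return sorted(hits)


def evaluate(buf: bytes) -> tuple[bool, dict[str, int]]:
    """Emulate `all of ($a*) or any of ($b*)`; also return the match count per string."""
    counts = {p.name: len(matches(p, buf)) for p in RULE_STRINGS}
    all_a = all(counts[p.name] > 0 for p in RULE_STRINGS if p.name.startswith("$a"))
    any_b = any(counts[p.name] > 0 for p in RULE_STRINGS if p.name.startswith("$b"))
    return all_a or any_b, counts


# Constructed sample buffers (illustration only, not real masscan binaries).
# 1) All three $a strings present; $a1 stored as UTF-16LE, the others as ASCII.
SAMPLE_ALL_A = (
    b"\x00" * 4
    + "EHLO masscan".encode("utf-16-le") + b"\x00\x00"
    + b"User-Agent: masscan/1.0\r\n"
    + b"/etc/masscan/masscan.conf\x00"
)
# 2) Only one $b string present: enough on its own because of `any of ($b*)`.
SAMPLE_ONE_B = b"junk [hint] VMware on Macintosh doesn't support masscan\x00"
# 3) $a1 glued to a word character ("EHLO masscanner") fails fullword, so `all of ($a*)` fails.
SAMPLE_NOT_FULLWORD = (
    b"EHLO masscanner\x00"
    + b"User-Agent: masscan/\x00"
    + b"/etc/masscan/masscan.conf\x00"
)

if __name__ == "__main__":
    for label, buf in [("all_a", SAMPLE_ALL_A), ("one_b", SAMPLE_ONE_B),
                       ("not_fullword", SAMPLE_NOT_FULLWORD)]:
        hit, counts = evaluate(buf)
        print(f"{label}: {'MATCH' if hit else 'no match'} {counts}")
```

The third buffer is the case worth noticing when tuning: because `$a1` and `$a3` carry `fullword`, a sample that embeds the banner inside a longer token does not satisfy the `$a*` branch, and the rule then depends entirely on one of the `$b*` strings being present.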
Scenario: A system administrator is performing a scheduled network discovery using Masscan as part of a routine security assessment.
Filter/Exclusion: Check for the presence of a known administrative task or scheduled job (e.g., sudo masscan --input-file=ports.txt) or filter by source IP of the admin workstation.
Scenario: A Nmap scan is being run by a security team to validate firewall rules or assess internal network connectivity.
Filter/Exclusion: Filter by source IP of the security team’s internal scan server or check for the presence of a known scan job in the system’s task scheduler (e.g., a crontab entry or a Windows Task Scheduler task).
Scenario: A PortScan job is executed by a third-party monitoring tool to detect open ports for compliance purposes.
Filter/Exclusion: Use a filter based on the source IP of the monitoring tool or check for the presence of a specific tool identifier in the scan metadata.
Scenario: A CI/CD pipeline runs a port scan as part of a vulnerability assessment during a deployment.
Filter/Exclusion: Filter by the source IP of the CI/CD server or include a tag in the scan command (e.g., --tag=ci-cd) to identify legitimate scans.
Scenario: A network monitoring tool like Zabbix or SolarWinds performs a passive port scan to detect service availability.
Filter/Exclusion: Filter based on the source IP of the monitoring tool or check for the presence of a known monitoring tool in the system logs.
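The exclusions above share one shape: a scan alert is suppressed when its source is an inventoried scanner (admin workstation, scan server, monitoring tool, CI/CD runner) or carries a recognisable marker (scheduled job, `--tag=ci-cd`). The block below is an added example, not from the page or any vendor, that applies those exclusions to constructed alert records. The networks, hosts, command lines and the `launched_by_scheduler` field are all placeholders. One design choice is stricter than the text's "or": a marker alone (tag or scheduler launch) from an address that is not in the inventory is not suppressed, because a command-line tag can be copied by anyone; it is only reported with a more specific reason so an analyst knows why it was kept.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ScanAlert:
    host: str
    source_ip: str
    command_line: str
    launched_by_scheduler: bool  # constructed field: True when the parent was cron / Task Scheduler


# Constructed inventory of hosts that are expected to run port scans (placeholder ranges).
KNOWN_SOURCES = {
    "admin-workstation": [ip_network("10.0.10.0/24")],
    "security-scan-server": [ip_network("10.0.20.5/32")],
    "compliance-monitor": [ip_network("10.0.30.0/28")],
    "ci-cd-runner": [ip_network("10.0.40.0/24")],
}
CI_TAG = "--tag=ci-cd"  # the marker the CI/CD scenario above proposes


def source_role(ip: str) -> str | None:
    """Map a source address to its inventoried role, or None if unknown/unparseable."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return None
    for role, nets in KNOWN_SOURCES.items():
        if any(addr in net for net in nets):
            return role
    return None


def has_ci_tag(command_line: str) -> bool:
    """Token-wise check so that e.g. '--tag=ci-cd-old' is not accepted as the tag."""
    try:
        return CI_TAG in shlex.split(command_line)
    except ValueError:  # unbalanced quotes in a captured command line
        return False


def triage(alert: ScanAlert) -> str:
    """Return 'suppress:<role>' for an inventoried scanner, otherwise an 'investigate' verdict."""
    role = source_role(alert.source_ip)
    if role is not None:
        return f"suppress:{role}"
    if has_ci_tag(alert.command_line):
        return "investigate:ci-tag-from-unknown-source"
    if alert.launched_by_scheduler:
        return "investigate:scheduled-from-unknown-source"
    return "investigate"


# Constructed alerts covering the scenarios above plus two that must not be suppressed.
SAMPLE_ALERTS = [
    ScanAlert("admin01", "10.0.10.7", "sudo masscan --input-file=ports.txt", True),
    ScanAlert("runner03", "10.0.40.12", "masscan --input-file=ports.txt --tag=ci-cd", False),
    ScanAlert("ws-guest", "192.168.50.9", "masscan --input-file=ports.txt --tag=ci-cd", False),
    ScanAlert("ws-guest2", "192.168.50.10", "masscan --input-file=ports.txt", False),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(f"{alert.host:10} {alert.source_ip:15} -> {triage(alert)}")
```

The inventory is the weak point of every exclusion in this list: an allowlisted address only proves the scan came from a host that is supposed to scan, not that the host is still under the owner's control, so the suppressed verdicts are still worth counting and trending rather than discarding.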