Attack technique
Technique name: Network Discovery - Port Scan And IP Scan
MITRE ATT&CK
- Tactic: Discovery
- Technique: Network Service Discovery (T1046)
Technique description
Network enumeration is a critical phase in cybersecurity where attackers actively gather information about a target network to identify vulnerabilities and potential entry points. It involves various methods such as scanning, OS fingerprinting, and service discovery to comprehensively map out network topology and infrastructure. By systematically probing network devices, services, and configurations, attackers aim to gather crucial intelligence that could facilitate unauthorized access, data exfiltration, or disruption of services.
Threat hunting theses breakdown
Network Enumeration
Relevant data sources: EDR logs
Thesis explanation
The thesis flags as suspicious a single source IP address that communicates with more than 30 distinct destination IPs on a subset of the critical ports (3389, 445, 135, 139, 22, 4444, 23, 5900, 1433, 9443) within a one-hour window.
Blind spots
- Low and slow network scans spread over a long time period.
- Scans that touch fewer than three unique ports.
- Scans that target fewer than 30 IP addresses.
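The following is an added example, not part of the original thesis page: the thesis logic and its blind spots expressed in Python over constructed EDR-style connection records. It slides a one-hour window per source IP, counts distinct destinations and distinct watched ports, and flags a source once it exceeds 30 destinations on at least three ports (the three-port minimum is inferred from the blind spots above). It also pulls out accepted connections on 22, 3389 and 445 for triage. The log line format, process names, IP ranges and the `ACCEPT`/`DENY` result field are all assumptions made for the sample.

```python
"""Hunt for port/IP scans in EDR network-connection telemetry (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports named by the thesis.
WATCHED_PORTS = {3389, 445, 135, 139, 22, 4444, 23, 5900, 1433, 9443}
# Thresholds: "over 30" destinations, one-hour window; three unique ports is
# inferred from the blind spots (assumption).
MIN_DEST_IPS = 31
MIN_UNIQUE_PORTS = 3
WINDOW = timedelta(hours=1)
# Ports whose accepted connections the investigation flow prioritises.
LATERAL_MOVEMENT_PORTS = {22, 3389, 445}


def parse_event(line):
    """Constructed record format (assumption):
    '<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ACCEPT|DENY> <process>'"""
    ts, src, dst, port, result, proc = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "result": result, "process": proc}


def find_scanners(events):
    """Return {src_ip: details} for every source that, within any one-hour
    window, reached MIN_DEST_IPS distinct hosts on MIN_UNIQUE_PORTS watched ports."""
    by_src = defaultdict(list)
    for e in events:
        if e["port"] in WATCHED_PORTS:          # ignore traffic on unwatched ports
            by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        dests, ports, lo = Counter(), Counter(), 0
        for hi, e in enumerate(evs):
            dests[e["dst"]] += 1
            ports[e["port"]] += 1
            # Drop events that fell out of the trailing one-hour window.
            while e["ts"] - evs[lo]["ts"] >= WINDOW:
                old = evs[lo]
                for counter, key in ((dests, old["dst"]), (ports, old["port"])):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
                lo += 1
            if len(dests) >= MIN_DEST_IPS and len(ports) >= MIN_UNIQUE_PORTS:
                hits[src] = {
                    "window_start": evs[lo]["ts"],
                    "dest_count": len(dests),
                    "ports": sorted(ports),
                    "processes": sorted({x["process"] for x in evs[lo:hi + 1]}),
                }
                break                           # one hit per source is enough
    return hits


def prioritized_accepts(events, src):
    """Accepted SSH/RDP/SMB connections from a flagged source: triage these first."""
    return sorted((e["dst"], e["port"]) for e in events
                  if e["src"] == src and e["result"] == "ACCEPT"
                  and e["port"] in LATERAL_MOVEMENT_PORTS)


def build_sample_events():
    """Constructed telemetry (not real data): one fast scan plus two blind-spot cases."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    lines, n = [], 0
    # Fast scan: 35 hosts x 3 ports in about 10 minutes, two connections accepted.
    for host in range(1, 36):
        for port in (22, 445, 3389):
            ts = base + timedelta(seconds=6 * n)
            n += 1
            result = "ACCEPT" if (host, port) in {(7, 445), (9, 3389)} else "DENY"
            lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.1.{host} {port} {result} scanner.exe")
    # Blind spot 1, low and slow: 40 hosts x 3 ports, one probe every 3 minutes.
    n = 0
    for host in range(1, 41):
        for port in (22, 445, 3389):
            ts = base + timedelta(minutes=3 * n)
            n += 1
            lines.append(f"{ts.isoformat()} 10.0.0.9 10.0.2.{host} {port} DENY svchost.exe")
    # Blind spot 2, single port: 40 hosts on 445 only within a few minutes.
    for host in range(1, 41):
        ts = base + timedelta(seconds=5 * host)
        lines.append(f"{ts.isoformat()} 10.0.0.12 10.0.3.{host} 445 DENY backup.exe")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    sample = build_sample_events()
    for src, info in find_scanners(sample).items():
        print(f"{src}: {info['dest_count']} hosts on ports {info['ports']} "
              f"from {info['window_start']} via {info['processes']}")
        print("  accepted on SSH/RDP/SMB:", prioritized_accepts(sample, src))
```

Running the sample flags only `10.0.0.5`: the slow scanner never reaches 30 hosts inside any single hour and the single-port scanner never reaches three ports, which is exactly what the blind spots list predicts. Tuning `WINDOW` or `MIN_UNIQUE_PORTS` trades those blind spots against noise from legitimate tools such as vulnerability scanners and backup agents.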
Recommended investigation flow
- Investigate the initiating process
  - File reputation
    - Is the hash clean on VirusTotal?
    - Is the file signed by a trustworthy company?
    - Was the file written to disk shortly before this activity took place?
    - Is the file prevalent in the organization? Does it appear on a large number of machines?
  - Does the activity happen repeatedly? Repetitive actions may suggest authorized scanning activity.
- Investigate the user that executed the process
  - Is the user IT or security personnel?
- Find whether the network requests made by the attacker succeeded (accepted or denied)
  - If requests to ports 22, 3389 or 445 were accepted, prioritize investigating them. These ports belong to SSH, RDP and SMB, essential services that attackers frequently target for lateral movement within networks.
- Check which services are running on the target machines and whether they are updated and patched.
- Verify whether there are indications that the attacker used the source IP address to gain unauthorized access to another machine.