Windows Detect Network Scanner Behavior
The following analytic detects when a single application connects to a large number of unique ports or targets within a short time frame. Adversaries use network enumeration as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and the applications in active use; it is highly recommended to pre-populate the filter macro before enabling the rule.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | T1595.001 Active Scanning: Scanning IP Blocks, T1595.002 Active Scanning: Vulnerability Scanning |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT All_Traffic.dest_port IN (25, 3268, 389, 443, 53, 5353, 80, 8080, 8443, 88) All_Traffic.app="*\\*" All_Traffic.dest_port<32000 sourcetype="XmlWinEventLog" BY _time, All_Traffic.app, All_Traffic.src, All_Traffic.src_ip, All_Traffic.user, All_Traffic.vendor_product
Stage 2: search
search
Stage 3: rex
rex field=app ...
Stage 4: where
where (dest_count>10 OR port_count>10)
Stage 5: stats
stats BY user, app, process_name
Stage 6: search
search
Stage 7: search
search
Stage 8: search
search `macro`
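The stage pipeline above, carried through end to end as an added example in Python (not the page's or Splunk's own code) over constructed Sysmon Event ID 3 records: Stage 1's port exclusions, the `dest_port<32000` bound and the backslash-in-path requirement are applied as a filter, events are bucketed by user, app and time window, distinct destinations and ports are counted, Stage 4's `>10` threshold is applied, and a process name is cut from the app path as Stage 3's `rex` does. The five-minute bucket and the exact `rex` pattern are assumptions, since the page elides the span and the `rex` body; the sample records and the `sample_events` helper are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the rule's Stage 1 and Stage 4 predicates.
EXCLUDED_PORTS = {25, 3268, 389, 443, 53, 5353, 80, 8080, 8443, 88}
MAX_PORT = 32000        # All_Traffic.dest_port<32000 (ephemeral/high ports are ignored)
THRESHOLD = 10          # where (dest_count>10 OR port_count>10)
WINDOW_MINUTES = 5      # assumption: the page only says "short time frame"

# Assumption standing in for the elided Stage 3 rex: keep the text after the last backslash.
PROCESS_NAME_RE = re.compile(r".*\\(?P<process_name>[^\\]+)$")


def process_name(app):
    """Return the bare executable name from a Windows image path."""
    m = PROCESS_NAME_RE.match(app)
    return m.group("process_name") if m else app


def is_candidate(ev):
    """Stage 1 filter: Windows XML event, app carries a path, port in scope."""
    return (ev["sourcetype"] == "XmlWinEventLog"
            and "\\" in ev["app"]                      # All_Traffic.app="*\\*"
            and ev["dest_port"] not in EXCLUDED_PORTS  # NOT dest_port IN (...)
            and ev["dest_port"] < MAX_PORT)


def window_start(t, minutes=WINDOW_MINUTES):
    """Floor a timestamp to the start of its bucket (the BY _time span)."""
    t = t.replace(second=0, microsecond=0)
    return t - timedelta(minutes=t.minute % minutes)


def detect(events, threshold=THRESHOLD):
    """Return one alert dict per (user, app, window) whose distinct
    destination or port count exceeds the threshold."""
    buckets = defaultdict(lambda: {"dests": set(), "ports": set()})
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev["user"], ev["app"], window_start(ev["_time"]))
        buckets[key]["dests"].add(ev["dest"])
        buckets[key]["ports"].add(ev["dest_port"])
    alerts = []
    for (user, app, start), b in sorted(buckets.items()):
        dest_count, port_count = len(b["dests"]), len(b["ports"])
        if dest_count > threshold or port_count > threshold:   # Stage 4
            alerts.append({"user": user, "app": app, "process_name": process_name(app),
                           "window_start": start,
                           "dest_count": dest_count, "port_count": port_count})
    return alerts


def sample_events():
    """Constructed Sysmon Event ID 3 records (sourcetype XmlWinEventLog); not real data."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = []

    def add(user, app, dest, port, offset_s):
        ev.append({"_time": t0 + timedelta(seconds=offset_s), "sourcetype": "XmlWinEventLog",
                   "user": user, "app": app, "dest": dest, "dest_port": port})

    # 1) one process probing 12 service ports on a single host in 12 s -> port_count 12
    for i, port in enumerate([21, 22, 23, 110, 135, 139, 445, 1433, 3306, 3389, 5900, 8000]):
        add("CORP\\alice", "C:\\Tools\\portscan.exe", "10.0.0.5", port, i)
    add("CORP\\alice", "C:\\Tools\\portscan.exe", "10.0.0.5", 50000, 13)   # >= 32000, dropped
    # 2) browser reaching 15 hosts on 443 -> every event removed by the port exclusion list
    for i in range(15):
        add("CORP\\carol", "C:\\Program Files\\Browser\\browser.exe", f"203.0.113.{i + 1}", 443, i)
    # 3) backup agent reaching 12 file servers on 445 -> dest_count 12; a filter-macro candidate
    for i in range(12):
        add("CORP\\bob", "C:\\Program Files\\Backup\\backup.exe", f"10.1.0.{i + 1}", 445, i * 2)
    # 4) the scanner again ten minutes later with 3 ports -> separate bucket, below threshold
    for i, port in enumerate([22, 80, 8080]):
        add("CORP\\alice", "C:\\Tools\\portscan.exe", "10.0.0.6", port, 600 + i)
    return ev


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a['window_start']:%H:%M} {a['user']} {a['process_name']}: "
              f"dest_count={a['dest_count']} port_count={a['port_count']}")
```

Running it yields two alerts: `portscan.exe` on the port count and `backup.exe` on the destination count. The second is exactly the kind of legitimate fan-out the page warns about, which is why the rule's final `search \`macro\`` stage exists: the filter macro is where known backup, monitoring and inventory agents are removed before the alert reaches an analyst.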
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | DestinationPort | in | 25, 3268, 389, 443, 53, 5353, 80, 8080, 8443, 88 |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank cell or a count of 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| All_Traffic.app | eq | `*\\*` |
| All_Traffic.dest_port | lt | 32000 |
| dest_count | gt | 10 |
| port_count | gt | 10 |
| sourcetype | eq | XmlWinEventLog |