Detection: Windows Detect Network Scanner Behavior

Updated Date: 2025-01-09 ID: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 Author: Steven Dick Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.

1
2| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m 
3| `drop_dm_object_name(All_Traffic)` 
4| rex field=app ".*\\\(?<process_name>.*)$" 
5| where port_count > 10 OR dest_count > 10 
6| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name 
7| `security_content_ctime(firstTime)` 
8| `security_content_ctime(lastTime)` 
9| `windows_detect_network_scanner_behavior_filter`

Data Source

Name Platform Sourcetype Source
Sysmon EventID 3 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_detect_network_scanner_behavior_filter search *
windows_detect_network_scanner_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1595 Active Scanning Reconnaissance
T1595.001 Scanning IP Blocks Reconnaissance
T1595.002 Vulnerability Scanning Reconnaissance
Reconnaissance
DE.AE
CIS 13
Ember Bear
TeamTNT
APT28
APT29
APT41
Aquatic Panda
Dragonfly
Earth Lusca
Ember Bear
Magic Hound
Sandworm Team
TeamTNT
Volatile Cedar
Winter Vivern

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.

Known False Positives

Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

A process exhibiting network scanning behavior [$process_name$] was detected on $src$

Risk Object Risk Object Type Risk Score Threat Objects
user user 25 process_name
src system 25 process_name

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2