| ID | Technique | Tactic |
|---|---|---|
| T1595.001 | Scanning IP Blocks | Reconnaissance |
| T1595.002 | Vulnerability Scanning | Reconnaissance |
Detection: Windows Detect Network Scanner Behavior
Description
The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
Search
1
2| tstats `security_content_summariesonly` count values(All_Traffic.action) as action values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dvc) as dvc values(All_Traffic.direction) as direction values(All_Traffic.protocol) as protocol values(All_Traffic.protocol_version) as protocol_version values(All_Traffic.src_port) as src_port values(All_Traffic.transport) as transport dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by All_Traffic.app All_Traffic.src All_Traffic.src_ip All_Traffic.user All_Traffic.vendor_product _time span=5m
3| `drop_dm_object_name(All_Traffic)`
4| rex field=app ".*\\\(?<process_name>.*)$"
5| where port_count > 10 OR dest_count > 10
6| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by user,app,process_name
7| `security_content_ctime(firstTime)`
8| `security_content_ctime(lastTime)`
9| `windows_detect_network_scanner_behavior_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 3 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_summariesonly | summariesonly=summariesonly_config allow_old_summaries=oldsummaries_config fillnull_value=fillnull_config`` |
| windows_detect_network_scanner_behavior_filter | search * |
windows_detect_network_scanner_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
reconnaissance
DE.AE
CIS 13
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.
Implementation
This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
Known False Positives
Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| A process exhibiting network scanning behavior [$process_name$] was detected on $src$ | user | user | 20 |
| A process exhibiting network scanning behavior [$process_name$] was detected on $src$ | src | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| process_name | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 9