Active Scanning Reconnaissance Analysis: T1595 – Port Scan & Service Enumeration

by

SIEM Alert Details

Alert ID: SIEM-RECON-PORTSCAN-7842
Alert Time: 2024-02-01 08:22:15 EST
Severity: MEDIUM (65/100)
Source: Splunk Enterprise Security Correlation Rule
Rule: “Internal Port Scan Detected – Horizontal Sweep”
MITRE ATT&CK: T1595 – Active Scanning (Sub-technique T1595.001: Scanning IP Blocks)

Alert Details:

Correlation Rule: "Internal Port Scan - Multiple Hosts, Multiple Ports"
Time Window: 08:15 - 08:22 EST (7 minutes)

Source Host: 192.168.45.122 (Hostname: DEV-WS-089, User: jmartinez)
Target Range: 192.168.0.0/16 (entire internal network)
Scan Pattern:
- TCP SYN scan on ports: 22, 80, 443, 445, 3389, 3306, 5432, 8080, 8443
- UDP scan on ports: 53, 123, 161, 500
- Total packets: 124,567
- Unique targets hit: 4,823 hosts (out of ~6,500)

Detection Logic:
- Zeek (Bro) conn.log shows unusually high number of connections from single source
- Firewall logs (Palo Alto) show denied outbound connections from same source
- Suricata IDS signature: "ET SCAN Potential SSH Scan" fired 1,245 times
- Statistical anomaly: Source host typically generates <100 connections/hour; now >120,000 in 7 minutes

Additional Context:
- Source host is a developer workstation in Engineering department
- User jmartinez logged in at 08:00 EST (normal start time)
- No known pentesting activity scheduled for today
- No change management tickets for scanning tools

Correlated Events:

08:15:32 - First scan packet detected (Zeek)
08:16:45 - Suricata IDS alerts begin (SSH scan)
08:18:20 - Firewall logs show repeated denied outbound
08:20:10 - Destination hosts start responding with RST
08:22:00 - SIEM correlation rule thresholds exceeded
08:22:15 - Alert generated in Splunk

Threat Intelligence Context:

  • Scan pattern matches popular scanning tools: masscan, nmap
  • No known threat actor association yet; likely compromised host or unauthorized activity
  • Engineering department hosts often have elevated network access

SOC Investigation Process

Phase 1: Alert Validation & Initial Triage (08:22-08:40 EST)

Tools: Splunk ES, Palo Alto Firewall Logs, Zeek Logs, Active Directory

  1. Alert Verification:
  • Confirmed Splunk correlation via drill-down into raw logs
  • Verified source IP = DEV-WS-089 (Engineering)
  • Checked Zeek conn.log for connection counts:
    Source: 192.168.45.122 Destination count: 4,823 unique IPs Total connections: 124,567 Protocols: TCP (89%), UDP (11%)
  • Confirmed no pentest scheduled in change management system
  1. Immediate Actions:
  • Queried CrowdStrike Falcon for any alerts on source host (none)
  • Checked if user jmartinez is currently active (logged in since 08:00)
  • Notified Engineering manager of suspicious activity
  • Isolated host via network access control (Cisco ISE) to prevent further scanning
  1. Initial Assessment:
  • Host appears to be running a scanning tool (masscan/nmap)
  • No signs of compromise from EDR yet (no malware detections)
  • Could be intentional (user running scan) or malware-driven

Phase 2: Endpoint Forensics (08:40-09:45 EST)

Tools: CrowdStrike Falcon, Velociraptor, Windows Event Logs, Sysmon

  1. Process Analysis:
  • CrowdStrike Falcon process explorer revealed:
    Process: nmap.exe (PID: 7842) Path: C:\Users\jmartinez\Downloads\scanning-tools\nmap-7.94\nmap.exe Command Line: nmap -sS -p 22,80,443,445,3389,3306,5432,8080,8443 192.168.0.0/16 Parent: cmd.exe (PID: 7821) Parent Command: C:\Windows\System32\cmd.exe /k nmap_scan.bat
  • Found batch file: C:\Users\jmartinez\Desktop\nmap_scan.bat with exact scan command
  • User also had Wireshark and Masscan installed in Downloads folder
  1. User Activity Timeline:
  • 08:02 – User logged into workstation
  • 08:05 – Downloaded “network-assessment-tools.zip” from a personal cloud storage (not approved)
  • 08:08 – Extracted nmap, masscan, wireshark
  • 08:12 – Executed nmap_scan.bat
  • 08:22 – Scan detected; host isolated
  1. Malware Check:
  • Full memory scan via Velociraptor: no malicious code found
  • File hashes submitted to VirusTotal: clean (only known good tools)
  • No persistence mechanisms, no unusual registry changes
  1. Network Artifacts:
  • Firewall logs show all scanning traffic denied (internal segmentation blocked)
  • No successful connections to any internal host (all dropped)
  • No data exfiltration observed

Phase 3: Scope & Impact Assessment (09:45-10:30 EST)

Tools: Splunk ES, Tenable.io, ServiceNow CMDB

  1. Internal Network Impact:
  • Scanned hosts include critical servers (domain controllers, database servers)
  • No successful connections means no vulnerability data exfiltrated
  • However, scanning itself could have caused performance degradation on some older systems (none reported)
  1. Regulatory/Compliance Impact:
  • PCI DSS requirement 11.1: Unauthorized scanning could be violation
  • HIPAA: Scanned hosts contain ePHI (medical research servers)
  • Internal policy violation: User performed unauthorized security testing
  1. Business Impact:
  • Minimal: No data breach, no service disruption
  • Potential productivity loss if scanning caused network congestion (none observed)
  • Reputational: Internal incident only

Phase 4: User Interview & Root Cause (10:30-11:15 EST)

Tools: ServiceNow, Slack, Manager Meeting

  1. User Interview (with manager present):
  • User jmartinez admitted to running nmap scan
  • Reason: “I wanted to learn more about our network for a security presentation”
  • Unaware that scanning without authorization violates policy
  • Downloaded tools from personal cloud storage (not approved)
  • Did not inform SOC or IT beforehand
  1. Policy Violation Confirmation:
  • No authorized penetration testing request
  • No security awareness training on scanning policy (user had not completed)
  • Tools downloaded from unauthorized source (potential supply chain risk)
  1. Disciplinary Action:
  • Manager notified; HR will handle
  • User required to retake security awareness training
  • Temporary suspension of admin privileges pending review

Phase 5: Remediation & Prevention (11:15-12:30 EST)

Tools: CrowdStrike Falcon, Microsoft Intune, Group Policy, ServiceNow

  1. Host Remediation:
  • Removed unauthorized tools from workstation
  • Cleared batch files and downloads
  • Re-imaged workstation as precaution (though no compromise)
  • Re-enabled network access after cleanup
  1. Policy & Control Enhancements:
  • Updated endpoint protection policy to block execution of scanning tools (Application Control)
  • Implemented PowerShell logging to detect scanning activity earlier
  • Added SIEM correlation for “masscan” and “nmap” process names
  • Created automated response: if scanning detected, quarantine host and notify SOC
  1. User Education:
  • Sent department-wide email about scanning policy
  • Updated security awareness training to include scanning prohibition
  • Created internal “How to request authorized penetration testing” process

Phase 6: Detection Improvements (12:30-13:00 EST)

Tools: Splunk ES, Suricata, Zeek

  1. SIEM Rule Tuning:
  • Enhanced correlation rule to reduce false positives
  • Added whitelist for authorized scanning tools (e.g., approved vulnerability scanners)
  • Integrated with ServiceNow to check for authorized change tickets
  1. Network Detection:
  • Updated Suricata signatures to detect newer scanning tools
  • Enabled anomaly detection for scanning patterns in Zeek

Jira Incident Report

Ticket: SOC-2024-031
Summary: T1595 – Internal Active Scanning by Unauthorized User
Status: RESOLVED
Resolution: POLICY VIOLATION – No Malicious Intent
Priority: P3 – LOW (Actual impact) but escalated to P2 due to policy breach
Labels: T1595, active-scanning, reconnaissance, policy-violation, engineering
Components: Network-Security, User-Behavior, Policy-Enforcement

INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Splunk ES correlation rule (port scan detection) + Zeek logs.
  • Alert: “Internal Port Scan Detected – Horizontal Sweep”.
  • Source Host: DEV-WS-089 (Engineering) – User: jmartinez.
  • Time: 2024-02-01 08:22 EST (detected), scan started at 08:15 EST.
  • Technique: MITRE ATT&CK T1595.001 (Active Scanning) – unauthorized internal reconnaissance.

2. Technical Analysis:

  • Scan Details:
    • Tool Used: nmap.exe (version 7.94) downloaded from unauthorized source.
    • Command: nmap -sS -p 22,80,443,445,3389,3306,5432,8080,8443 192.168.0.0/16
    • Duration: 7 minutes (08:15-08:22)
    • Packets: 124,567
    • Targets: 4,823 internal hosts across all subnets
    • Protocols: TCP SYN scan, UDP scan on select ports
  • Endpoint Analysis:
    • Process: nmap.exe running from user’s Downloads folder
    • Parent Process: cmd.exe executed batch file from Desktop
    • File Hashes: nmap.exe (SHA256: 7a8b9c…), all clean (legitimate tool)
    • No Malware: No evidence of compromise; user-initiated activity
  • Network Impact:
    • All scan traffic blocked by firewall (inter-VLAN ACLs)
    • No successful connections to any internal host
    • No data exfiltration; no lateral movement

3. Investigation Findings:

  • Timeline Reconstruction: 08:02 - User logs in, starts workstation 08:05 - Downloads "network-assessment-tools.zip" from personal cloud 08:08 - Extracts tools, reviews nmap documentation 08:12 - Executes nmap_scan.bat 08:15 - Scan begins, triggers IDS signatures 08:22 - SIEM correlation alert triggers 08:25 - Host isolated via network access control 08:30 - User contacted by manager 08:45 - Investigation begins
  • User Intent: Non-malicious; user wanted to learn network security for a presentation. No malicious intent, but severe policy violation.
  • Policy Violations:
    • Unauthorized scanning of internal network (violates Acceptable Use Policy)
    • Downloading unapproved software (violates Software Asset Management policy)
    • Potential exposure of sensitive network topology (no actual data exfiltration)
  • Indicators of Compromise (IoCs):
    • Process: nmap.exe, masscan.exe (present on host)
    • Network: High connection count from single source
    • File: nmap_scan.bat on Desktop
    • Registry: N/A

4. Containment Actions:

  • Immediate Containment (08:22-08:30 EST):
    • Isolated host via Cisco ISE (network quarantine).
    • Blocked all outbound traffic from source IP at firewall.
    • Disabled user account temporarily.
  • Forensic Collection (08:30-09:45 EST):
    • Captured process list, network connections, file system artifacts via CrowdStrike.
    • Retrieved batch file and user download history.
    • Verified no malware via memory analysis.
  • Remediation (09:45-12:30 EST):
    • Removed unauthorized tools from workstation.
    • Re-imaged host as precaution.
    • Re-enabled network access after cleanup.

5. Root Cause Analysis:

  • Primary Cause: User’s lack of awareness about scanning policy, combined with unauthorized tool download.
  • Contributing Factors:
    1. Policy Gaps: No technical controls blocking execution of scanning tools.
    2. Training Deficiency: User had not completed security awareness training.
    3. Monitoring Gap: Scan was detected after 7 minutes; could be earlier.
    4. Network Segmentation: Firewalls prevented actual damage, but scanning still occurred.

6. Business Impact:

  • Operational Impact: Low; no service disruption.
  • Data Exposure: None.
  • Reputational Impact: Minimal (internal incident).
  • Compliance Impact: Potential PCI/HIPAA violation due to scanning of sensitive systems; mitigated by no data access.

7. Remediation & Prevention:

Completed Actions:

  • [x] Host cleaned and returned to service.
  • [x] User disciplined and re-trained.
  • [x] Unauthorized tools removed.

Technical Controls Enhanced:

  • [x] Deployed Application Control (CrowdStrike) to block nmap/masscan execution.
  • [x] Enhanced SIEM correlation for early detection of scanning tools.
  • [x] Enabled PowerShell logging to detect scanning script execution.
  • [x] Created automated response playbook for scanning incidents.

Process Improvements:

  • [x] Updated acceptable use policy to explicitly prohibit unauthorized scanning.
  • [x] Created internal process for requesting authorized security testing.
  • [x] Added scanning policy to new hire training.
  • [x] Communicated incident to all employees as learning opportunity.

8. Lessons Learned:

  • Detection Gap: Could have detected tool download earlier via DLP/endpoint alerts.
  • Prevention Gap: Need to block execution of known scanning tools on non-admin workstations.
  • User Awareness: Employees need clearer guidance on what constitutes unauthorized activity.
  • Network Segmentation: Worked well to prevent actual compromise; scanning was blocked.

9. Resolution Verification:

  • Technical Verification:
    • No further scanning activity from same host.
    • Application control blocking nmap execution.
    • SIEM rules updated and tested.
  • Process Verification:
    • User completed re-training.
    • Policy updated and communicated.

10. Conclusion:

This incident involved an employee conducting unauthorized internal network scanning using standard tools, driven by curiosity rather than malicious intent. While no actual damage occurred, the activity violated multiple policies and could have exposed network vulnerabilities if successful. The response focused on remediation, policy reinforcement, and technical controls to prevent recurrence.

Closure Rationale: Host remediated, user educated, controls enhanced. No evidence of compromise or malicious intent.

Follow-up Actions:

  1. Conduct department-wide security refresher (ETA: 1 week)
  2. Implement tool-blocking policy via AppLocker (ETA: 2 weeks)
  3. Review network segmentation for all sensitive subnets (ETA: 1 month)

Analyst: [Walter White ], SOC Analyst
Date: 2024-02-01 13:30 EST
Approval: SOC Manager
References: MITRE ATT&CK T1595, NIST SP 800-61 (Incident Handling), CIS Control 7.2

Leave a Comment