T1046 – Network Service Discovery (ExtraHop Detection)

ExtraHop Alert Details
Alert ID: EXTRAHOP-SERVICE-SCAN-1046-7842
Alert Time: 2024-02-24 11:30:22 EST
Severity: MEDIUM (72/100)
Source: ExtraHop Reveal(x)
Rule: “Internal Port Scan – Horizontal Movement Detected”
MITRE ATT&CK: T1046 – Network Service Discovery

Alert Details:

Detection: Horizontal port scan originating from internal host

Source Host: 192.168.45.78 (DEV-WS-045 – Engineering)
Time Window: 11:15-11:30 EST
Scan Pattern: TCP SYN scan across multiple subnets

Scan Details:

Target Range: 192.168.0.0/16 (entire internal network)
Ports Scanned: 22 (SSH), 80 (HTTP), 443 (HTTPS), 445 (SMB), 3389 (RDP), 3306 (MySQL), 5432 (PostgreSQL), 8080 (HTTP-Alt), 8443 (HTTPS-Alt)
Total Packets: 12,847
Unique Targets: 847 hosts
Successful Connections: 124 hosts (responded to scan)

Discovered Services:

SSH (22): 47 hosts (including 12 Linux servers)
SMB (445): 89 hosts (file servers, workstations)
RDP (3389): 34 hosts (potential lateral movement targets)
MySQL (3306): 12 hosts (database servers)
PostgreSQL (5432): 8 hosts
HTTP/HTTPS: 56 hosts

Detection Logic:

12,847 SYN packets in 15 minutes (anomalous for this host)
Sequential scanning pattern (nmap/masscan)
Host DEV-WS-045 normally generates minimal network traffic
Process: cmd.exe launching nmap (from EDR logs)
Pattern matches adversary lateral movement preparation
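The detection logic above boils down to three signals: an unusually high count of bare SYNs from one source inside a short window, fan-out to many distinct destination hosts, and (as corroboration) targets visited in address order. The following is an added example of that logic implemented over flow records; it is not ExtraHop's code. It assumes flows as dicts with keys src, dst, dport, flags ("S" meaning SYN without ACK) and ts (epoch seconds), and the thresholds and sample flows are constructed for illustration, not ExtraHop's tuning.

```python
"""Horizontal port-scan detector over TCP SYN flow records (added example)."""
from collections import Counter, defaultdict
import ipaddress

# Assumed thresholds chosen for this example, not ExtraHop's tuning.
WINDOW_SECONDS = 15 * 60
MIN_UNIQUE_TARGETS = 100
MIN_SYN_PACKETS = 1000


def sequential_ratio(dsts):
    """Share of consecutive distinct targets whose address increases by exactly 1.
    Some scanners walk a range in order, others randomise host order, so this is
    corroborating evidence for the analyst rather than the alert trigger."""
    ordered = list(dict.fromkeys(dsts))  # first-seen order, duplicates removed
    if len(ordered) < 2:
        return 0.0
    ints = [int(ipaddress.ip_address(d)) for d in ordered]
    steps = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    return steps / (len(ints) - 1)


def detect_horizontal_scans(flows, min_targets=MIN_UNIQUE_TARGETS,
                            min_syns=MIN_SYN_PACKETS, window=WINDOW_SECONDS):
    """Return {src_ip: summary} for sources whose bare-SYN fan-out inside one
    sliding window reaches both thresholds (many SYNs to many distinct hosts)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["flags"] == "S":  # SYN without ACK: new connection attempt or probe
            by_src[f["src"]].append(f)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        targets, ports = Counter(), Counter()
        start = 0
        for end, rec in enumerate(recs):
            targets[rec["dst"]] += 1
            ports[rec["dport"]] += 1
            # Slide the window: drop records older than `window` seconds.
            while rec["ts"] - recs[start]["ts"] > window:
                old = recs[start]
                for counter, key in ((targets, old["dst"]), (ports, old["dport"])):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
                start += 1
            syns = end - start + 1
            if syns >= min_syns and len(targets) >= min_targets:
                window_recs = recs[start:end + 1]
                findings[src] = {
                    "syn_packets": syns,
                    "unique_targets": len(targets),
                    "ports": sorted(ports),
                    "sequential_ratio": sequential_ratio(r["dst"] for r in window_recs),
                    "window": (recs[start]["ts"], rec["ts"]),
                }
                break  # first qualifying window is enough to raise one alert
    return findings


def build_sample_flows():
    """Constructed sample: one workstation sweeping 150 hosts on the 9 ports from
    the alert (one SYN every 0.5 s), plus a quiet host making a few connections."""
    ports = [22, 80, 443, 445, 3389, 3306, 5432, 8080, 8443]
    base = 1_708_792_500  # arbitrary epoch start
    flows = []
    n = 0
    for host in range(1, 151):
        for p in ports:
            flows.append({"src": "192.168.45.78", "dst": f"192.168.10.{host}",
                          "dport": p, "flags": "S", "ts": base + 0.5 * n})
            n += 1
    for i in range(5):
        flows.append({"src": "192.168.45.10", "dst": "192.168.1.5",
                      "dport": 443, "flags": "S", "ts": base + 60 * i})
    return flows


if __name__ == "__main__":
    for src, summary in detect_horizontal_scans(build_sample_flows()).items():
        print(src, summary)
```

The alert fires on the first window in which both thresholds are met, which is why the reported SYN count equals the threshold rather than the full 12,847 of the real scan; the full count is something the console aggregates afterwards. Counting only bare SYNs keeps busy but legitimate hosts (web proxies, backup servers) from tripping the fan-out threshold on their established traffic.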

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify ExtraHop alert | ExtraHop Console | Confirmed internal port scan |
| 2. Process Investigation | Identify scanning process | CrowdStrike Falcon | nmap.exe running from user’s Downloads folder |
| 3. User Interview | Contact dev user | Teams, Phone | User claims “security research” – unauthorized |
| 4. Immediate Action | Isolate host | CrowdStrike | DEV-WS-045 quarantined |
| 5. Tool Removal | Delete nmap | CrowdStrike Live Response | nmap.exe and scan results removed |
| 6. User Remediation | User counseling | Manager, HR | Policy violation documented |

Jira Incident Report
Ticket: SOC-2024-123
Summary: T1046 – Internal Network Service Scan from Engineering Workstation
Status: RESOLVED
Resolution: POLICY VIOLATION – Unauthorized Scanning
Priority: P3 – LOW
Labels: T1046, service-discovery, port-scan, extrahop, policy-violation
Components: Network-Security, User-Behavior

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: ExtraHop Reveal(x).
Alert: “Internal Port Scan – Horizontal Movement Detected”.
Source Host: DEV-WS-045 (Engineering Department, IP 192.168.45.78).
Time: 2024-02-24 11:30 EST.
Technique: MITRE ATT&CK T1046 – Network Service Discovery.

2. Technical Analysis:

Scan Details:

Tool: nmap.exe (version 7.94)
Command: nmap -sS -p 22,80,443,445,3389,3306,5432,8080,8443 192.168.0.0/16
Duration: 15 minutes
Packets: 12,847
Targets: 847 hosts
Successes: 124 responsive hosts

Discovered Services:

SSH (22): 47 hosts (including 12 Linux servers)
SMB (445): 89 hosts (file servers, workstations)
RDP (3389): 34 hosts (potential lateral movement targets)
MySQL (3306): 12 hosts (database servers)
PostgreSQL (5432): 8 hosts
HTTP/HTTPS: 56 hosts

User Intent:

User claimed “researching network security for a presentation”
No malicious intent identified
No authorization obtained for scanning
Scan results saved to C:\Users\devuser\Desktop\scan_results.txt

Policy Violation:

Unauthorized network scanning (violates Acceptable Use Policy)
Use of prohibited tools (nmap)
Discovery of internal services could aid attackers

3. Investigation Findings:

Timeline:

11:15-11:30 – Scan performed
11:30 – ExtraHop alert
11:32 – SOC investigates
11:35 – Host isolated
11:38 – nmap identified and removed
11:40 – User interview

Indicators of Compromise (IoCs):

Files:

– C:\Users\devuser\Downloads\nmap-7.94-setup.exe
– C:\Program Files (x86)\Nmap\nmap.exe
– C:\Users\devuser\Desktop\scan_results.txt

Network:

– Scan pattern to ports 22,80,443,445,3389,3306,5432,8080,8443

4. Containment Actions:

Immediate Actions:

Isolated DEV-WS-045 via CrowdStrike.
Removed nmap and scan results.
No further action needed (non-malicious).

User Remediation:

User counseled on policy violation.
Required to complete security training.
Documentation sent to manager.

Network Impact:

Scan caused no service disruption.
Discovered services documented for security team.

5. Root Cause Analysis:

Primary Cause: User conducted unauthorized network scanning.
Contributing Factors:
No application control blocking nmap.
User unaware of scanning policy.
Curiosity about network security.

6. Business Impact:

Operational Impact: None.
Security Impact: Internal service inventory exposed to user (already had access).
Policy Impact: Policy violation documented.

7. Remediation & Prevention:

Completed Actions:

nmap removed.
User educated.
Policy reinforced.

Technical Controls Enhanced:

Created alert for nmap execution.
Enhanced network scanning detection.
Blocked nmap via application control.
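The "alert for nmap execution" control above is an EDR process-event rule. The following is an added example of such a rule, not CrowdStrike's or this SOC's actual logic. It assumes process events as dicts with host, user, parent_image, image and cmdline; the scanner image list, the user-writable path list and the hypothetical approved-scanner host SEC-SCAN-01 are assumptions for the example, and the sample events are constructed. It goes a step beyond the page by also matching on scanner-style command lines, so that a renamed binary still raises the alert.

```python
"""EDR process-event rule for scanner execution (added example)."""
import ntpath
import re

# Assumed lists for this example; a real deployment maintains these in the EDR.
SCANNER_IMAGES = {"nmap.exe", "masscan.exe"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\desktop\\")
AUTHORIZED_SCAN_HOSTS = {"SEC-SCAN-01"}  # hypothetical approved vulnerability scanner

# nmap-style scan flags (-sS/-sT/-sU/-sA/-sN, -Pn, -p <ports>) and a CIDR target.
SCAN_FLAG_RE = re.compile(r"(?:^|\s)-(?:s[STUAN]|Pn|p\s*\d)")
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
PORTS_RE = re.compile(r"(?:^|\s)-p\s*([\d,\-]+)")


def evaluate_process_event(event):
    """Return an alert dict for scanner-like process events, else None."""
    image_name = ntpath.basename(event["image"]).lower()
    cmdline = event.get("cmdline", "")
    reasons = []
    if image_name in SCANNER_IMAGES:
        reasons.append(f"known scanner image {image_name}")
    if SCAN_FLAG_RE.search(cmdline) and CIDR_RE.search(cmdline):
        # Catches a renamed binary: the command line still looks like a scan.
        reasons.append("scanner-style command line (scan flags + CIDR target)")
    if not reasons:
        return None

    severity = "MEDIUM"
    if any(p in event["image"].lower() for p in USER_WRITABLE):
        reasons.append("binary executed from user-writable path")
        severity = "HIGH"
    if event["host"] in AUTHORIZED_SCAN_HOSTS:
        reasons.append("host is an approved scanner")
        severity = "INFO"  # still logged, so approved scans stay auditable

    cidr = CIDR_RE.search(cmdline)
    ports = PORTS_RE.search(cmdline)
    return {
        "host": event["host"],
        "user": event["user"],
        "parent": ntpath.basename(event.get("parent_image", "")).lower(),
        "severity": severity,
        "reasons": reasons,
        "target_range": cidr.group(1) if cidr else None,
        "ports": ports.group(1).split(",") if ports else [],
    }


def run_rule(events):
    """Evaluate every event and return only the ones that produced an alert."""
    return [a for a in (evaluate_process_event(e) for e in events) if a]


# Constructed sample events, modelled on the incident above plus edge cases.
SAMPLE_EVENTS = [
    {"host": "DEV-WS-045", "user": "devuser", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\devuser\Downloads\nmap.exe",
     "cmdline": "nmap -sS -p 22,80,443,445,3389,3306,5432,8080,8443 192.168.0.0/16"},
    {"host": "SEC-SCAN-01", "user": "svc_vulnscan", "parent_image": r"C:\Scanner\agent.exe",
     "image": r"C:\Program Files (x86)\Nmap\nmap.exe",
     "cmdline": "nmap -sS -p 22,445 192.168.45.0/24"},
    {"host": "DEV-WS-046", "user": "alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    {"host": "DEV-WS-047", "user": "bob", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe -sS -p 445 10.0.0.0/8"},
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["target_range"], alert["reasons"])
```

Keeping approved scanner hosts at INFO rather than suppressing them entirely means an attacker who lands on the scanner host still leaves a record, and the extracted target range and port list give the analyst the same facts the Jira ticket above records (command, range, ports) without opening the workstation.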

8. Conclusion:

An engineer conducted unauthorized network scanning using nmap, discovering 124 internal hosts and their services. ExtraHop detected the scan pattern, enabling identification and removal of the tool. The activity was a policy violation, not malicious.

Closure Rationale: nmap removed; user educated; policy violation documented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-24 12:30 EST