Name:Windows Detect Network Scanner Behavior id:78e678d2-bf64-4fe6-aa52-2f7b11dddee7 version:1 date:2024-12-26 author:Steven Dick status:production type:Anomaly Description:The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. Data_source:
-Sysmon EventID 3
search:| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?<process_name>.*)$" | where port_count > 10 OR dest_count > 10 | stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_detect_network_scanner_behavior_filter`
how_to_implement:This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel. known_false_positives:Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed. References: -https://attack.mitre.org/techniques/T1595 drilldown_searches: name:'View the detection results for - "$src$" and "$user$"' search:'%original_detection_search% | search src = "$src$" user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src$" and "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Network Discovery' - 'Windows Discovery Techniques' asset_type:Endpoint confidence:50 impact:50 message:A process exhibiting network scanning behavior [$process_name$] was detected on $src$ mitre_attack_id: - 'T1595' - 'T1595.001' - 'T1595.002' observable: name:'src' type:'IP Address' - role: - 'Victim' name:'user' type:'User' - role: - 'Victim' name:'process_name' type:'Process' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - 'All_Traffic.dest_port' - 'host' - 'All_Traffic.app' - 'All_Traffic.src' - 'All_Traffic.src_ip' - 'All_Traffic.user' - '_time' risk_score:25 security_domain:network
