Potential Subnet Scanning Activity from Compromised Host

  1[metadata]
  2creation_date = "2025/03/04"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/09/02"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects potential subnet scanning activity from a compromised host. Subnet scanning is a common reconnaissance
 11technique used by attackers to identify live hosts within a network range. A compromised host may exhibit subnet
 12scanning behavior when an attacker is attempting to map out the network topology, identify vulnerable hosts, or prepare
 13for further exploitation. This rule identifies potential subnet scanning activity by monitoring network connection
 14attempts from a single host to a large number of hosts within a short time frame. ESQL rules have limited fields
 15available in its alert documents. Make sure to review the original documents to aid in the investigation of this alert.
 16"""
 17from = "now-61m"
 18interval = "1h"
 19language = "esql"
 20license = "Elastic License v2"
 21name = "Potential Subnet Scanning Activity from Compromised Host"
 22note = """ ## Triage and analysis
 23
 24> **Disclaimer**:
 25> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 26
 27### Investigating Potential Subnet Scanning Activity from Compromised Host
 28
 29Subnet scanning is a reconnaissance method used by attackers to map network topology and identify active hosts. Adversaries exploit compromised hosts to perform these scans, seeking vulnerabilities for further attacks. The detection rule identifies such activity by monitoring Linux hosts for numerous connection attempts to different IPs within a short period, indicating potential scanning behavior. This helps in early detection and mitigation of network threats.
 30
 31### Possible investigation steps
 32
 33- Review the process executable identified in the alert to determine if it is a known or legitimate application that should be making network connections.
 34- Examine the destination IP addresses to identify any patterns or known malicious IPs, and check if these IPs are part of the organization's network or external.
 35- Investigate the specific host (using the agent.id) to assess if there are any signs of compromise, such as unusual processes or unauthorized access.
 36- Correlate the event timestamp with other logs or alerts to identify any concurrent suspicious activities or anomalies on the host.
 37- Check for any recent changes or updates on the host that might explain the scanning behavior, such as new software installations or configuration changes.
 38
 39### False positive analysis
 40
 41- High-volume legitimate network monitoring tools may trigger the rule. Identify and exclude these tools by adding their process executables to an exception list.
 42- Automated backup systems that connect to multiple hosts within a short timeframe can be mistaken for scanning activity. Review and exclude these systems by their process executable or agent ID.
 43- Security software performing routine network health checks might generate false positives. Verify these activities and create exceptions based on the specific process executable involved.
 44- Internal IT scripts or administrative tasks that involve connecting to numerous hosts for maintenance purposes can trigger alerts. Document these tasks and exclude them by process executable or agent ID.
 45- Cloud-based services or applications that require frequent connections to various hosts for functionality may appear as scanning. Identify these services and exclude them by their process executable or agent ID.
 46
 47### Response and remediation
 48
 49- Isolate the compromised host immediately from the network to prevent further scanning and potential lateral movement by the attacker.
 50- Terminate any suspicious processes identified by the executable name in the alert to stop ongoing scanning activities.
 51- Conduct a thorough examination of the compromised host to identify and remove any malware or unauthorized access tools that may have been installed.
 52- Reset credentials and review access permissions for the compromised host to ensure no unauthorized access persists.
 53- Update and patch the compromised host and any other vulnerable systems identified during the investigation to close security gaps.
 54- Monitor network traffic closely for any signs of continued scanning or other suspicious activities from other hosts, indicating potential further compromise.
 55- Escalate the incident to the security operations center (SOC) or incident response team for a comprehensive investigation and to determine if additional hosts are affected.
 56"""
 57risk_score = 21
 58rule_id = "860f2a03-a1cf-48d6-a674-c6d62ae608a1"
 59setup = """## Setup
 60
 61This rule requires data coming in from Elastic Defend.
 62
 63### Elastic Defend Integration Setup
 64Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 65
 66#### Prerequisite Requirements:
 67- Fleet is required for Elastic Defend.
 68- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 69
 70#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 71- Go to the Kibana home page and click "Add integrations".
 72- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 73- Click "Add Elastic Defend".
 74- Configure the integration name and optionally add a description.
 75- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 76- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 77- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 78- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 79For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 80- Click "Save and Continue".
 81- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 82For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 83"""
 84severity = "low"
 85tags = [
 86    "Domain: Endpoint",
 87    "OS: Linux",
 88    "Use Case: Threat Detection",
 89    "Tactic: Discovery",
 90    "Data Source: Elastic Defend",
 91    "Resources: Investigation Guide",
 92]
 93timestamp_override = "event.ingested"
 94type = "esql"
 95query = '''
 96from logs-endpoint.events.network-*
 97| keep @timestamp, host.os.type, event.type, event.action, process.executable, destination.ip, agent.id, host.name
 98| where
 99    @timestamp > now() - 1 hours and
100    host.os.type == "linux" and
101    event.type == "start" and
102    event.action == "connection_attempted" and
103    not (
104      process.executable in ("/usr/local/bin/prometheus", "/app/extra/chrome") or
105      process.executable like "/usr/local/prometheus/*/prometheus" or
106      process.executable like "/usr/share/elastic-agent/*" or
107      process.executable like "/var/lib/docker/overlay*connectord" or
108      process.executable like "/opt/rumble/bin/rumble-agent*" or
109      process.executable like "/opt/gitlab/*" or
110      process.executable like "/opt/google/chrome/chrome*"
111    )
112| stats
113    Esql.event_count = count(),
114    Esql.destination_ip_count_distinct = count_distinct(destination.ip),
115    Esql.agent_id_count_distinct = count_distinct(agent.id),
116    Esql.host_name_values = values(host.name),
117    Esql.agent_id_values = values(agent.id)
118  by process.executable
119| where
120    Esql.agent_id_count_distinct == 1 and
121    Esql.destination_ip_count_distinct > 250
122| sort Esql.event_count asc
123| limit 100
124'''
125
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128
129[[rule.threat.technique]]
130id = "T1046"
131name = "Network Service Discovery"
132reference = "https://attack.mitre.org/techniques/T1046/"
133
134[rule.threat.tactic]
135id = "TA0007"
136name = "Discovery"
137reference = "https://attack.mitre.org/tactics/TA0007/"