Potential SYN-Based Port Scan Detected

  1[metadata]
  2creation_date = "2023/05/17"
  3integration = ["endpoint", "network_traffic", "panw"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a
 11target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this
 12method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch
 13targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading
 14to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts
 15from one source host to 10 or more destination ports using 2 or less packets per port.
 16"""
 17from = "now-9m"
 18index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
 19language = "kuery"
 20license = "Elastic License v2"
 21max_signals = 5
 22name = "Potential SYN-Based Port Scan Detected"
 23risk_score = 21
 24rule_id = "bbaa96b9-f36c-4898-ace2-581acb00a409"
 25severity = "low"
 26tags = [
 27    "Domain: Network",
 28    "Tactic: Discovery",
 29    "Tactic: Reconnaissance",
 30    "Use Case: Network Security Monitoring",
 31    "Data Source: Elastic Defend",
 32    "Data Source: PAN-OS",
 33    "Resources: Investigation Guide"
 34]
 35timestamp_override = "event.ingested"
 36type = "threshold"
 37
 38query = '''
 39destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
 40'''
 41note = """## Triage and analysis
 42
 43> **Disclaimer**:
 44> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 45
 46### Investigating Potential SYN-Based Port Scan Detected
 47
 48SYN-based port scanning is a reconnaissance technique where attackers send SYN packets to multiple ports to identify open services. This method helps adversaries map network vulnerabilities for potential exploitation. The detection rule identifies such scans by flagging connection attempts from internal IPs to multiple ports with minimal packet exchange, indicating a low-risk reconnaissance activity.
 49
 50### Possible investigation steps
 51
 52- Review the source IP address involved in the alert to determine if it belongs to a known or authorized device within the network. Check for any recent changes or unusual activity associated with this IP.
 53- Analyze the destination ports targeted by the scan to identify any patterns or specific services that may be of interest to the attacker. Determine if these ports are associated with critical or vulnerable services.
 54- Examine historical logs to identify any previous scanning activity from the same source IP or similar patterns of behavior. This can help establish whether the activity is part of a larger reconnaissance effort.
 55- Correlate the alert with other security events or alerts to assess if there is a broader attack campaign underway. Look for related alerts that might indicate subsequent exploitation attempts.
 56- Investigate the timing and frequency of the scan attempts to understand if they coincide with other suspicious activities or known attack windows. This can provide context on the attacker's intent and urgency.
 57- Assess the network's current security posture and ensure that appropriate defenses, such as firewalls and intrusion detection systems, are configured to mitigate potential exploitation of identified open ports.
 58
 59### False positive analysis
 60
 61- Internal network scanning tools or scripts used by IT teams for legitimate network mapping can trigger this rule. To manage this, create exceptions for known internal IP addresses or subnets used by IT for network discovery.
 62- Automated monitoring systems or security appliances that perform regular port checks might be flagged. Identify these systems and exclude their IP addresses from the rule to prevent false positives.
 63- Software updates or patch management systems that check multiple ports for service availability can be mistaken for a SYN-based port scan. Whitelist these systems to avoid unnecessary alerts.
 64- Load balancers or network devices that perform health checks across multiple ports may trigger the rule. Exclude these devices from the rule to ensure accurate detection.
 65- Development or testing environments where multiple port scans are part of routine operations can cause false positives. Implement exceptions for these environments to maintain focus on genuine threats.
 66
 67### Response and remediation
 68
 69- Isolate the affected internal IP address to prevent further reconnaissance or potential exploitation of identified open ports.
 70- Conduct a thorough review of firewall and network access control lists to ensure that only necessary ports are open and accessible from internal networks.
 71- Implement rate limiting on SYN packets to reduce the risk of successful port scanning and reconnaissance activities.
 72- Monitor the network for any unusual outbound traffic from the affected IP address, which may indicate further malicious activity or data exfiltration attempts.
 73- Escalate the incident to the security operations team for further analysis and to determine if additional network segments or systems are affected.
 74- Update intrusion detection and prevention systems to enhance detection capabilities for similar SYN-based port scanning activities.
 75- Review and update network segmentation policies to limit the exposure of critical services and systems to internal reconnaissance activities."""
 76
 77
 78[[rule.threat]]
 79framework = "MITRE ATT&CK"
 80[[rule.threat.technique]]
 81id = "T1046"
 82name = "Network Service Discovery"
 83reference = "https://attack.mitre.org/techniques/T1046/"
 84
 85
 86[rule.threat.tactic]
 87id = "TA0007"
 88name = "Discovery"
 89reference = "https://attack.mitre.org/tactics/TA0007/"
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1595"
 94name = "Active Scanning"
 95reference = "https://attack.mitre.org/techniques/T1595/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1595.001"
 98name = "Scanning IP Blocks"
 99reference = "https://attack.mitre.org/techniques/T1595/001/"
100
101
102
103[rule.threat.tactic]
104id = "TA0043"
105name = "Reconnaissance"
106reference = "https://attack.mitre.org/tactics/TA0043/"
107
108[rule.threshold]
109field = ["destination.ip", "source.ip"]
110value = 1
111[[rule.threshold.cardinality]]
112field = "destination.port"
113value = 250