Tactic: Reconnaissance

Potential Network Scan Detected

Sep 19, 2024 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: Elastic Defend Data Source: PAN-OS ·

Share on:

This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.

Potential Network Sweep Detected

Sep 19, 2024 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: Elastic Defend Data Source: PAN-OS ·

Share on:

This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.

Potential SYN-Based Network Scan Detected

Sep 19, 2024 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: Elastic Defend Data Source: PAN-OS ·

Share on:

This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.

Suspicious Network Tool Launched Inside A Container

May 22, 2024 · Data Source: Elastic Defend for Containers Domain: Container OS: Linux Use Case: Threat Detection Tactic: Discovery Tactic: Command and Control Tactic: Reconnaissance ·

Share on:

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.