Tactic: Reconnaissance

Suspicious Network Tool Launched Inside A Container

Apr 10, 2025 · Domain: Container OS: Linux Use Case: Threat Detection Tactic: Discovery Tactic: Command and Control Tactic: Reconnaissance Data Source: Elastic Defend Resources: Investigation Guide ·

Share on:

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.

Deprecated - Suspicious Network Tool Launched Inside A Container

Mar 14, 2025 · Data Source: Elastic Defend for Containers Domain: Container OS: Linux Use Case: Threat Detection Tactic: Discovery Tactic: Command and Control Tactic: Reconnaissance Resources: Investigation Guide ·

Share on:

This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.

Potential Network Scan Detected

Feb 28, 2025 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: PAN-OS Resources: Investigation Guide ·

Share on:

This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule defines a threshold-based approach to detect connection attempts from a single source to a wide range of destination ports.

Potential Network Sweep Detected

Feb 28, 2025 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: PAN-OS Resources: Investigation Guide ·

Share on:

This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule defines a threshold-based approach to detect multiple connection attempts from a single host to numerous destination hosts over commonly used network services.

Potential SYN-Based Port Scan Detected

Feb 28, 2025 · Domain: Network Tactic: Discovery Tactic: Reconnaissance Use Case: Network Security Monitoring Data Source: PAN-OS Resources: Investigation Guide ·

Share on:

This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule defines a threshold-based approach to detect connection attempts from a single source to a large number of unique destination ports, while limiting the number of packets per port.