Suspicious Port Scan

Detection overview

The Suspicious Port Scan detection occurs when a host systematically probes multiple ports on one or more remote systems. This behavior is commonly associated with reconnaissance activities, where attackers or automated scripts attempt to identify open ports and services that can be exploited. While port scanning is sometimes performed for legitimate reasons, such as network troubleshooting or inventory management, it is also a well-known tactic used by adversaries to gather intelligence on potential targets before launching an attack.

Triggers

  • An internal host has attempted contact with many ports on a small number of internal IP addresses

Possible Root Causes

  • An infected internal system that is part of a targeted attack is trying to locate any services which may be active on a small number of hosts by attempting connections on different ports on one or more IP addresses
  • An IT-run vulnerability scanner or asset discovery system is mapping out system services on a host
  • The detected host is communicating with another host using a peer-to-peer protocol and the traffic configuration on the switch is only supplying one direction of the traffic to the Vectra sensor

Business Impact

  • Reconnaissance of individual systems may represent the beginning of a targeted attack in your network
  • If the system being scanned is an important or critical asset, any unauthorized scan should be treated with utmost suspicion
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters

Steps to Verify

  • Check to see if the detected host is authorized to perform port scans on the target hosts
  • Look at the pattern of ports being scanned to try to determine what the detected host may be searching for
  • If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further
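
A minimal implementation of the trigger above, run over constructed Zeek-style connection records, as an added example rather than Vectra's own detection logic: it flags a source that reaches many distinct ports on a small number of internal hosts, marks an assumed triage-filtered IT scanner (10.1.5.40) as authorized, and reports whether the ports form a sequential sweep to support the "look at the pattern of ports" verification step. The thresholds, addresses and triage list are assumptions.

```python
from collections import defaultdict

# Constructed Zeek-style conn records (ts, id.orig_h, id.resp_h, id.resp_p,
# proto, conn_state), tab-separated like a conn.log; not real traffic.
def build_sample_log():
    lines = []
    # 10.1.5.23 sweeps 30 ports on one internal host: the trigger condition
    for i, port in enumerate(range(20, 50)):
        lines.append(f"1700000000.{i}\t10.1.5.23\t10.1.9.10\t{port}\ttcp\tREJ")
    # 10.1.5.40 is the IT vulnerability scanner (authorized, triage-filtered)
    for i, port in enumerate(range(1, 41)):
        lines.append(f"1700000100.{i}\t10.1.5.40\t10.1.9.11\t{port}\ttcp\tREJ")
    # 10.1.5.99 is ordinary traffic: a few services on a few hosts
    normal = [("10.1.9.12", 443), ("10.1.9.13", 445), ("10.1.9.14", 3389)]
    for i, (dst, port) in enumerate(normal):
        lines.append(f"1700000200.{i}\t10.1.5.99\t{dst}\t{port}\ttcp\tSF")
    return "\n".join(lines)

MIN_DISTINCT_PORTS = 20              # "many ports" (assumed threshold)
MAX_TARGETS = 5                      # "a small number of internal IP addresses"
AUTHORIZED_SCANNERS = {"10.1.5.40"}  # hypothetical triage-filter entry

def parse_conn_log(text):
    # Yield (src, dst, port) from each tab-separated record
    for line in text.splitlines():
        _ts, src, dst, port, _proto, _state = line.split("\t")
        yield src, dst, int(port)

def looks_sequential(ports):
    # True when the sorted ports form one contiguous run, e.g. 20..49
    ports = sorted(ports)
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))

def find_port_scans(text, min_ports=MIN_DISTINCT_PORTS, max_targets=MAX_TARGETS):
    """Flag sources touching >= min_ports distinct ports on <= max_targets hosts."""
    targets = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    for src, dst, port in parse_conn_log(text):
        targets[src][dst].add(port)
    findings = []
    for src, dsts in targets.items():
        all_ports = set().union(*dsts.values())
        if len(all_ports) >= min_ports and len(dsts) <= max_targets:
            findings.append({
                "src": src, "targets": sorted(dsts), "port_count": len(all_ports),
                "sequential": looks_sequential(all_ports),
                "authorized": src in AUTHORIZED_SCANNERS,   # whitelisted scanner
            })
    return findings

if __name__ == "__main__":
    print(find_port_scans(build_sample_log()))
```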

Possible root causes

Malicious Detection

Attackers use port scanning to identify open services and vulnerabilities within a network. By mapping out available services, adversaries can determine the best attack vectors, such as outdated software, misconfigured services, or weak authentication mechanisms. Cybercriminals, ransomware operators, and advanced persistent threats (APTs) all rely on reconnaissance techniques like port scanning as an essential step in their attack lifecycle. Once a vulnerable service is found, attackers can exploit it to gain unauthorized access, deploy malware, or escalate privileges.

Benign Detection

Not all port scanning activity is malicious. Network administrators, security teams, and automated IT tools may conduct scans for legitimate purposes, such as vulnerability assessments, asset inventory, or compliance checks. Organizations frequently use security tools like Nmap or Nessus to assess their network’s exposure and identify weak points before attackers do. Additionally, some software applications may periodically scan network ports to discover services for configuration or integration purposes.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Increased risk of exploitation

If an attacker successfully identifies open ports with vulnerable services, they may exploit them to gain unauthorized access, potentially leading to data breaches or system compromise.

Operational disruptions

Port scanning at scale can strain network resources, trigger security defenses, and cause interruptions in legitimate business operations if defensive measures block critical services.

Compliance and regulatory concerns

Unmonitored or unauthorized scanning activity within an organization can indicate potential security gaps, leading to non-compliance with security frameworks such as NIST, ISO 27001, or GDPR.
