Outbound TCP port scan indicating hacking tool use or infection

ID: outbound_port_scan
Data type: IP
Severity: High
MITRE ATT&CK: TA0007:T1046

Description

AlphaSOC has identified an endpoint attempting to connect to multiple IP addresses within the same /20 subnet over a 15 minute period. The connections were made to ports associated with popular services such as RDP, Samba or similar. This pattern of behavior indicates an outbound port scan, which threat actors often use to discover open ports and prepare for an attack.
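The detection pattern described above, written out as an added example (not AlphaSOC's code) and run over constructed flow records: for each source host, count distinct destination IPs in the same /20 reached on service ports within a sliding 15-minute window. The port list, the "multiple addresses" threshold and the flow tuple layout are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Ports for the "popular services" the rule names (RDP, SMB/Samba); set is an assumption.
SERVICE_PORTS = {3389, 445, 139}
WINDOW = timedelta(minutes=15)
MIN_DISTINCT_DST = 5  # "multiple" is not quantified on the page; threshold assumed


def detect_outbound_port_scan(flows, min_distinct=MIN_DISTINCT_DST):
    """Return (src, /20 network, peak distinct destinations) for every source that
    reached at least `min_distinct` different IPs in one /20 within a 15-minute window.
    flows: iterable of (iso_timestamp, src_ip, dst_ip, dst_port) tuples."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port not in SERVICE_PORTS:
            continue  # only connections to the watched service ports count
        net = ipaddress.ip_network(f"{dst}/20", strict=False)  # /20 containing dst
        by_key[(src, net)].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for (src, net), events in by_key.items():
        events.sort()  # chronological, so a two-pointer window works
        lo, peak = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > WINDOW:
                lo += 1  # drop events older than 15 minutes before events[hi]
            peak = max(peak, len({dst for _, dst in events[lo:hi + 1]}))
        if peak >= min_distinct:
            alerts.append((src, str(net), peak))
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = (
    # scanning host: eight distinct IPs in one /20 on RDP within ten minutes
    [(f"2024-01-01T09:{i:02d}:00", "192.0.2.10", f"203.0.113.{i + 1}", 3389) for i in range(8)]
    # same host an hour earlier: outside the window, so it must not be counted
    + [("2024-01-01T08:00:00", "192.0.2.10", "203.0.113.99", 3389)]
    # benign host: repeated SMB connections to a single file server
    + [(f"2024-01-01T09:{i:02d}:00", "192.0.2.20", "203.0.113.50", 445) for i in range(8)]
    # benign host: many destinations, but on a port the rule does not watch
    + [(f"2024-01-01T09:{i:02d}:00", "192.0.2.30", f"203.0.113.{i + 20}", 443) for i in range(8)]
)

if __name__ == "__main__":
    for src, net, n in detect_outbound_port_scan(SAMPLE_FLOWS):
        print(f"ALERT {src} reached {n} distinct hosts in {net} within 15 minutes")
```

Only the first host fires: the earlier connection falls outside the window (peak stays at 8, not 9), the repeated file-server connections involve one destination, and the HTTPS fan-out is ignored because 443 is not a watched port.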

Impact

Outbound port scanning indicates a potential malware infection or a compromised system. The infected host may be attempting to spread to other systems on the internet, potentially leading to further infections or participation in botnet activity. This behavior can result in reputational damage, blacklisting of the organization's IP addresses, or unauthorized access to other systems.

Severity

Severity   Condition
High       Multiple connections indicating port scanning

Investigation and Remediation

Examine the affected endpoint. Review logs and installed software for signs of compromise. Check for unauthorized or suspicious user activity. If malware is suspected, isolate the endpoint and perform a malware scan.

Known False Positives

  • Legitimate network scanning tools used by IT staff for network management
  • Misconfigured applications attempting to connect to multiple endpoints
  • Some peer-to-peer applications may exhibit similar behavior
  • Security software performing routine checks across multiple IP addresses