Outbound TCP port scan indicating hacking tool use or infection
Description
AlphaSOC has identified an endpoint attempting to connect to multiple IP addresses within the same /20 subnet over a 15-minute period. The connections were made to ports associated with popular services such as RDP, Samba (SMB) or similar. This pattern of behavior indicates an outbound port scan, which threat actors often use to discover open ports and prepare for an attack.
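The grouping described above, as an added illustration that is not AlphaSOC's own detection code: flows are bucketed by source and destination /20, and a source is flagged when it reaches a threshold of distinct hosts in that /20 on a watched port inside a 15-minute window. The port list, the threshold of 5 hosts, the flow record format and the sample flows are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed parameters; AlphaSOC's real port list and threshold are not stated on the page.
WATCHED_PORTS = {445, 3389}         # SMB and RDP
WINDOW = timedelta(minutes=15)
MIN_DISTINCT_HOSTS = 5

def parse_flow(line):
    """Parse a constructed flow record: '<ISO time> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, ip_address(dst), int(dport)

def find_outbound_scans(lines, min_hosts=MIN_DISTINCT_HOSTS, window=WINDOW):
    """Return {src: {'/20 subnet', ...}} for sources that contacted at least
    min_hosts distinct destinations inside one /20 on a watched port within
    any window-sized interval. Repeat connections to one host count once."""
    groups = defaultdict(list)      # (src, /20 supernet) -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport in WATCHED_PORTS:
            supernet = ip_network(f"{dst}/20", strict=False)
            groups[(src, supernet)].append((ts, dst))
    hits = defaultdict(set)
    for (src, supernet), events in groups.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct hosts reached in [start, start + window]
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= min_hosts:
                hits[src].add(str(supernet))
                break
    return dict(hits)

# Constructed sample flows: 10.0.0.5 sweeps RDP across 203.0.112.0/20 within four
# minutes (one host twice); 10.0.0.9 makes two routine SMB connections; the HTTPS
# connections are on a non-watched port and are ignored.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00 10.0.0.5 203.0.113.10 3389",
    "2024-05-01T10:01:00 10.0.0.5 203.0.113.11 3389",
    "2024-05-01T10:01:30 10.0.0.5 203.0.113.11 3389",
    "2024-05-01T10:02:00 10.0.0.5 203.0.113.12 3389",
    "2024-05-01T10:03:00 10.0.0.5 203.0.113.13 3389",
    "2024-05-01T10:04:00 10.0.0.5 203.0.113.14 3389",
    "2024-05-01T10:05:00 10.0.0.5 203.0.113.40 443",
    "2024-05-01T10:06:00 10.0.0.9 198.51.100.5 445",
    "2024-05-01T10:07:00 10.0.0.9 198.51.100.6 445",
]

if __name__ == "__main__":
    print(find_outbound_scans(SAMPLE_FLOWS))   # {'10.0.0.5': {'203.0.112.0/20'}}
```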
Impact
Outbound port scanning indicates a potential malware infection or a compromised system. The infected host may be attempting to spread to other systems on the internet, potentially leading to further infections or participation in botnet activity. This behavior can result in reputational damage, blacklisting of IP addresses or unauthorized access to other systems.
Severity
| Severity | Condition |
|---|---|
| High | Multiple connections indicating port scanning |
Investigation and Remediation
Examine the affected endpoint. Review logs and installed software for signs of compromise. Check for unauthorized or suspicious user activity. If malware is suspected, isolate the endpoint and perform a malware scan.
Known False Positives
- Legitimate network scanning tools used by IT staff for network management
- Misconfigured applications attempting to connect to multiple endpoints
- Some peer-to-peer applications may exhibit similar behavior
- Security software performing routine checks across multiple IP addresses