Detection rules › Splunk

Internal Horizontal Port Scan NMAP Top 20

Status
production
Severity
medium
Group by
"All_Traffic.dest_port", "All_Traffic.src_ip", "All_Traffic.transport", _time, src_ip
Author
Dean Luxton
Source
github.com/splunk/security_content

This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses on one of the NMAP top 20 ports, counted per port and transport within a single one-hour window. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activity, whether from an intrusion, an unsanctioned tool or a misconfigured system. Because it runs over the Network_Traffic data model, the detection works on firewall, NetFlow or cloud flow telemetry rather than host logs, and fires on the scanning source so that it can be triaged promptly.

MITRE ATT&CK coverage

Tactic       Technique
Discovery    T1046 Network Service Discovery

Rule body splunk

name: Internal Horizontal Port Scan NMAP Top 20
id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
version: 12
creation_date: '2024-07-01'
modification_date: '2026-05-13'
author: Dean Luxton
status: production
type: TTP
description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using one of the NMAP top 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
data_source:
    - AWS CloudWatchLogs VPCflow
    - Cisco Secure Firewall Threat Defense Connection Event
search: |
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime
            dc(All_Traffic.dest_ip) as totalDestIPCount
            values(All_Traffic.action) as action
            values(All_Traffic.dest_zone) as dest_zone
            values(All_Traffic.rule) as rule
            values(All_Traffic.src_category) as src_category
            values(All_Traffic.src_port) as src_port
            values(All_Traffic.src_zone) as src_zone
    
    from datamodel=Network_Traffic where
    
    All_Traffic.src_ip IN (
      "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
      "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
      "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
      "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
      "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
    )
    All_Traffic.dest_port IN (
      21, 22, 23, 25, 53, 80, 110, 111,
      135, 139, 143, 443, 445, 993, 995,
      1723, 3306, 3389, 5900, 8080
    )
    
    by span=1h _time
       All_Traffic.src_ip All_Traffic.dest_port
       All_Traffic.transport
    
    | `drop_dm_object_name("All_Traffic")`
    | where totalDestIPCount>=250
    | eval dest_port=transport + "/" + dest_port
    | stats min(firstTime) as firstTime
            max(lastTime) as lastTime
            dc(dest_port) as num_ports_scanned
            sum(totalDestIPCount) as totalDestIPCount
            values(action) as action
            values(dest_port) as dest_ports
            values(dest_zone) as dest_zone
            values(rule) as rule
            values(src_category) as src_category
            values(src_zone) as src_zone
      by _time src_ip
    | fields - _time
    | `security_content_ctime(lastTime)`
    | `security_content_ctime(firstTime)`
    | `internal_horizontal_port_scan_nmap_top_20_filter`
how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls like Cisco Secure Firewall, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for $src_ip$
      search: '%original_detection_search% | search  src_ip = $src_ip$'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for $src_ip$
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
    entity:
        field: src_ip
        type: system
        score: 50
analytic_story:
    - Network Discovery
    - Cisco Secure Firewall Threat Defense Analytics
    - China-Nexus Threat Activity
    - Scattered Lapsus$ Hunters
asset_type: Endpoint
mitre_attack_id:
    - T1046
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: network
tests:
    - name: AWS CloudWatch True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
          source: aws:cloudwatchlogs:vpcflow
          sourcetype: aws:cloudwatchlogs:vpcflow
      test_type: unit
    - name: Cisco Secure Firewall True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer
      test_type: unit

Stages and Predicates

Stage 1: tstats

| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        dc(All_Traffic.dest_ip) as totalDestIPCount
        values(All_Traffic.action) as action
        values(All_Traffic.dest_zone) as dest_zone
        values(All_Traffic.rule) as rule
        values(All_Traffic.src_category) as src_category
        values(All_Traffic.src_port) as src_port
        values(All_Traffic.src_zone) as src_zone

from datamodel=Network_Traffic where

All_Traffic.src_ip IN (
  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
  "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
  "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
  "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
  "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
All_Traffic.dest_port IN (
  21, 22, 23, 25, 53, 80, 110, 111,
  135, 139, 143, 443, 445, 993, 995,
  1723, 3306, 3389, 5900, 8080
)

by span=1h _time
   All_Traffic.src_ip All_Traffic.dest_port
   All_Traffic.transport

Stage 2: macro

`drop_dm_object_name` strips the `All_Traffic.` prefix from the tstats output, which is why the later stages refer to plain `src_ip`, `dest_port` and `transport`.

| `drop_dm_object_name("All_Traffic")`

Stage 3: where

The threshold is applied to each (hour, src_ip, dest_port, transport) bucket produced by Stage 1, not to the host as a whole: a host that touches 249 destinations on each of the 20 ports in an hour produces no row here.

| where totalDestIPCount>=250

Stage 4: eval

| eval dest_port=transport + "/" + dest_port

Stage 5: stats

`sum(totalDestIPCount)` adds the per-port distinct counts, so `totalDestIPCount` in the finding title can exceed the number of distinct hosts touched when the same targets were probed on several ports; `num_ports_scanned` counts the `transport/port` pairs that cleared the threshold.

| stats min(firstTime) as firstTime
        max(lastTime) as lastTime
        dc(dest_port) as num_ports_scanned
        sum(totalDestIPCount) as totalDestIPCount
        values(action) as action
        values(dest_port) as dest_ports
        values(dest_zone) as dest_zone
        values(rule) as rule
        values(src_category) as src_category
        values(src_zone) as src_zone
  by _time src_ip

Stage 6: fields

| fields - _time

Stage 7: macro

| `security_content_ctime(lastTime)`

Stage 8: macro

The two `security_content_ctime` macros convert the epoch `firstTime` and `lastTime` values to human-readable timestamps.

| `security_content_ctime(firstTime)`

Stage 9: macro

`internal_horizontal_port_scan_nmap_top_20_filter` is the per-deployment tuning macro: authorized vulnerability scanners, asset-discovery tools and monitoring hosts that legitimately sweep these ports are excluded here, by `src_ip`, rather than by editing the search.

| `internal_horizontal_port_scan_nmap_top_20_filter`
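The nine stages above, re-implemented in Python over AWS VPC Flow Log records (one of the rule's listed data sources) so that the bucketing, threshold and roll-up behaviour can be run offline. This is an added example, not code from splunk/security_content: the flow records, addresses, account and interface identifiers are constructed for the demo, hourly bucketing is done with epoch arithmetic in place of `tstats ... span=1h`, and the macros of Stages 2, 7, 8 and 9 are omitted since they only rename fields, format times and apply a site-local allowlist. The `distinctDestIPCount` field is not in the SPL; it is kept alongside `totalDestIPCount` to show how `sum()` over per-port buckets overcounts.

```python
"""Added example: the rule's Stage 1-5 logic over AWS VPC Flow Log lines.

Not code from splunk/security_content. The VPC flow default record layout
(version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status) is the real AWS format; every
address, account id and interface id below is constructed for the demo.
"""
import ipaddress

# Stage 1 predicates, copied from the rule body.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]
NMAP_TOP_20 = {21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995,
               1723, 3306, 3389, 5900, 8080}
THRESHOLD = 250                  # Stage 3: where totalDestIPCount>=250
PROTO = {6: "tcp", 17: "udp"}    # VPC flow 'protocol' field is the IANA number


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_vpcflow(line):
    """Map a default-format VPC flow record onto the All_Traffic fields the rule uses."""
    f = line.split()
    return {"src_ip": f[3], "dest_ip": f[4], "dest_port": int(f[6]),
            "transport": PROTO.get(int(f[7]), f[7]), "_time": int(f[10]),
            "action": f[12]}


def detect(lines):
    """Return {(hour, src_ip): finding}, following Stages 1-5 of the SPL."""
    # Stage 1: tstats ... by span=1h _time src_ip dest_port transport
    buckets = {}
    for line in lines:
        r = parse_vpcflow(line)
        if not is_internal(r["src_ip"]) or r["dest_port"] not in NMAP_TOP_20:
            continue
        hour = r["_time"] - r["_time"] % 3600
        key = (hour, r["src_ip"], r["dest_port"], r["transport"])
        b = buckets.setdefault(key, {"dests": set(), "action": set(),
                                     "firstTime": r["_time"], "lastTime": r["_time"]})
        b["dests"].add(r["dest_ip"])            # dc(All_Traffic.dest_ip)
        b["action"].add(r["action"])
        b["firstTime"] = min(b["firstTime"], r["_time"])
        b["lastTime"] = max(b["lastTime"], r["_time"])

    findings = {}
    for (hour, src_ip, port, transport), b in buckets.items():
        if len(b["dests"]) < THRESHOLD:         # Stage 3, applied per bucket
            continue
        f = findings.setdefault((hour, src_ip), {
            "firstTime": b["firstTime"], "lastTime": b["lastTime"],
            "dest_ports": set(), "totalDestIPCount": 0, "action": set(),
            "_distinct": set()})
        f["firstTime"] = min(f["firstTime"], b["firstTime"])
        f["lastTime"] = max(f["lastTime"], b["lastTime"])
        f["dest_ports"].add(f"{transport}/{port}")   # Stage 4: eval dest_port=transport/port
        f["totalDestIPCount"] += len(b["dests"])     # Stage 5: sum() of per-port distinct counts
        f["action"] |= b["action"]
        f["_distinct"] |= b["dests"]                 # not in the SPL; kept for contrast
    for f in findings.values():
        f["num_ports_scanned"] = len(f["dest_ports"])
        f["distinctDestIPCount"] = len(f.pop("_distinct"))
    return findings


def vpcflow_line(src, dst, dport, ts, action="REJECT", proto=6):
    """Constructed record in the default VPC flow layout; ids are placeholders."""
    return (f"2 123456789012 eni-0a1b2c3d4e5f6a7b8 {src} {dst} 51000 {dport} "
            f"{proto} 1 44 {ts} {ts + 1} {action} OK")


def sample_lines():
    """Constructed hour of traffic: one true scanner and three sources that must not fire."""
    base = 1_700_000_000                         # lands in hour bucket 1699999200
    dests = [str(ipaddress.IPv4Address("10.2.0.0") + i) for i in range(300)]
    # scanner: 300 hosts on tcp/22, then the first 260 of them again on tcp/445
    lines = [vpcflow_line("10.1.2.3", d, 22, base + i) for i, d in enumerate(dests)]
    lines += [vpcflow_line("10.1.2.3", d, 445, base + 300 + i)
              for i, d in enumerate(dests[:260])]
    # 120 hosts on tcp/80: below the 250 threshold
    lines += [vpcflow_line("10.1.2.4", d, 80, base + i, action="ACCEPT")
              for i, d in enumerate(dests[:120])]
    # 300 hosts on tcp/8443: port is not in the Nmap top 20
    lines += [vpcflow_line("10.1.2.5", d, 8443, base + i) for i, d in enumerate(dests)]
    # 300 hosts on tcp/22 from an address outside every listed internal range
    lines += [vpcflow_line("11.22.33.44", d, 22, base + i) for i, d in enumerate(dests)]
    return lines


if __name__ == "__main__":
    for (hour, src_ip), f in detect(sample_lines()).items():
        print(f"{src_ip} has scanned for ports {sorted(f['dest_ports'])} across "
              f"{f['totalDestIPCount']} destination IPs "
              f"({f['distinctDestIPCount']} distinct) in hour {hour}")
```

Run stand-alone, only 10.1.2.3 is reported, with `totalDestIPCount` of 560 against 300 distinct targets: the same finding-title arithmetic the SPL produces. The host on tcp/8443 and the external source show how much of the filtering happens inside the tstats `where` clause before any counting, and 10.1.2.4 shows the per-bucket threshold.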

Indicators

Each row is a field, the operator the rule applies to it, and the values it matches. The first two rows are the Stage 1 predicates evaluated inside tstats; the last is the Stage 3 threshold on the computed distinct-destination count.

Field                  Kind  Values
All_Traffic.dest_port  in    21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080
All_Traffic.src_ip     in    10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.0.0/29, 192.0.0.8/32, 192.0.0.9/32, 192.0.0.10/32, 192.0.0.170/32, 192.0.0.171/32, 192.0.2.0/24, 192.31.196.0/24, 192.52.193.0/24, 192.88.99.0/24, 192.168.0.0/16, 192.175.48.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4
totalDestIPCount       ge    250