Internal Port Scan - Critical Ports (Windows Event Log)

Group by: _time, host, src_ip
Source: github.com/anvilogic-forge/armory

After gaining an initial foothold, threat actors may attempt to identify services operating on hosts within the network, often using legitimate port scanning software. This use case detects when more than 5 of the following ports have been scanned from a single internal source IP within one minute: 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 80 (HTTP), 8080 (Alternative HTTP), 139 (NetBIOS/SMB), 389 (LDAP), 443 (HTTPS), 8443 (Alternative HTTPS), 445 (Microsoft-DS/SMB), 3306 (MySQL), 3389 (RDP).

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1046` Network Service Discovery

References

Event coverage

Provider	Event	Title
Security-Auditing	Event ID 5152	The Windows Filtering Platform blocked a packet.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.

Rule body yaml

id: '26208.48343'
title: Internal Port Scan - Critical Ports
description: 'After gaining an initial foothold, threat actors may attempt to identify
  services operating on hosts within the network, often using legitimate port scanning
  software. This use case detects when more than 5 of the following ports have been
  scanned from a single internal source IP within one minute: 21 (FTP), 22 (SSH),
  23 (Telnet), 25 (SMTP), 80 (HTTP), 8080 (Alternative HTTP), 139 (NetBIOS/SMB), 389
  (LDAP), 443 (HTTPS), 8443 (Alternative HTTPS), 445 (Microsoft-DS/SMB), 3306 (MySQL),
  3389 (RDP). '
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=5152) OR
  "<EventID>5152<" OR TERM(EventCode=5156) OR "<EventID>5156<") | where match(src_ip,
  "(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})")
  and match(dest_port, "^(21|22|23|25|80|8080|139|389|443|8443|445|3306|3389)$") and
  not match(process_path, "(?i)\x5csplunkuniversalforwarder\x5cbin\x5csplunkd\.exe")
  | table _time, host, user, signature_id, process, process_*, dest_port, dest_ip,
  src_ip | bin span=60s | stats values(*) as * by _time, host | streamstats dc(dest_port)
  as dc_dest_port by _time, src_ip| where dc_dest_port>5 '
techniques:
- discovery:network service discovery
technique_id: 
- T1046
data_category:
- Windows event logs
references:
- https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/rhysida-ransomware-intrusion.pdf?utm_source=blog&utm_medium=blog&utm_campaign=rhysida-ransomware
- https://www.advanced-port-scanner.com/

Stages and Predicates

Stage 1: `search`

`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=5152) OR "<EventID>5152<" OR TERM(EventCode=5156) OR "<EventID>5156<")

Stage 2: `where`

| where match(src_ip, "(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})") and match(dest_port, "^(21|22|23|25|80|8080|139|389|443|8443|445|3306|3389)$") and not match(process_path, "(?i)\x5csplunkuniversalforwarder\x5cbin\x5csplunkd\.exe")

Stage 3: `table`

| table _time, host, user, signature_id, process, process_*, dest_port, dest_ip, src_ip

Stage 4: `bucket`

| bin span=60s

Stage 5: `stats`

| stats values(*) as * by _time, host

Stage 6: `streamstats`

| streamstats dc(dest_port) as dc_dest_port by _time, src_ip

Stage 7: `where`

| where dc_dest_port>5

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`process_path`	match	`"(?i)\x5csplunkuniversalforwarder\x5cbin\x5csplunkd\.exe"`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`5152` `5156` corpus 15 (splunk 13, kusto 2)
`dc_dest_port`	gt	`5`
`dest_port`	match	`"^(21\|22\|23\|25\|80\|8080\|139\|389\|443\|8443\|445\|3306\|3389)$"`
`src_ip`	match	`"(10\.\d{1,3}\.\d{1,3}\.\d{1,3}\|172\.(1[6-9]\|2[0-9]\|3[0-1])\.\d{1,3}\.\d{1,3}\|192\.168\.\d{1,3}\.\d{1,3})"`

Search terms

Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.

Stage	Term
1	`TERM`
1	`"<EventID>5152<"`
1	`TERM`
1	`"<EventID>5156<"`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Internal Port Scan - Critical Ports (Windows Event Log)

MITRE ATT&CK coverage

References

Event coverage

Rule body yaml

Stages and Predicates

Stage 1: `search`

Stage 2: `where`

Stage 3: `table`

Stage 4: `bucket`

Stage 5: `stats`

Stage 6: `streamstats`

Stage 7: `where`

Exclusions

Indicators

Search terms

Keyboard shortcuts

Search operators

Internal Port Scan - Critical Ports (Windows Event Log)

MITRE ATT&CK coverage

References

Event coverage

Rule body yaml

Stages and Predicates

Stage 1: search

Stage 2: where

Stage 3: table

Stage 4: bucket

Stage 5: stats

Stage 6: streamstats

Stage 7: where

Exclusions

Indicators

Search terms

Stage 1: `search`

Stage 2: `where`

Stage 3: `table`

Stage 4: `bucket`

Stage 5: `stats`

Stage 6: `streamstats`

Stage 7: `where`