Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An internal cloud resource attempted to connect to the same destination port on multiple external IP addresses.
This may be a result of the cloud resource being hijacked by an attacker.
Attackers scan a specific destination port for reconnaissance: they look for known vulnerable services that accept connections on that port, then perform targeted attacks against them.
Attacker's Goals
Detect vulnerable services that listen on known ports and are open to the Internet.
Investigative actions
- Check if similar activity was performed on additional cloud resources.
- Check if similar activity was performed against additional ports and external IP addresses from the same cloud resource.
- Check which process triggered the port scanning activity and for what purpose.
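The pattern in the description, and the per-resource check from the second investigative action, can be reproduced over flow records with the sketch below. It is an added example, not the detector's own logic: the threshold, the internal address range, the record layout and all function names are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # mirrors the 1-hour test period in the synopsis
MIN_EXTERNAL_DSTS = 5         # assumed threshold; the page does not state one
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed cloud address space

# Constructed flow records: (timestamp, source IP, destination IP, destination port)
SAMPLE_FLOWS = (
    [(f"2024-01-01T10:{i:02d}:00", "10.0.1.15", f"198.51.100.{i + 1}", 22) for i in range(8)]
    + [(f"2024-01-01T10:{i:02d}:30", "10.0.1.15", f"203.0.113.{i + 1}", 3389) for i in range(2)]
    + [("2024-01-01T10:05:00", "10.0.2.20", "198.51.100.200", 443)] * 6  # one destination, repeated
    + [("2024-01-01T10:06:00", "10.0.1.15", f"10.0.3.{i}", 22) for i in range(1, 9)]  # internal only
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def external_fanout(flows, src):
    """Per destination port, count the distinct external IPs one resource contacted."""
    dsts = defaultdict(set)
    for _, s, dst, port in flows:
        if s == src and not is_internal(dst):
            dsts[port].add(dst)
    return {port: len(ips) for port, ips in dsts.items()}

def find_port_scans(flows, window=WINDOW, min_dsts=MIN_EXTERNAL_DSTS):
    """Return {(src, port): peak distinct external destinations within any window}."""
    events = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            events[(src, port)].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = best = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= min_dsts:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (src, port), count in find_port_scans(SAMPLE_FLOWS).items():
        print(f"{src} contacted {count} external IPs on port {port} within {WINDOW}")
```

Repeated connections to a single external address and fan-out to internal addresses are deliberately not flagged; only distinct external destinations on one port count toward the threshold.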