8000_scan_external_internal

Explanation

This NDM is designed to detect scanning for port 8000 that is hitting the customer’s network from the Internet. Port 8000 has been used by numerous technologies as an alternative HTTP/HTTPS port.

What to Look For

Scanning activity on the Internet is quite commonplace. On must networks, port 8000 should not be exposed to the Internet.

Related MITRE ATT&CK Categories

Reconnaissance: Active Scanning, Technique T1595 - Enterprise