Explanation

The connscan NDM detects connection-scanning attempts on the network. It does this by monitoring for a high rate of connection attempts, which may indicate an attacker trying to discover available services or potential vulnerabilities on network devices. The NDM triggers when the number of connection attempts seen within a certain time period exceeds a threshold.

What to Look For

If the connscan NDM is triggered, network administrators should examine the source and destination IP addresses, as well as the ports and protocols involved in the connection attempts. They should also look for any patterns or trends over time, such as a sudden increase in connection attempts from a particular IP address. Endpoint agents should be checked for any sign of malicious activity or malware, particularly if the connection scanning is originating from within the network. Remediation should involve blocking the offending IP addresses and investigating any vulnerabilities or misconfigurations that may have allowed the scanning to occur.
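The threshold-within-a-window trigger described in the Explanation, and the per-source breakdown of destination hosts, ports and protocols an analyst is told to look for, as an added example that is not the NDM's own code. The log format, the threshold of 5 attempts and the 10-second window are all assumptions chosen for the example.

```python
"""Sliding-window connection-scan detector (illustrative, not the NDM's code)."""
from collections import defaultdict, deque

THRESHOLD = 5          # assumed: alert once a source exceeds 5 attempts ...
WINDOW_SECONDS = 10.0  # ... within any 10-second window

def parse_line(line):
    """Parse a constructed record: '<epoch> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, port, proto = line.split()
    return float(ts), src, dst, int(port), proto

def detect_connscan(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert dict per source that exceeds `threshold` attempts in `window`.

    `lines` must be in time order. Each alert carries the attempt count and the
    distinct (dst_ip, dst_port, proto) targets, so the analyst can see whether
    the burst looks like a port sweep of one host or a host sweep on one port.
    """
    recent = defaultdict(deque)  # src_ip -> attempts still inside the window
    alerts = []
    for ts, src, dst, port, proto in map(parse_line, lines):
        q = recent[src]
        q.append((ts, dst, port, proto))
        while q and ts - q[0][0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) > threshold:
            targets = sorted({(d, p, pr) for _, d, p, pr in q})
            alerts.append({"src": src, "time": ts, "attempts": len(q), "targets": targets})
            q.clear()  # one alert per burst rather than one per extra attempt
    return alerts

# Constructed sample: 10.0.0.5 sweeps six ports on 10.0.0.20 in 2.5 seconds,
# while 10.0.0.7 makes ordinary connections spaced 15 seconds apart.
SAMPLE_LOG = """\
1000.0 10.0.0.7 10.0.0.20 443 tcp
1000.5 10.0.0.5 10.0.0.20 21 tcp
1001.0 10.0.0.5 10.0.0.20 22 tcp
1001.5 10.0.0.5 10.0.0.20 23 tcp
1002.0 10.0.0.5 10.0.0.20 25 tcp
1002.5 10.0.0.5 10.0.0.20 80 tcp
1003.0 10.0.0.5 10.0.0.20 443 tcp
1015.0 10.0.0.7 10.0.0.21 443 tcp
1030.0 10.0.0.7 10.0.0.22 443 tcp
1045.0 10.0.0.7 10.0.0.23 443 tcp
1060.0 10.0.0.7 10.0.0.24 443 tcp
1075.0 10.0.0.7 10.0.0.25 443 tcp
1090.0 10.0.0.7 10.0.0.26 443 tcp
""".splitlines()

if __name__ == "__main__":
    for a in detect_connscan(SAMPLE_LOG):
        print(f"{a['src']} at t={a['time']}: {a['attempts']} attempts -> {a['targets']}")
```

Only the scanner trips the rule; the slow, spaced-out source never accumulates more than one attempt inside the window, which is the kind of false positive the time-based threshold is meant to avoid.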

Related MITRE ATT&CK Categories

Active Scanning, Technique T1595 - Enterprise