port_1433_scanning_outbound

Explanation

This NDM detects outbound traffic indicating scanning for open port 1433. This port is commonly used by Microsoft SQL Server and, if left exposed, can allow unauthorized access to sensitive data. The NDM triggers when multiple outbound connections are detected to different IP addresses on port 1433.

What to Look For

If this NDM is triggered, examine your network logs for multiple outbound connections to different IP addresses on port 1433. Look for any endpoint activity indicating a possible SQL Server connection being established, including processes, files, or registry keys related to SQL Server. This event can indicate a potential attacker trying to identify SQL Server installations in the network, and should be investigated immediately to prevent unauthorized access to sensitive data.
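
The check described above, distinct destination IPs on port 1433 from one source within a short window, as an added example that is not part of this NDM's own code. It runs over constructed connection records in a whitespace-delimited `timestamp src_ip dst_ip dst_port` format (an assumption, not the format of any particular sensor); the threshold and window are illustrative tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records (timestamp src_ip dst_ip dst_port); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 10.0.1.10 1433
2024-05-01T10:00:02Z 10.0.0.5 10.0.1.11 1433
2024-05-01T10:00:02Z 10.0.0.5 10.0.1.12 1433
2024-05-01T10:00:03Z 10.0.0.5 10.0.1.13 1433
2024-05-01T10:00:03Z 10.0.0.5 10.0.1.14 1433
2024-05-01T10:00:04Z 10.0.0.7 10.0.1.10 1433
2024-05-01T10:00:05Z 10.0.0.7 10.0.1.10 1433
2024-05-01T10:00:06Z 10.0.0.9 10.0.1.20 443
2024-05-01T10:10:00Z 10.0.0.5 10.0.1.15 1433
"""

def parse_record(line):
    """Split one whitespace-delimited record into (datetime, src_ip, dst_ip, dst_port)."""
    ts, src, dst, dport = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)

def detect_port_scan(log_text, port=1433, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: set_of_dst_ips} for every source that reached at least
    `threshold` distinct destination IPs on `port` inside any `window`.
    Repeated connections to a single host (normal client-to-DB traffic) never count."""
    per_source = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, dport = parse_record(line)
        if dport == port:  # only the monitored port contributes
            per_source[src].append((ts, dst))

    alerts = {}
    for src, conns in per_source.items():
        conns.sort()  # chronological order for the sliding window
        start = 0
        for end in range(len(conns)):
            # Slide `start` forward until conns[start..end] all fall inside the window
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.setdefault(src, set()).update(distinct)
    return alerts

if __name__ == "__main__":
    for src, targets in detect_port_scan(SAMPLE_LOG).items():
        print(f"ALERT {src} probed {len(targets)} hosts on 1433: {sorted(targets)}")
```

In the sample, only 10.0.0.5 fires: 10.0.0.7 hits the same server twice (one distinct destination), the 443 record is ignored, and the later 10:10 probe falls outside the window.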

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise

Active Scanning, Technique T1595 - Enterprise