port_445_scanning_internal

Explanation

The port_445_scanning_internal event is triggered when a source IP is scanning internal networks for port 445, which is commonly used by Windows for file and printer sharing. This type of scanning activity often indicates attempts to exploit known vulnerabilities or to spread malware within the network.

What to Look For

To examine the results of the port_445_scanning_internal event, review each source IP that has been detected scanning internal networks for port 445 and determine whether the host is compromised or is performing legitimate scanning activity. Endpoint analysis should also be conducted on the scanned systems to determine whether any have been compromised and what remediation is required. It is recommended that affected systems be isolated from the network and patched or updated to prevent further spread of malware or exploitation.
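The following is an added example of the detection and triage logic described above; it is not the page's own implementation of the port_445_scanning_internal event. It assumes a constructed, space-separated connection log (timestamp, source IP, destination IP, destination port, connection state) with Zeek-style states (S0 = no reply, REJ = rejected, SF = completed), treats the RFC 1918 ranges as "internal", and flags a source once it reaches a threshold of distinct internal hosts on port 445 inside a sliding time window. It goes slightly beyond the text by also listing the hosts where the SMB connection actually completed, which are the first candidates for the endpoint analysis the page recommends, and by showing how the window length decides whether a slow, spread-out scan is caught.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample log (not real traffic). One scanner (10.0.5.23) sweeps a /24
# quickly, one normal SMB client (10.0.9.9) talks to a single file server, one slow
# scanner (10.0.7.7) touches one host every 30 minutes, and one host (10.0.8.8)
# probes external addresses, which this internal-scan rule deliberately ignores.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.23 10.0.1.10 445 S0
2024-05-01T10:00:01 10.0.5.23 10.0.1.11 445 REJ
2024-05-01T10:00:02 10.0.5.23 10.0.1.12 445 S0
2024-05-01T10:00:02 10.0.5.23 10.0.1.13 445 S0
2024-05-01T10:00:03 10.0.5.23 10.0.1.14 445 SF
2024-05-01T10:00:04 10.0.5.23 10.0.1.15 445 REJ
2024-05-01T10:00:05 10.0.5.23 10.0.1.16 445 S0
2024-05-01T10:00:05 10.0.5.23 10.0.1.10 80 SF
2024-05-01T09:15:00 10.0.9.9 10.0.1.10 445 SF
2024-05-01T09:16:00 10.0.9.9 10.0.1.10 445 SF
2024-05-01T09:17:00 10.0.9.9 10.0.1.10 445 SF
2024-05-01T09:18:00 10.0.9.9 10.0.1.10 445 SF
2024-05-01T09:19:00 10.0.9.9 10.0.1.10 445 SF
2024-05-01T09:00:00 10.0.7.7 10.0.2.1 445 S0
2024-05-01T09:30:00 10.0.7.7 10.0.2.2 445 S0
2024-05-01T10:00:00 10.0.7.7 10.0.2.3 445 S0
2024-05-01T10:30:00 10.0.7.7 10.0.2.4 445 S0
2024-05-01T11:00:00 10.0.7.7 10.0.2.5 445 S0
2024-05-01T10:05:00 10.0.8.8 203.0.113.1 445 S0
2024-05-01T10:05:00 10.0.8.8 203.0.113.2 445 S0
2024-05-01T10:05:01 10.0.8.8 203.0.113.3 445 S0
2024-05-01T10:05:01 10.0.8.8 203.0.113.4 445 S0
2024-05-01T10:05:02 10.0.8.8 203.0.113.5 445 S0
"""

# Assumption: RFC 1918 space is "internal"; adjust to the monitored address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Conn(NamedTuple):
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    state: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_records(text: str) -> List[Conn]:
    """Parse the constructed log format into Conn tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, state = line.split()
        records.append(Conn(datetime.fromisoformat(ts), src, dst, int(port), state))
    return records


def detect_port445_scanners(records: List[Conn], window_seconds: int = 60, threshold: int = 5) -> Dict[str, dict]:
    """Flag sources that reach `threshold` distinct internal hosts on 445 within any `window_seconds` span."""
    by_src = defaultdict(list)
    for r in records:
        if r.dst_port == 445 and is_internal(r.dst_ip):
            by_src[r.src_ip].append(r)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r.ts)
        in_window = Counter()  # dst_ip -> events currently inside the sliding window
        left, peak = 0, 0
        for ev in events:
            in_window[ev.dst_ip] += 1
            # Drop events that fell out of the window ending at ev.ts.
            while (ev.ts - events[left].ts).total_seconds() > window_seconds:
                old = events[left]
                in_window[old.dst_ip] -= 1
                if in_window[old.dst_ip] == 0:
                    del in_window[old.dst_ip]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings[src] = {
                "distinct_hosts_in_window": peak,
                "total_hosts": len({e.dst_ip for e in events}),
                "first_seen": events[0].ts,
                "last_seen": events[-1].ts,
                "conn_states": Counter(e.state for e in events),
                # Completed SMB handshakes: prioritise these hosts for endpoint analysis.
                "hosts_completed": sorted({e.dst_ip for e in events if e.state == "SF"}),
            }
    return findings


def summarize(findings: Dict[str, dict]) -> List[str]:
    """One triage line per flagged source, for an analyst's first look."""
    return [
        f"{src}: {f['distinct_hosts_in_window']} internal hosts on 445 within window "
        f"({f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S}); "
        f"states={dict(f['conn_states'])}; completed on {f['hosts_completed'] or 'none'}"
        for src, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in summarize(detect_port445_scanners(parse_records(SAMPLE_LOG))):
        print(line)
```

With the default 60-second window only 10.0.5.23 is flagged; the slow scanner 10.0.7.7 is missed until the window is widened (for example to a few hours), and the outbound probing by 10.0.8.8 is out of scope for an internal-scan rule and should be covered by a separate outbound detection. The completed connection to 10.0.1.14 is the host to examine first.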

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise

Active Scanning, Technique T1595 - Enterprise