Explanation

rstscan is a detection model that identifies RST scanning activity on the network. RST scanning is a technique attackers use to probe for open ports on a target system: the scanner sends TCP RST (reset) packets to a range of IP addresses and ports and uses the responses (or lack of them) to determine which ports are closed or filtered.

What to Look For

To examine the results of the rstscan event, look for an unusually high number of TCP RST packets sent from a single IP address to a range of destination IP addresses and ports within a short period. This may indicate that an attacker is attempting to identify vulnerable systems on your network. Check your firewall logs for unusual patterns of RST packets from the same source.
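The check described above can be expressed as a simple sliding-window count of distinct (destination, port) targets per source. The script below is an added example and is not part of the rstscan model or its documentation; the packet summary format, the field names, the thresholds (60-second window, 10 distinct targets) and the sample traffic are all assumptions chosen for illustration. It also handles the main false-positive case a practitioner runs into: a busy server legitimately answers many unsolicited connection attempts with RST/ACK, so RSTs that are replies to an observed SYN are excluded before counting.

```python
"""Flag sources whose unsolicited TCP RST packets reach many distinct targets.

Added example, not part of the rstscan detection model. Packet format,
thresholds and sample data are assumptions for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # epoch seconds
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    flags: str   # TCP flag letters, e.g. "S", "SA", "R", "RA"


def find_rst_scanners(packets, window_s=60.0, min_targets=10):
    """Return {src_ip: peak_distinct_targets} for sources whose unsolicited
    RST packets reach at least `min_targets` distinct (dst, dport) pairs
    within any `window_s`-second sliding window."""
    ordered = sorted(packets, key=lambda p: p.ts)

    # Step 1: remember SYNs so that RST/ACK replies to connection attempts
    # are treated as ordinary responses, not probes. key: (initiator, responder, port)
    syn_seen = set()
    rst_by_src = defaultdict(list)  # src -> [(ts, (dst, dport)), ...]
    for p in ordered:
        if "S" in p.flags and "A" not in p.flags:
            syn_seen.add((p.src, p.dst, p.dport))
        elif "R" in p.flags:
            # A RST from responder:port back to the initiator is a reply, skip it.
            if (p.dst, p.src, p.sport) in syn_seen:
                continue
            rst_by_src[p.src].append((p.ts, (p.dst, p.dport)))

    # Step 2: per source, slide a time window over its unsolicited RSTs and
    # track how many distinct targets are inside it (two-pointer, linear).
    flagged = {}
    for src, events in rst_by_src.items():
        in_window = Counter()
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            while events[left][0] < ts - window_s:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


def build_sample():
    """Constructed traffic: one scanner, one busy server, one low-rate host."""
    pkts = []
    # Scanner 10.0.0.5: 12 unsolicited RSTs, one every 0.5 s, to 12 host:port pairs.
    for i in range(12):
        pkts.append(Packet(1000.0 + i * 0.5, "10.0.0.5", 40000 + i,
                           f"192.168.1.{10 + i}", 22 + i, "R"))
    # Server 192.168.1.20: 15 clients probe closed port 8080, it answers RST/ACK.
    for i in range(15):
        client = f"172.16.0.{i + 1}"
        pkts.append(Packet(1000.0 + i, client, 50000 + i, "192.168.1.20", 8080, "S"))
        pkts.append(Packet(1000.1 + i, "192.168.1.20", 8080, client, 50000 + i, "RA"))
    # Host 10.0.0.9: 3 unsolicited RSTs spread minutes apart (below threshold).
    for i in range(3):
        pkts.append(Packet(1000.0 + i * 300, "10.0.0.9", 41000 + i,
                           f"192.168.1.{30 + i}", 443, "R"))
    return pkts


if __name__ == "__main__":
    for src, count in find_rst_scanners(build_sample()).items():
        print(f"possible RST scan from {src}: {count} distinct targets in window")
```

Only the scanner is reported; the server's fifteen RST/ACK replies are suppressed because each matches an inbound SYN, and the low-rate host never reaches the target threshold. The window and threshold should be tuned to the network: a shorter window with a lower threshold catches fast sweeps, while a longer window is needed for slow scans.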

On the endpoint, look for evidence of scanning activity, such as installed network scanning tools or listening ports on the system that you do not recognize. Close any unnecessary ports and remove any unauthorized software to reduce the risk of a successful attack.

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise
Active Scanning, Technique T1595 - Enterprise