synscan_internal_external

Explanation

The synscan_internal_external NDM detects SYN scanning activity exiting the network. This event is triggered when an internal IP is found to be scanning external IPs via multiple SYN packets.

What to Look For

To properly examine the results of the synscan_internal_external NDM, you should check for activity on both the network and the endpoint. On the network, look for a large number of SYN packets being sent from a single internal IP address to multiple external IPs, matching the direction this NDM detects. On the endpoint, look for any unusual activity or processes running that could be related to the scanning activity. You should take immediate action to remediate any detected scanning activity to limit the risk to the network.
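
The check described above, as an added example that is not part of the NDM's own implementation: a small Python function that counts bare-SYN packets from each internal source to distinct external destinations and reports sources above a threshold, while ignoring SYN-ACK replies, inbound scans and internal-to-internal traffic. The RFC 1918 ranges used to define "internal", the threshold of 10 and the sample packets are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges treated as "internal" for this example (an assumption;
# a real deployment would use the organisation's own address inventory).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def syn_scan_sources(packets, threshold=10):
    """Return {internal_src: sorted external dsts} for each internal source whose
    bare-SYN packets reached more than `threshold` distinct external IPs.
    packets: iterable of (src_ip, dst_ip, tcp_flags), flags like "S", "SA", "A"."""
    targets = defaultdict(set)
    for src, dst, flags in packets:
        if flags != "S":                          # bare SYNs only, not SYN-ACK replies
            continue
        if not is_internal(src) or is_internal(dst):
            continue                              # wrong direction for this model
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) > threshold}

# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = (
    # 10.0.0.5 probes 12 external hosts: the case this model should flag
    [("10.0.0.5", f"203.0.113.{i}", "S") for i in range(1, 13)]
    # 10.0.0.7 opens two normal connections and receives SYN-ACKs back
    + [("10.0.0.7", "198.51.100.1", "S"), ("198.51.100.1", "10.0.0.7", "SA"),
       ("10.0.0.7", "198.51.100.2", "S"), ("198.51.100.2", "10.0.0.7", "SA")]
    # external host probing inside: inbound, so out of scope for this model
    + [("198.51.100.9", f"10.0.0.{i}", "S") for i in range(1, 30)]
    # internal host probing internal hosts: lateral, also out of scope here
    + [("10.0.0.8", f"10.0.1.{i}", "S") for i in range(1, 30)]
)

if __name__ == "__main__":
    for src, dsts in syn_scan_sources(SAMPLE_PACKETS).items():
        print(f"{src} sent bare SYNs to {len(dsts)} external IPs, e.g. {dsts[:3]}")
```

Only 10.0.0.5 is reported; the inbound and internal-only probes would belong to other models.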

Related MITRE ATT&CK Categories

Network Service Discovery, Technique T1046 - Enterprise

Active Scanning, Technique T1595 - Enterprise