Triggers
- An internal host is sending very similar payloads to several internal targets
- This is consistent with an infected host delivering the same exploit (or a small set of exploits) to one target after another in an attempt to infect them
Possible Root Causes
- An infected host which is part of a botnet is trying to expand the botnet’s footprint by infecting additional hosts
- An infected host which is taking part in a targeted attack is trying to spread laterally in an effort to get closer to data it wants to exfiltrate
- A legitimate agent on the host is using an unusual technique to discover an available service, which can produce near-identical probes to many hosts
Business Impact
- Each host newly infected by botnet-related malware typically repeats the spreading, so the malware propagates like a computer worm and can rapidly reach every vulnerable host it can connect to
- A wide-scale spread of botnet-related malware incurs significant remediation costs, since every infected host must be identified and cleaned
- Lateral spread that is part of a targeted attack makes the attack more resilient to cleanup of any single host and brings the attacker closer to your crown jewels
Steps to Verify
- Look at the protocol and port listed in the detection to determine which network service is being targeted
- Determine whether there is any legitimate reason for this host to be communicating with these services on the listed targets
- Try to ascertain what software on this host would emit the traffic being seen
- Examine the packet capture file to see whether this is a network discovery attempt rather than exploit delivery; discovery traffic generally consists of short probes spread across many ports or hosts, whereas replication carries a larger, near-identical payload to the same port on each target
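The following is an added example, not code from the original page or from any detection product, of the two checks the verification steps above describe: first, grouping flows by source host and service and flagging a source whose payloads to several distinct internal targets are near-identical (allowing for target-specific bytes such as a hostname); second, separating that pattern from network discovery, where a host sends many small probes to different ports. The flow records, internal address range, thresholds, and helper names are all assumptions constructed for this illustration.

```python
"""Flag hosts pushing near-identical payloads to many internal targets, and
separately flag hosts that look like they are doing port/service discovery.

Constructed illustration; thresholds and the internal range are assumptions.
"""
import difflib
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site's internal range
MIN_TARGETS = 3        # assumption: distinct internal targets needed before alerting
MIN_SIMILARITY = 0.90  # assumption: lowest pairwise difflib ratio still "very similar"
MIN_PAYLOAD = 64       # assumption: shorter payloads are probes, handled as discovery
MIN_PROBE_PORTS = 3    # assumption: distinct ports on one target that indicate discovery


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def similarity(a, b):
    # difflib treats the bytes as sequences of ints; autojunk is off so its
    # popularity heuristic cannot distort the ratio on short payloads.
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def find_replicators(flows):
    """Return sources that send a near-identical payload to MIN_TARGETS or more
    distinct internal hosts on the same (proto, dport). Payloads may differ in
    a few target-specific bytes and still count as the same exploit."""
    by_service = defaultdict(dict)  # (src, proto, dport) -> {dst: first payload}
    for src, dst, proto, dport, payload in flows:
        if dst == src or not is_internal(dst) or len(payload) < MIN_PAYLOAD:
            continue
        by_service[(src, proto, dport)].setdefault(dst, payload)

    findings = []
    for (src, proto, dport), per_dst in by_service.items():
        if len(per_dst) < MIN_TARGETS:
            continue
        payloads = list(per_dst.values())
        # The weakest pairwise match decides: every target must have received
        # essentially the same bytes for this to be replication.
        worst = min(similarity(payloads[i], payloads[j])
                    for i in range(len(payloads))
                    for j in range(i + 1, len(payloads)))
        if worst >= MIN_SIMILARITY:
            findings.append({"src": src, "proto": proto, "dport": dport,
                             "targets": sorted(per_dst),
                             "min_similarity": round(worst, 3)})
    return findings


def find_discovery(flows):
    """Return (src, dst) pairs where the source touched MIN_PROBE_PORTS or more
    ports on one internal host with small payloads: discovery, not replication."""
    ports = defaultdict(set)  # (src, dst) -> {dport}
    for src, dst, proto, dport, payload in flows:
        if dst != src and is_internal(dst) and len(payload) < MIN_PAYLOAD:
            ports[(src, dst)].add(dport)
    return [{"src": s, "dst": d, "ports": sorted(p)}
            for (s, d), p in ports.items() if len(p) >= MIN_PROBE_PORTS]


# Constructed sample: a 110-byte fixed blob followed by a target-specific name,
# modelling an exploit buffer whose only per-victim difference is a hostname.
_BLOB = bytes(range(110))


def _exploit_for(name):
    return _BLOB + b"\x00" + name


SAMPLE_FLOWS = [  # (src, dst, proto, dport, first payload bytes)
    # 10.0.1.5 pushes the same buffer to three SMB targets: replication
    ("10.0.1.5", "10.0.1.10", "tcp", 445, _exploit_for(b"WS01")),
    ("10.0.1.5", "10.0.1.11", "tcp", 445, _exploit_for(b"WS02")),
    ("10.0.1.5", "10.0.1.12", "tcp", 445, _exploit_for(b"WS03")),
    ("10.0.1.5", "8.8.8.8",   "udp",  53, _exploit_for(b"EXT")),  # external, ignored
    # 10.0.2.7 sends tiny probes to many ports on one host: discovery
    ("10.0.2.7", "10.0.2.20", "tcp",   22, b"SSH-2.0-probe\r\n"),
    ("10.0.2.7", "10.0.2.20", "tcp",   80, b"HEAD / HTTP/1.0\r\n\r\n"),
    ("10.0.2.7", "10.0.2.20", "tcp",  443, b"\x16\x03\x01"),
    ("10.0.2.7", "10.0.2.20", "tcp", 3389, b"\x03\x00\x00\x13"),
    # 10.0.3.3 re-sends one buffer to a single target: too few targets to alert
    ("10.0.3.3", "10.0.3.30", "tcp", 445, _exploit_for(b"SRV01")),
    ("10.0.3.3", "10.0.3.30", "tcp", 445, _exploit_for(b"SRV01")),
]

if __name__ == "__main__":
    for f in find_replicators(SAMPLE_FLOWS):
        print("replication:", f)
    for d in find_discovery(SAMPLE_FLOWS):
        print("discovery:", d)
```

On real data the payload column would come from the first data segment of each flow in the packet capture; the point of the pairwise similarity check rather than an exact hash is that exploit buffers often embed the victim's name or address, so byte-for-byte equality would miss exactly the traffic the trigger describes.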