• An internal host is sending very similar payloads to several internal targets
  • This may be the result of an infected host sending one or more exploits to other hosts in an attempt to infect them

Possible Root Causes

  • An infected host which is part of a botnet is trying to expand the botnet’s footprint by infecting additional hosts
  • An infected host which is taking part in a targeted attack is trying to spread laterally in an effort to get closer to data it wants to exfiltrate
  • An agent on the host is utilizing unusual techniques to discover an available service

Business Impact

  • Internal spreading of botnet-related malware often is repeated by the next infected host, thus mimicking a computer worm and rapidly infecting all possible hosts
  • A wide scale spread of botnet-related malware will incur significant remediation costs
  • Lateral spread which is part of a targeted attack makes the attack more resilient and gets it closer to your crown jewels

Steps to Verify

  1. Look at the protocol and port listed in the detection to determine what network service is being exploited
  2. Determine if there’s any reason for this host to be communicating these services on the listed targets
  3. Try to ascertain what software on this host would emit the traffic being seen
  4. Examine the packet capture file to see if this appears to be a network discovery attempt