Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Back to all detections
Reconnaissance

Internal Darknet Scan

Internal Darknet Scan
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

The Internal Darknet Scan detection identifies attempts by an internal host to scan IP addresses within the organization's network that are not actively used or publicly advertised (often referred to as "darknet" space). This type of activity is typically associated with reconnaissance efforts to discover hidden or unused network segments that could be leveraged for malicious purposes.

Triggers

  • An internal host has contacted a number of internal IPs that have not been active in the recent past
  • Darknet detections cover longer periods than port scans and ignore contact to systems which do not respond to this host, but which are otherwise active

Root Causes

  • An infected internal system that is part of targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
  • A vulnerability scanner or asset discovery system is mapping systems in your network
  • A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services

Business Impact

  • Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior

Steps to Verify

  • Check to see if the detected host should be authorized for network scans
  • Look at the pattern of IP addresses being scanned to determine the intent of the scan
  • If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests
Internal Darknet Scan

Possible root causes

Malicious Detection

  • An attacker inside the network attempting to discover hidden or unused IP addresses that could be used for lateral movement or data exfiltration.
  • Compromised internal host running malware that performs network scanning to identify potential targets within the organization's internal network.
  • Insider threat where an internal user conducts unauthorized network reconnaissance to find unsecured devices or services.

Benign Detection

  • Network administrators performing legitimate network mapping or maintenance activities.
  • Security assessments or vulnerability scans that include probing darknet spaces as part of their methodology.
  • Misconfigured network monitoring tools generating traffic that resembles darknet scans.
Internal Darknet Scan

Example scenarios

Scenario 1: An internal host generates a high volume of scan probes targeting a range of IP addresses within the darknet space. Investigation reveals that the host is compromised, and the attacker is mapping the network to identify potential targets for lateral movement.

Scenario 2: A sudden spike in network traffic is detected, originating from a security team's vulnerability scanner. Verification with the IT department confirms that the activity is part of a scheduled security assessment, and the detected behavior is legitimate.

Internal Darknet Scan

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Exposure of Hidden Assets

Discovery and exploitation of hidden or unused network segments can lead to unauthorized access to sensitive data or systems.

Increased Risk of Lateral Movement

Attackers can use information gathered from darknet scans to move laterally within the network, escalating privileges and accessing critical resources.

Potential Operational Disruption

High volumes of scan traffic can cause network congestion and impact the performance of legitimate network operations.

Internal Darknet Scan

Steps to investigate

Review Network Traffic Logs

Analyze logs to identify the source of the scan probes and the targeted IP addresses. Look for patterns and repeated attempts.

Identify the Source

Determine the internal host generating the darknet scan traffic. Verify if the host and user are authorized to perform such actions.

Check for Associated Activity

Look for other signs of compromise or suspicious behavior linked to the scanning host, such as malware alerts, unusual login attempts, or data exfiltration activities.

Consult with IT and Security Teams

Confirm if any legitimate network mapping, security assessments, or maintenance activities could explain the detected darknet scan behavior.

Internal Darknet Scan

MITRE ATT&CK techniques covered

System Information Discovery

T1082

Remote System Discovery

T1018

Software Deployment Tools

T1072

Network Service Discovery

T1046

System Network Configuration Discovery

T1016
Internal Darknet Scan

Related detections

SMB Account Scan

Kerberos Account Scan

Suspicious Port Scan

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What is an Internal Darknet Scan?

An Internal Darknet Scan involves probing internal IP addresses within a network that are not actively used or publicly advertised, typically as part of reconnaissance efforts to discover hidden or unused network segments.

What are the common signs of an Internal Darknet Scan?

Common signs include multiple scan probes to unassigned IP addresses, high volumes of connection attempts to dark network segments, and unusual network traffic patterns.

Can legitimate software trigger this detection?

Yes, network mapping, security assessments, and misconfigured network monitoring tools can generate traffic that resembles darknet scans.

How does Vectra AI identify Internal Darknet Scans?

Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic patterns and identify anomalies indicative of darknet scanning activities.

What is the business impact of an Internal Darknet Scan?

It can lead to exposure of hidden assets, increased risk of lateral movement, and potential operational disruption due to high volumes of scan traffic.

How can I detect an Internal Darknet Scan in my network?

Detect Internal Darknet Scans by monitoring for scan probes to IP addresses within the darknet space, high volumes of connection attempts from single sources, and unusual traffic patterns involving non-active network segments.

Why are Internal Darknet Scans a significant threat?

They can reveal hidden or unused network assets that may be exploited by attackers, leading to unauthorized access, lateral movement, and potential data breaches.

What steps should I take if I detect an Internal Darknet Scan?

Investigate the source and scope of the scan activity, check for associated suspicious behaviors, review logs, and consult with IT and security teams to verify if the activity is legitimate.

What tools can help verify the presence of an Internal Darknet Scan?

Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious internal darknet scan activities.

How can I prevent Internal Darknet Scans?

Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.