Playbook PB-34: Suspicious Network Discovery
Severity: Medium–High | Category: Discovery | MITRE: T1046, T1135, T1018, T1016, T1049, T1082
Decision Flow
```mermaid
graph TD
Alert["🚨 Scan Detected"] --> Auth{"🔑 Authorized?"}
Auth -->|Pentest/IT admin| Close["✅ Close Alert"]
Auth -->|Unknown| Investigate["🔍 Investigate Source"]
Investigate --> Compromised{"🦠 Compromised Host?"}
Compromised -->|Yes| Isolate["🔌 Isolate + Full IR"]
Compromised -->|No| Block["🚫 Block + Monitor"]
```
Scan Detection Flow
```mermaid
graph LR
Scanner["📡 Scan"] --> IDS["🛡️ IDS/IPS"]
IDS --> Alert["🚨 SOC Alert"]
Scanner --> Honeypot["🍯 Honeypot"]
Honeypot --> Alert
Alert --> Investigate["🔎 Investigate Source"]
style Scanner fill:#e74c3c,color:#fff
style Honeypot fill:#f39c12,color:#fff
style Alert fill:#c0392b,color:#fff
```
Honeypot Trigger Flow
```mermaid
sequenceDiagram
participant Attacker
participant Honeypot as 🍯 Honeypot
participant SOC
participant EDR
Attacker->>Honeypot: Port scan / connect
Honeypot->>SOC: 🚨 Alert + source IP
SOC->>EDR: Investigate source host
EDR-->>SOC: Found malware!
SOC->>EDR: Isolate host
```
Description
An attacker conducts internal reconnaissance to map the network topology, identify live hosts, discover file shares, and enumerate services. This information enables lateral movement, privilege escalation, and data exfiltration. Discovery often follows initial access and precedes lateral movement.
Detection Sources
| Source | Alert Examples |
|---|---|
| EDR | Port scanning tools (nmap, Advanced IP Scanner), network enumeration commands |
| SIEM | High volume of failed connections, ICMP sweeps, SMB share enumeration |
| Network | Unusual ARP requests, rapid sequential connections to multiple hosts |
| Domain Controller | LDAP queries for all computers/users, BloodHound activity |
Triage Checklist
| # | Step | Action |
|---|---|---|
| 1 | Identify the source | Who is running discovery commands? Normal admin or compromised account? |
| 2 | Check context | Is this part of scheduled IT operations (patching, inventory)? |
| 3 | Review commands | Look for: net view, net share, nltest, arp -a, nmap, ping sweep, PowerShell AD cmdlets |
| 4 | Check device | Is the source a workstation or server? Domain-joined? Expected user? |
| 5 | Timeline | When did activity start? Does it correlate with initial access alerts? |
| 6 | Volume | How many hosts/ports targeted? Rapid scanning = likely automated |
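The checklist above asks who ran the commands, whether they had a reason to, and how quickly the activity unfolded. As an added example (not part of the playbook or any vendor's tooling), the Python below applies the command indicators from step 3 and the Key Indicators table to constructed EDR process-creation events, maps each hit to the ATT&CK technique IDs in the playbook header, and raises one alert per host/user pair when several distinct techniques land inside a short window. The `netstat` and `systeminfo` patterns (for T1049 and T1082, which the header lists without example commands), the ten-minute window, the three-technique threshold and the `svc_inventory` allowlist entry are assumptions for this example.

```python
"""Flag bursts of discovery commands in EDR process-creation events.

Added example for this playbook; the event records below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command indicators from the playbook's triage checklist and Key Indicators table,
# mapped to the ATT&CK technique IDs in the playbook header. netstat and systeminfo
# are assumptions added here for T1049/T1082, which the header lists without commands.
DISCOVERY_PATTERNS = [
    (re.compile(r"\bnet(\.exe)?\s+view\b", re.I), "T1018"),               # Remote System Discovery
    (re.compile(r"\bnet(\.exe)?\s+share\b", re.I), "T1135"),              # Network Share Discovery
    (re.compile(r"\bnltest(\.exe)?\b", re.I), "T1018"),
    (re.compile(r"\bGet-ADComputer\b", re.I), "T1018"),
    (re.compile(r"\bnslookup(\.exe)?\b", re.I), "T1018"),
    (re.compile(r"SharpHound|Invoke-BloodHound", re.I), "T1018"),
    (re.compile(r"\barp(\.exe)?\s+-a\b", re.I), "T1016"),                 # System Network Configuration Discovery
    (re.compile(r"\b(nmap|masscan|nbtscan|arp-scan)\b", re.I), "T1046"),  # Network Service Discovery
    (re.compile(r"\bnetstat(\.exe)?\b", re.I), "T1049"),                  # System Network Connections Discovery
    (re.compile(r"\bsysteminfo(\.exe)?\b", re.I), "T1082"),               # System Information Discovery
]


def classify_command(command_line):
    """Return the ATT&CK technique ID for a discovery command, or None if benign."""
    for pattern, technique in DISCOVERY_PATTERNS:
        if pattern.search(command_line):
            return technique
    return None


def _short_user(user):
    """Drop a DOMAIN\\ prefix so the allowlist can hold bare usernames."""
    return user.rsplit("\\", 1)[-1].lower()


def detect_discovery_bursts(events, authorized_users=frozenset(),
                            window=timedelta(minutes=10), min_techniques=3):
    """Group discovery commands by (host, user) and alert when at least
    `min_techniques` distinct techniques occur within `window` (triage step 6:
    many techniques in quick succession points to tooling, not an admin typing).
    Authorized users (triage steps 1-2) still produce a record, marked for closure."""
    hits = defaultdict(list)
    for ev in events:
        technique = classify_command(ev["command_line"])
        if technique is None:
            continue
        ts = datetime.fromisoformat(ev["timestamp"])
        hits[(ev["host"], ev["user"])].append((ts, technique, ev["command_line"]))

    alerts = []
    for (host, user), actor_hits in hits.items():
        actor_hits.sort()
        for i, (start, _, _) in enumerate(actor_hits):
            in_window = [h for h in actor_hits[i:] if h[0] - start <= window]
            techniques = sorted({h[1] for h in in_window})
            if len(techniques) >= min_techniques:
                alerts.append({
                    "host": host, "user": user,
                    "start": start.isoformat(), "end": in_window[-1][0].isoformat(),
                    "techniques": techniques,
                    "commands": [h[2] for h in in_window],
                    "disposition": "close_authorized" if _short_user(user) in authorized_users else "investigate",
                })
                break  # one alert per actor; later commands belong to the same case
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample events (not real telemetry): a burst on a workstation, an
# authorized inventory account doing the same on an admin server, and a user whose
# discovery commands are spread too thinly to cross the threshold.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:00:05", "host": "WS-1042", "user": "CORP\\jdoe", "command_line": "net view /domain"},
    {"timestamp": "2024-05-01T09:01:10", "host": "WS-1042", "user": "CORP\\jdoe", "command_line": "net share"},
    {"timestamp": "2024-05-01T09:02:30", "host": "WS-1042", "user": "CORP\\jdoe", "command_line": "arp -a"},
    {"timestamp": "2024-05-01T09:04:00", "host": "WS-1042", "user": "CORP\\jdoe", "command_line": "nltest /dclist:corp"},
    {"timestamp": "2024-05-01T09:05:00", "host": "WS-1042", "user": "CORP\\jdoe", "command_line": "notepad.exe notes.txt"},
    {"timestamp": "2024-05-01T02:00:00", "host": "SRV-ADM01", "user": "CORP\\svc_inventory", "command_line": "Get-ADComputer -Filter *"},
    {"timestamp": "2024-05-01T02:00:20", "host": "SRV-ADM01", "user": "CORP\\svc_inventory", "command_line": "nbtscan -r 10.20.0.0/16"},
    {"timestamp": "2024-05-01T02:01:00", "host": "SRV-ADM01", "user": "CORP\\svc_inventory", "command_line": "systeminfo"},
    {"timestamp": "2024-05-01T11:00:00", "host": "WS-2001", "user": "CORP\\asmith", "command_line": "nslookup mail.corp.local"},
    {"timestamp": "2024-05-01T11:30:00", "host": "WS-2001", "user": "CORP\\asmith", "command_line": "arp -a"},
    {"timestamp": "2024-05-01T11:45:00", "host": "WS-2001", "user": "CORP\\asmith", "command_line": "net share"},
]

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS, authorized_users={"svc_inventory"}):
        print(alert["host"], alert["user"], alert["disposition"], alert["techniques"])
```

Counting distinct techniques rather than raw command count keeps a help-desk user who runs `arp -a` five times from tripping the rule, while an account that enumerates shares, hosts and network configuration in a few minutes does. The WS-2001 user spreads the same commands over 45 minutes and is not alerted at the default threshold; lowering `min_techniques` to 1 surfaces that slower activity for a hunt.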
Response Actions
Tier 1
- Document the source host, user, and commands observed
- Check if user has legitimate reason for network scanning (IT admin, authorized pentest)
- If unauthorized → Escalate to Tier 2
Tier 2
- Investigate the source host for signs of compromise (malware, unauthorized access)
- Check for preceding initial access indicators (phishing click, exploit)
- Search for follow-up activity: lateral movement, credential dumping
- If confirmed malicious:
  - Isolate the source host via EDR
  - Disable the compromised account
  - Block scanning tools via endpoint policy
Tier 3
- Conduct full forensic investigation of the source host
- Map the full attack chain: initial access → discovery → next stages
- Review network segmentation — could the attacker reach critical assets?
- Update detection rules for discovery techniques observed
Containment
| Action | Method | Approval |
|---|---|---|
| Isolate source host | EDR network isolation | SOC Lead |
| Disable user account | Active Directory / IAM | SOC Lead |
| Block scanning tools | Application control / EDR policy | Change request |
| Restrict network access | Firewall / microsegmentation | Network team + SOC Lead |
| Enable enhanced logging | SIEM + EDR verbose mode | SOC Lead |
Eradication
| # | Action | Done |
|---|---|---|
| 1 | Remove scanning tools and scripts from endpoint | ☐ |
| 2 | Kill active scanning processes | ☐ |
| 3 | Remove persistence mechanisms (scheduled tasks, services) | ☐ |
| 4 | Reset compromised credentials (if applicable) | ☐ |
| 5 | Patch exploited vulnerability used for initial access | ☐ |
| 6 | Clear attacker's cached AD/LDAP query results | ☐ |
IoC Collection
| Type | Value | Source |
|---|---|---|
| Source IP / hostname | | EDR / SIEM |
| User account | | AD logs |
| Scanning tool name | | Process logs |
| Scan targets (IP ranges) | | Network logs |
| Commands executed | | EDR command history |
| Scan output files | | Forensic image |
| Associated malware hash | | EDR / sandbox |
| C2 domain (if post-exploitation) | | DNS / proxy logs |
Escalation Criteria
| Condition | Escalate To |
|---|---|
| Scanning from compromised host (malware confirmed) | Tier 2 + IR Lead |
| Discovery activity followed by lateral movement | Tier 3 + CISO |
| Domain controller or critical server targeted | SOC Manager + System Owners |
| BloodHound / SharpHound collection detected | Tier 3 + AD Security |
| Scanning originates from external IP | Tier 2 + Network Team |
| > 100 hosts or > 1,000 ports scanned | SOC Lead |
Recovery
Post-Incident
Key Indicators
| Indicator | Example |
|---|---|
| Processes | nmap, masscan, Advanced IP Scanner, arp-scan, nbtscan |
| Commands | net view /domain, nltest /dclist:, Get-ADComputer, arp -a, nslookup |
| Network | ICMP sweep, TCP SYN to sequential IPs, excessive SMB (445) connections |
| AD Queries | LDAP objectCategory=computer, BloodHound's SharpHound collector |
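The Network row above and the escalation table before it describe what scanning looks like on the wire and who gets paged, but not how to turn a batch of connection records into those decisions. As an added example (not part of the playbook or any product), the Python below profiles each source address over one time window, labels the network indicators listed above (sequential targets, ICMP sweep, SMB fan-out, failed-connection volume) and then applies three rows of the Escalation Criteria table: the host/port count thresholds, the external-source rule and the critical-asset rule. The CSV flow format, the Zeek-style connection states, the alerting thresholds below the escalation numbers, the RFC 1918 ranges used to define "internal", and every address in the sample data are constructed assumptions.

```python
"""Score connection logs for scan patterns and route them with the playbook's
escalation criteria.

Added example for this playbook; the flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# The two numeric thresholds are the playbook's escalation criteria; the rest
# are tuning assumptions for this example.
ESCALATE_HOSTS = 100        # "> 100 hosts scanned" -> SOC Lead
ESCALATE_PORTS = 1000       # "> 1,000 ports scanned" -> SOC Lead
ALERT_HOSTS = 20            # assumed: distinct destinations before calling it a sweep
ALERT_PORTS = 50            # assumed: distinct ports before calling it a port scan
SEQUENTIAL_FRACTION = 0.8   # assumed: share of +1 address steps that marks sequential targeting
FAILURE_RATIO = 0.5         # assumed: share of unanswered/rejected flows typical of scanning
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Parse one constructed CSV flow record: ts,src,dst,proto,dport,state."""
    ts, src, dst, proto, dport, state = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport) if dport else None, "state": state}


def sequential_fraction(addresses):
    """Fraction of sorted distinct targets that are exactly one address apart."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    if len(ints) < 2:
        return 0.0
    return sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1) / (len(ints) - 1)


def profile_sources(lines):
    """Aggregate per-source features over one batch of flows (one time window)."""
    blank = lambda: {"dsts": set(), "ports": set(), "icmp_dsts": set(),
                     "smb_dsts": set(), "failed": 0, "total": 0}
    profiles = defaultdict(blank)
    for line in lines:
        f = parse_flow(line)
        p = profiles[f["src"]]
        p["total"] += 1
        p["dsts"].add(f["dst"])
        if f["proto"] == "icmp":
            p["icmp_dsts"].add(f["dst"])
        else:
            p["ports"].add(f["dport"])
            if f["dport"] == 445:
                p["smb_dsts"].add(f["dst"])
        if f["state"] in ("S0", "REJ", "RSTO"):  # Zeek-style: no reply / rejected / reset
            p["failed"] += 1
    return profiles


def assess(src, p, critical_assets=frozenset()):
    """Map one source profile to Key Indicators findings and escalation routing."""
    findings, escalate = [], []
    hosts, ports = len(p["dsts"]), len(p["ports"])
    if hosts >= ALERT_HOSTS:
        findings.append("host_sweep")
        if sequential_fraction(p["dsts"]) >= SEQUENTIAL_FRACTION:
            findings.append("sequential_targets")       # "TCP SYN to sequential IPs"
    if ports >= ALERT_PORTS:
        findings.append("port_scan")
    if len(p["icmp_dsts"]) >= ALERT_HOSTS:
        findings.append("icmp_sweep")                   # "ICMP sweep"
    if len(p["smb_dsts"]) >= ALERT_HOSTS:
        findings.append("smb_enumeration")              # "excessive SMB (445) connections"
    if p["total"] and p["failed"] / p["total"] >= FAILURE_RATIO:
        findings.append("high_failure_ratio")           # "High volume of failed connections"
    if hosts > ESCALATE_HOSTS or ports > ESCALATE_PORTS:
        escalate.append("SOC Lead")
    if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
        escalate.append("Tier 2 + Network Team")        # "Scanning originates from external IP"
    if p["dsts"] & critical_assets:
        escalate.append("SOC Manager + System Owners")  # "Domain controller or critical server targeted"
    return {"src": src, "hosts": hosts, "ports": ports, "findings": findings, "escalate": escalate}


def detect_scans(lines, critical_assets=frozenset()):
    """Return assessments for every source with at least one finding, lowest IP first."""
    results = [assess(src, p, critical_assets) for src, p in profile_sources(lines).items()]
    return sorted((r for r in results if r["findings"]), key=lambda r: ipaddress.ip_address(r["src"]))


def build_sample_flows():
    """Constructed flows: an internal SMB sweep over 150 hosts, an external scan of
    1,200 ports on one host, an ICMP sweep below the escalation thresholds, and
    benign HTTPS traffic. 203.0.113.9 is a documentation-range address."""
    lines = [f"2024-05-01T09:00:{i % 60:02d},10.0.5.17,10.0.20.{i},tcp,445,REJ" for i in range(1, 151)]
    lines += [f"2024-05-01T09:10:00,203.0.113.9,10.0.1.10,tcp,{port},S0" for port in range(1, 1201)]
    lines += [f"2024-05-01T09:20:00,10.0.7.22,10.0.30.{i},icmp,,OTH" for i in range(1, 41)]
    lines += [f"2024-05-01T09:30:00,10.0.9.3,10.0.40.{i},tcp,443,SF" for i in (1, 2, 3)]
    return lines


if __name__ == "__main__":
    # 10.0.20.5 stands in for a domain controller on the critical-asset list.
    for r in detect_scans(build_sample_flows(), critical_assets={"10.0.20.5"}):
        print(r["src"], r["hosts"], "hosts", r["ports"], "ports", r["findings"], r["escalate"])
```

Keeping the indicator labels and the escalation routing as separate lists mirrors the playbook: the findings tell the analyst what the traffic looked like, while the escalation list says who the ticket goes to, and a sweep of 40 hosts is still worth a Tier 1 look even though it pages nobody. Defining "internal" from the organisation's own ranges, rather than from a library's notion of private space, is deliberate: documentation and test ranges such as 203.0.113.0/24 would otherwise be misclassified.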
Network Visibility Stack
```mermaid
graph LR
IDS["🛡️ IDS/IPS"] --> SIEM["📊 SIEM"]
NDR["📡 NDR"] --> SIEM
Honeypot["🍯 Honeypot"] --> SIEM
FW["🔥 Firewall"] --> SIEM
SIEM --> SOC["🎯 SOC Alert"]
style IDS fill:#3498db,color:#fff
style NDR fill:#27ae60,color:#fff
style Honeypot fill:#f39c12,color:#fff
style SOC fill:#e74c3c,color:#fff
```
```mermaid
graph TD
Tools["🔍 Scan Tools"] --> External["🌐 External"]
Tools --> Internal["🏠 Internal"]
External --> Nmap["nmap"]
External --> Masscan["masscan"]
Internal --> NBTScan["nbtscan"]
Internal --> BloodHound["SharpHound"]
Internal --> PowerView["PowerView"]
style External fill:#e74c3c,color:#fff
style Internal fill:#f39c12,color:#fff
```
Detection Rules (Sigma)
References