
Let's suppose a host machine in the client environment has been infected and it's performing port scanning on other machines within the LAN or the same network without passing through the firewall:

  1. On what basis can we write an alert in a SIEM tool to catch this port scanning?
  2. Do Windows machines log this kind of activity or not? If yes, where can I find the logs?

Basically, if the event is happening across the firewall we can write an alert based on the firewall, but if this activity is happening within the LAN, then how do we detect it?

When the infected machine tries to send the details to the attacker, how can we get hold of it?

The communication can occur through mail by a worm or through a high-level port which the client might be using for some other service.

santosh407

3 Answers

Every connection within your LAN must go through a router or switch. Some routers allow access control lists, which can block/allow connections to specific ports and services. Each host may also implement internal firewall rules to only broadcast a service to specific hosts; this, however, means more management and operational overhead. Another option is to have a NIDS monitor for this sort of thing. (Here is how to do it in Snort.)

Remember that a port scan is not the only way to find out which services the infected machine accesses: by just listening to the open connections for a period of time, the virus/trojan/malware can gather which machines within your network are accessed and on which ports. Not a 100% sure approach, but helpful nonetheless.

Purefan
  • What would be helpful is: suppose, for example, the infected machine is trying to perform an NMAP scan; is it possible to see the logged events on a Windows or Unix machine, and where? Similarly, there are many methods to perform a port scan, so is it possible to detect them either using the host machine firewall, or through logged events, or any other way, so that we can write an alert for the same in the SIEM tool? – santosh407 Jul 31 '15 at 10:52
  • Snort can detect these scans and create alerts; if you want to integrate it with a SIEM, look at Aanval – Purefan Jul 31 '15 at 11:56

"Let's suppose a host machine in the client environment has been infected and it's performing port scanning on other machines within the LAN or the same network without passing through the firewall:"

Typically, if a host within your environment gets infected, it's not going to be port scanning other devices on your LAN. At least in my experience. It's typically going to be reaching out to an external destination (command and control server).

"On what basis can we write an alert in a SIEM tool to catch this port scanning? Do Windows machines log this kind of activity or not? If yes, where can I find the logs? Basically, if the event is happening across the firewall we can write an alert based on the firewall, but if this activity is happening within the LAN, then how do we detect it?"

It may help to list the actual SIEM that you're using. Typically, you can use regular expressions to detect activity that you're interested in. So you may specify a particular port that you're interested in, or you could detect a port sweep by defining the different hosts that you're concerned with and the port. There are multiple ways to look for this type of activity and it may differ by SIEM. I don't think the Windows Event logs will show you this type of activity.

"When the infected machine tries to send the details to the attacker, how can we get hold of it? The communication can occur through mail by a worm or through a high-level port which the client might be using for some other service."

I'm not 100% sure what you're asking here, but if you detect a host on your network that's sending out abnormal traffic, you should triage from there and perform incident response. If you're trying to detect abnormal outbound mail traffic, then look for massive amounts of outbound activity on port 25.

I hope this helps.

shift_tab

Compromised devices on your network may scan the rest of your network; this will allow the attacker to find further vulnerabilities and pivot around your network. If a machine is performing a scan on its own network segment and the scanning activity never leaves that network segment, then detection by a SIEM will depend on how that network segment is configured to collect logs and forward them, either directly to the SIEM or to a central location that will connect to the SIEM.

In general, most SIEM solutions will have connectors or parsers that automatically collect logs for things like port scans without a great deal of configuration being required; these logs may come from a central repository that collects all the host-based Windows Firewall logs (or other third-party host-based firewall logs, or something similar) and then parses them into the SIEM. The exact topology can vary depending on what is required. All the standard TCP or UDP scanning techniques should be easily recognized by the SIEM and come with the built-in content.

Ideally, assets with high criticality will be tied down with strict ACLs so that any anomalous behaviour will be easily spotted by simply configuring a rule saying: if any highly critical device receives any layer 4 traffic from any asset that it is not supposed to, fire a rule which will generate an alert. How you go about this will depend on the SIEM tool you are using.

For a general "catch all Windows port scanning" rule, the filter for detecting the port scan should look something like the following:

Device Vendor = Microsoft
Device Product = Windows
Category Behaviour = Port Scan (TCP segments with certain flag settings on N+ ports)
Category Outcome = Success OR Failure (TCP Connection complete or not)
Device type != Firewall

Aggregate if the following is true

Target port = unique (Each port should be unique, i.e port 80, 8080, 443, 22 etc)

Attacker address = identical (All traffic originating from the same IP)

Attacker zone = identical (This can be a tag you have configured in your SIEM to uniquely identify heterogeneous areas of your environment(s))

Target address = range of IP address (a VLAN for example)

You can then write a rule that says: on every event, or on any N number of correlated events matching the criteria of the filter, generate an alert.

Disclaimer: This rule is really for explanation purposes and is likely to generate a lot of noise and false positives, so it will require a great deal of tuning and testing to ensure it is harmonious and tailored to your environment. Additionally, there are many differing ways to achieve the same result, but this is how I would personally tackle this problem.

TheJulyPlot
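The aggregation logic in the answer above (identical attacker address, unique target ports, targets within one address range, N or more hits in a window, ALLOW and DROP both counted) can be prototyped outside a SIEM to check what the forwarded host-firewall logs would actually trigger on. The following is an added example, not code from the answer or from any SIEM product; it assumes the field order of the Windows Firewall pfirewall.log file, and the log lines, threshold and window are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines laid out like Windows Firewall pfirewall.log entries:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
# 10.0.5.23 touches six ports on three hosts in two seconds; 10.0.5.7 is normal HTTPS use.
SAMPLE_LOG = """\
2015-07-31 10:52:01 DROP TCP 10.0.5.23 10.0.5.40 51000 22 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:52:01 DROP TCP 10.0.5.23 10.0.5.40 51001 80 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:52:02 ALLOW TCP 10.0.5.23 10.0.5.41 51002 443 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:52:02 DROP TCP 10.0.5.23 10.0.5.41 51003 8080 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:52:03 DROP TCP 10.0.5.23 10.0.5.42 51004 3389 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:52:03 DROP TCP 10.0.5.23 10.0.5.42 51005 445 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:53:10 ALLOW TCP 10.0.5.7 10.0.5.40 49152 443 52 S 0 0 0 - - - RECEIVE
2015-07-31 10:53:11 ALLOW TCP 10.0.5.7 10.0.5.40 49153 443 52 S 0 0 0 - - - RECEIVE
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+) ")

def parse(log_text):
    """Yield (timestamp, action, src, dst, dport) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips '#Fields:' headers and malformed lines
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["action"], m["src"], m["dst"], int(m["dport"])

def detect_port_scans(log_text, target_net, min_ports=5, window=timedelta(minutes=1)):
    """Return {attacker_ip: sorted unique ports} for every source that reached
    min_ports or more distinct ports inside target_net within one window.
    Success and failure both count, as in the 'Category Outcome' line above."""
    net = ip_network(target_net)
    seen = defaultdict(list)  # attacker address -> [(timestamp, target port)]
    for ts, _action, src, dst, dport in parse(log_text):
        if ip_address(dst) in net:
            seen[src].append((ts, dport))
    hits = {}
    for src, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits
```

Windows Firewall does not write pfirewall.log unless logging of dropped and/or allowed connections has been turned on in the firewall profile, so the first tuning step is confirming those logs exist and are being forwarded.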