Internal Horizontal Port Scan NMAP Top 20
This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using one of the NMAP top 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
MITRE ATT&CK
T1046 (Network Service Discovery)
Detection Query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
dc(All_Traffic.dest_ip) as totalDestIPCount
values(All_Traffic.action) as action
values(All_Traffic.dest_zone) as dest_zone
values(All_Traffic.rule) as rule
values(All_Traffic.src_category) as src_category
values(All_Traffic.src_port) as src_port
values(All_Traffic.src_zone) as src_zone
from datamodel=Network_Traffic where
All_Traffic.src_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
All_Traffic.dest_port IN (
21, 22, 23, 25, 53, 80, 110, 111,
135, 139, 143, 443, 445, 993, 995,
1723, 3306, 3389, 5900, 8080
)
by span=1h _time
All_Traffic.src_ip All_Traffic.dest_port
All_Traffic.transport
| `drop_dm_object_name("All_Traffic")`
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(firstTime) as firstTime
max(lastTime) as lastTime
dc(dest_port) as num_ports_scanned
sum(totalDestIPCount) as totalDestIPCount
values(action) as action
values(dest_port) as dest_ports
values(dest_zone) as dest_zone
values(rule) as rule
values(src_category) as src_category
values(src_zone) as src_zone
by _time src_ip
| fields - _time
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `internal_horizontal_port_scan_nmap_top_20_filter`
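The search above does its work in two passes: a one-hour tstats bucket counting distinct destination IPs per source, port and transport, then a second stats that folds the buckets that crossed the 250 threshold back into one row per source. The Python below is an added example (not Splunk's or ESCU's code) that reproduces that two-stage logic over constructed AWS VPC flow log records in the default v2 field order, so the detection can be reasoned about or unit-tested outside Splunk. Function names (`parse_vpcflow`, `detect`, `sample_lines`), the protocol-number-to-transport mapping, and the sample records are all assumptions made for the example; the CIDR list, port list, span and threshold are copied from the search.

```python
"""Reference re-implementation of the Internal Horizontal Port Scan NMAP Top 20
logic over AWS VPC flow log lines. Added example, not the project's own code."""
import ipaddress
from collections import defaultdict

# CIDR list and NMAP top-20 ports copied verbatim from the SPL search.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
)]
NMAP_TOP20 = {21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995,
              1723, 3306, 3389, 5900, 8080}
THRESHOLD = 250          # `where totalDestIPCount>=250`
SPAN = 3600              # `by span=1h _time`
PROTO_NAMES = {6: "tcp", 17: "udp"}  # assumed mapping of the vpcflow protocol number


def is_internal(ip):
    """Equivalent of the All_Traffic.src_ip IN (...) CIDR filter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def parse_vpcflow(line):
    """Parse one default-format (v2) VPC flow record into CIM-style field names.
    Field order: version account-id interface-id srcaddr dstaddr srcport dstport
    protocol packets bytes start end action log-status."""
    f = line.split()
    return {"src_ip": f[3], "dest_ip": f[4], "dest_port": int(f[6]),
            "transport": PROTO_NAMES.get(int(f[7]), f[7]),
            "_time": int(f[10]), "action": f[12]}


def detect(lines, threshold=THRESHOLD):
    """Return {(hour_bucket, src_ip): summary} for sources that hit >= threshold
    distinct destination IPs on at least one NMAP top-20 port within one bucket."""
    # Stage 1: tstats dc(dest_ip) ... by span=1h _time src_ip dest_port transport
    buckets = defaultdict(lambda: {"dests": set(), "actions": set()})
    for line in lines:
        ev = parse_vpcflow(line)
        if ev["dest_port"] not in NMAP_TOP20 or not is_internal(ev["src_ip"]):
            continue
        bucket = ev["_time"] - ev["_time"] % SPAN
        key = (bucket, ev["src_ip"], ev["dest_port"], ev["transport"])
        buckets[key]["dests"].add(ev["dest_ip"])
        buckets[key]["actions"].add(ev["action"])
    # Stage 2: where totalDestIPCount>=250 | eval dest_port=transport/port
    #          | stats ... by _time src_ip
    results = defaultdict(lambda: {"dest_ports": set(), "action": set(),
                                   "totalDestIPCount": 0})
    for (bucket, src_ip, port, transport), b in buckets.items():
        if len(b["dests"]) >= threshold:
            r = results[(bucket, src_ip)]
            r["dest_ports"].add(f"{transport}/{port}")
            r["action"] |= b["actions"]
            # sum(totalDestIPCount): per-port distinct counts are added, so one host
            # scanning 300 targets on two ports reports 600, not 300.
            r["totalDestIPCount"] += len(b["dests"])
    return {k: {"num_ports_scanned": len(r["dest_ports"]),
                "dest_ports": sorted(r["dest_ports"]),
                "action": sorted(r["action"]),
                "totalDestIPCount": r["totalDestIPCount"]}
            for k, r in results.items()}


def sample_lines():
    """Constructed VPC flow records (not real traffic): one internal host sweeping
    300 targets on tcp/22 and tcp/445, one normal host, and one public source
    outside every listed range that the src_ip filter must drop."""
    base = 1700000000  # all records land in the same 1h bucket (1699999200)
    targets = [f"10.0.2.{i}" for i in range(1, 255)] + [f"10.0.3.{i}" for i in range(1, 47)]
    lines = []
    for i, dst in enumerate(targets):
        for port in (22, 445):
            lines.append(f"2 123456789012 eni-example 10.0.1.5 {dst} 51000 {port} 6 1 44 "
                         f"{base + i} {base + i + 1} REJECT OK")
    for dst in ("10.0.2.10", "10.0.2.11", "10.0.2.12"):
        lines.append(f"2 123456789012 eni-example 10.0.1.7 {dst} 52000 443 6 10 4000 "
                     f"{base} {base + 60} ACCEPT OK")
    for i in range(300):
        lines.append(f"2 123456789012 eni-example 8.8.8.8 10.0.2.{i % 254 + 1} 40000 22 6 1 44 "
                     f"{base} {base + 1} REJECT OK")
    return lines


if __name__ == "__main__":
    for (bucket, src_ip), summary in detect(sample_lines()).items():
        print(f"{src_ip} has scanned for ports {summary['dest_ports']} across "
              f"{summary['totalDestIPCount']} destination IPs (bucket {bucket})")
```

Two properties of the search are worth keeping in mind when reading the output. The hour buckets are fixed wall-clock alignments, so a sweep that straddles an hour boundary is split across two buckets and each half must clear 250 on its own; the Python reproduces that behaviour rather than hiding it. And `totalDestIPCount` is the sum of per-port distinct counts, so the same 300 hosts hit on two ports show as 600, which matters when the number is quoted in the risk message.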
Author
Dean Luxton
Created
2026-03-10
Data Sources
AWS CloudWatchLogs VPCflow
Cisco Secure Firewall Threat Defense Connection Event
Tags
Network Discovery
Cisco Secure Firewall Threat Defense Analytics
China-Nexus Threat Activity
Scattered Lapsus$ Hunters
Raw Content
name: Internal Horizontal Port Scan NMAP Top 20
id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
version: 10
date: '2026-03-10'
author: Dean Luxton
status: production
type: TTP
data_source:
- AWS CloudWatchLogs VPCflow
- Cisco Secure Firewall Threat Defense Connection Event
description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using one of the NMAP top 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
search: |
  | tstats `security_content_summariesonly`
      count min(_time) as firstTime
      max(_time) as lastTime
      dc(All_Traffic.dest_ip) as totalDestIPCount
      values(All_Traffic.action) as action
      values(All_Traffic.dest_zone) as dest_zone
      values(All_Traffic.rule) as rule
      values(All_Traffic.src_category) as src_category
      values(All_Traffic.src_port) as src_port
      values(All_Traffic.src_zone) as src_zone
    from datamodel=Network_Traffic where
      All_Traffic.src_ip IN (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
        "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
        "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
        "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
        "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
      )
      All_Traffic.dest_port IN (
        21, 22, 23, 25, 53, 80, 110, 111,
        135, 139, 143, 443, 445, 993, 995,
        1723, 3306, 3389, 5900, 8080
      )
    by span=1h _time
      All_Traffic.src_ip All_Traffic.dest_port
      All_Traffic.transport
  | `drop_dm_object_name("All_Traffic")`
  | where totalDestIPCount>=250
  | eval dest_port=transport + "/" + dest_port
  | stats min(firstTime) as firstTime
      max(lastTime) as lastTime
      dc(dest_port) as num_ports_scanned
      sum(totalDestIPCount) as totalDestIPCount
      values(action) as action
      values(dest_port) as dest_ports
      values(dest_zone) as dest_zone
      values(rule) as rule
      values(src_category) as src_category
      values(src_zone) as src_zone
    by _time src_ip
  | fields - _time
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `internal_horizontal_port_scan_nmap_top_20_filter`
how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as firewalls like Cisco Secure Firewall, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to enable this search effectively.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
- name: View the detection results for $src_ip$
  search: '%original_detection_search% | search src_ip = $src_ip$'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
- name: View risk events for the last 7 days for $src_ip$
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
rba:
  message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs
  risk_objects:
  - field: src_ip
    type: system
    score: 50
  threat_objects: []
tags:
  analytic_story:
  - Network Discovery
  - Cisco Secure Firewall Threat Defense Analytics
  - China-Nexus Threat Activity
  - Scattered Lapsus$ Hunters
  asset_type: Endpoint
  mitre_attack_id:
  - T1046
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: network
tests:
- name: AWS CloudWatch True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log
    source: aws:cloudwatchlogs:vpcflow
    sourcetype: aws:cloudwatchlogs:vpcflow
- name: Cisco Secure Firewall True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
    source: not_applicable
    sourcetype: cisco:sfw:estreamer