IncidentResponsev2

4.12 Detect Network Vulnerability Scans (SO + SMB + Local + Cloud)

Task

Identify SMB traffic and network vulnerability scanning activities using Security Onion and other data sources. This includes both SMB-based indicators (such as Cobalt Strike SMB P2P) and other network scanning attempts (Nmap, Masscan, Nessus).

---

Conditions

Given:

• A Security Onion server with admin access
• Access to Security Onion Alerts and Hunt dashboards
• Local endpoint access (optional)
• Cloud environment access (optional)

---

Standards

• Login into Security Onion
• Select Alerts on the left panel
• Ensure Alerts are properly configured:
  • Group: rule.name
  • Group: event.module
  • Group: event.severity_label
• Set timeframe for your scan period
• Click on column title event.severity_label to sort alerts
• Search for SMB alert signatures (ex: ET POLICY SMB Executable File Transfer)
• Use Hunt function to analyze SMB traffic patterns
• Expand analysis to broader vulnerability scan detection patterns:
  • Nmap
  • Masscan
  • Nessus
  • Any unusual port sweep / probing patterns
• Investigate findings, determine legitimacy or malicious intent, and document results.

---

End State

All suspicious or unauthorized scanning (SMB + general vulnerability scanning) is detected and validated for legitimacy.

---

Notes

Security Onion is capable of detecting:

• SMB traffic
• Nmap / Masscan / Nessus scanning
• Cobalt Strike and P2P SMB trojan activity
• Slow or stealthy scans via Hunt and advanced queries

---

Manual Steps

Detect SMB Traffic Using Security Onion (Original Repository Steps)

Alerts Workflow

1. Login into Security Onion
2. Select Alerts on the left panel
3. Ensure Alerts are properly configured:
   • Group: rule.name
   • Group: event.module
   • Group: event.severity_label
4. Set timeframe (next to refresh button, use dropdown):
   • Recommended: Last 6 hours or Last 1 day
5. Sort alerts by event.severity_label (High → Low)
6. Search for SMB Alerts (i.e. ET POLICY SMB Executable File Transfer)

Hunt Workflow

1. Left-click the SMB alert → Click “Actions” → Select Hunt
2. Ensure timeframe matches the alert timeframe
3. Clear search bar quotes → leave only SMB
4. Confirm Group: event.module and Group: event.dataset are active (if not, click the down arrow → select | groupby event.module event.dataset)
5. Click Hunt
6. Scroll to Events
7. Sort using rule.name or event.severity_label

Expected result example:

ET TROJAN CobaltStrike SMB P2P Default Msagent Named Pipe Interaction
A Network Trojan was detected → High Severity

---

Detect Network Vulnerability Scans (Expanded Procedure)

Security Onion Alerts → Broader Scan Signatures

Common scan rules to look for:

ET SCAN Nmap Scripting Engine User-Agent Detected
ET SCAN Potential Masscan Activity
ET POLICY Nessus Scan Detected
ET SCAN Possible SQL Scanner

Operator Note: Apply same workflow as SMB for hunting these alerts.

Security Onion Hunt

Example search:

Nmap OR Masscan OR Nessus OR SMB | groupby event.module event.dataset

Review:

• Source IP
• Destination IP ranges
• Number of destination ports

Multiple destinations/ports in a short time → Indicates scanning.

---

Local Host Monitoring (Supplemental)

Windows

Get-NetTCPConnection | Group-Object -Property State

Look for:

• Large SYN_SENT counts → possible scan from this host

Linux/macOS

ss -ant | grep SYN

or

netstat -ant | grep SYN

---

Cloud Monitoring

AWS (GuardDuty + VPC Flow)

Look for GuardDuty Findings:

Recon:EC2/PortProbeUnprotectedPort
Recon:IAMUser/PortProbe

Azure (NSG Flow Logs + Defender for Cloud)

Azure Sentinel query:

AzureNetworkAnalytics_CL
| where FlowType_s == "Inbound"
| summarize count() by SourceIP_s, DestinationPort_s

GCP (Cloud Logging + SCC)

gcloud logging read "resource.type=gce_subnetwork AND jsonPayload.connection.protocol=TCP"

Security Command Center → Reconnaissance → Port Scanning findings

---

Validate and Investigate

For all detections:

• Determine authorized vs unauthorized scans
• Validate IP source and ownership
• Document investigation outcome

---

Running Script

TBD → scripting possible for continuous aggregation and pattern detection.

---

Dependencies

• Security Onion installed and Alerts configured
• Hunt view enabled
• Local administrative access to endpoints (optional)
• Cloud access to GuardDuty / Azure Sentinel / GCP SCC

---

Other Available Tools

Tool	Platform	Installation	Usage
Security Onion (Alerts + Hunt)	Network	Native	Scan + SMB detection
OSSEC / Wazuh	Cross-platform	Package Manager	Port scanning detection
AWS GuardDuty + VPC Flow Logs	AWS	Native	Detect port scanning
Azure Defender + NSG Flow Logs	Azure	Native	Detect port scanning
GCP Security Command Center + Flow Logs	GCP	Native	Detect port scanning
Nmap / Nessus (Red Team / Baseline)	Cross-platform	Native	Detection validation

---

Operator Recommendations and Additional Tools

Operator Checklist

• Confirm Security Onion Alerts properly configured (SMB + Scans)
• Detect SMB alerts (Cobalt Strike, SMB File Transfer)
• Perform SMB Hunt and analyze patterns
• Detect Nmap / Masscan / Nessus alerts
• Perform Hunt for other scan patterns
• Validate and correlate to determine legitimacy
• Review cloud environments for scan patterns
• Document unauthorized activities and escalate

Best Practices

• Detect slow and distributed scan patterns (Hunt → time range + patterning)
• Tag authorized scanner IPs to reduce false positives
• Use automated detection pipelines (SIEM/SOAR integration)
• Perform periodic reviews of scan rule effectiveness

---

References

• Security Onion Alerts
• Security Onion Hunt
• AWS GuardDuty Findings
• Azure Defender for Cloud
• GCP Security Command Center

---

Revision History

Date	Version	Description	Author
2025-05-02	1.1	Rebuilt with original SMB detection + expanded multi-platform scan detection + operator workflow	Leo