Detecting Port Scanning Activity

Using endpoint logs to track down compromised hosts

When attackers gain an initial foothold in an environment, they will inevitably move on to some form of lateral movement to achieve their objectives. Attackers will likely start this process with a series of ping sweeps and port scans.

This post assumes you’re lucky enough to be collecting endpoint TCP connection logs from tools like Sysmon or popular EDR solutions. These logs can be very noisy, but they are very helpful when tracking down lateral movement from…
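As an added example (not code from the original post), the script below shows the kind of logic a detection engineer would run over endpoint connection logs to surface the two behaviours described above: a vertical port scan (one source touching many ports on one destination) and a horizontal host sweep (one source touching the same port on many destinations). The input is a constructed, simplified version of a Sysmon Event ID 3 (network connection) record with five fields: timestamp, source IP, destination IP, destination port and the Initiated flag. The field layout, the sample addresses and the thresholds (10 distinct ports or hosts within a 60-second window) are assumptions chosen for illustration; tune them to your own environment's noise level.

```python
"""Flag hosts whose outbound TCP connection records look like a port scan or host sweep.

Record format (constructed, simplified Sysmon Event ID 3):
    <ISO timestamp> <src ip> <dst ip> <dst port> <initiated: true|false>
Only records with initiated=true (the logging host opened the connection) are
counted, so the same connection seen from the target side is not double counted.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample telemetry (not real data): one scanner, one benign workstation."""
    base = datetime(2024, 1, 10, 9, 0, 0)
    lines = []
    # 10.0.0.5 probes 12 different ports on 10.0.0.20 over ~22 seconds (vertical scan).
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 3389, 5985, 8080]):
        ts = (base + timedelta(seconds=i * 2)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.0.20 {port} true")
    # Five minutes later the same host tries port 445 on 12 different hosts (horizontal sweep).
    for i in range(12):
        ts = (base + timedelta(minutes=5, seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.0.{30 + i} 445 true")
    # Target-side copies of two probes, initiated=false; these must be ignored.
    lines.append(f"{base.isoformat()} 10.0.0.5 10.0.0.20 21 false")
    lines.append(f"{(base + timedelta(seconds=2)).isoformat()} 10.0.0.5 10.0.0.20 22 false")
    # 10.0.0.8 is a normal workstation: 20 HTTPS connections to three internal servers.
    for i in range(20):
        ts = (base + timedelta(seconds=i * 3)).isoformat()
        lines.append(f"{ts} 10.0.0.8 10.0.0.{100 + i % 3} 443 true")
    return "\n".join(lines)


def parse_records(text):
    """Parse the whitespace-separated record format into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, initiated = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "initiated": initiated.lower() == "true",
        })
    return records


def detect_scans(records, window=timedelta(seconds=60), port_threshold=10, host_threshold=10):
    """Return {source ip: sorted list of findings}.

    A finding is ("port_scan", <dst ip>) when one source reaches at least
    port_threshold distinct ports on that destination inside the sliding window,
    or ("host_sweep", <port>) when it reaches at least host_threshold distinct
    destinations on that port inside the window.
    """
    outbound = defaultdict(list)
    for r in records:
        if r["initiated"]:  # count connections the host itself opened
            outbound[r["src"]].append(r)

    findings = defaultdict(set)
    for src, conns in outbound.items():
        conns.sort(key=lambda r: r["ts"])
        start = 0
        for end, current in enumerate(conns):
            # Advance the window start so that it spans at most `window` of time.
            while current["ts"] - conns[start]["ts"] > window:
                start += 1
            ports_by_dst = defaultdict(set)
            dsts_by_port = defaultdict(set)
            for c in conns[start:end + 1]:
                ports_by_dst[c["dst"]].add(c["port"])
                dsts_by_port[c["port"]].add(c["dst"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    findings[src].add(("port_scan", dst))
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= host_threshold:
                    findings[src].add(("host_sweep", str(port)))
    return {src: sorted(f) for src, f in findings.items()}


if __name__ == "__main__":
    for src, hits in detect_scans(parse_records(build_sample_log())).items():
        for kind, target in hits:
            print(f"{src}: {kind} -> {target}")
```

The benign workstation never appears in the output: twenty connections to three servers on one port stays under both thresholds, which is the point of counting distinct ports and distinct hosts rather than raw connection volume. In a real deployment you would also exclude known scanners (vulnerability management, monitoring) by source address and feed the findings into whatever alerting pipeline sits on top of your Sysmon or EDR collection.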