T1046 Network Service Discovery
T1036 Masquerading
The alert SOC118 Internal Port Scan Activity triggered after execution of empty.exe on host Katie. Analysis of the file hash confirms it is Zenmap, a graphical interface for Nmap. The binary was renamed to empty.exe and executed from C:\Program Files (x86)\Nmap, indicating possible obfuscation. Logs show the process initiated a port scan against internal host 172.16.17.45 targeting ports 21, 22, 443 and 445 before being blocked.
Feb 06 2021 03:40 PM
Host Katie (172.16.17.35) executed empty.exe and scanned internal host 172.16.17.45.
The alert was triggered due to detection of internal port scanning activity. Although Zenmap is a legitimate tool, its renamed execution and its use to scan internal infrastructure indicate suspicious behavior consistent with reconnaissance. The scan was blocked by security controls and no further activity was observed. The activity is classified as a true positive reconnaissance attempt with no further containment required.
Analysis report (VirusTotal): https://www.virustotal.com/gui/file/eb0254bcd34a9db914edd063b89f02d5e8a646ac35339f92216a0a34aa923174
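As an added example (not part of the original report), the two behaviours that make this a true positive can be checked programmatically over process and network telemetry: a binary whose hash is a known Zenmap build running under a different file name (T1036), and one process touching several ports on a single internal host (T1046). The events below are constructed to mirror the alert; the hash comes from the VirusTotal link above, while the expected name zenmap.exe, the PID and the event field names are assumptions.

```python
"""Replay constructed Sysmon-style events and flag the SOC118 behaviours."""
from collections import defaultdict

# Hash taken from the report's VirusTotal link; the expected file name is an assumption.
KNOWN_HASHES = {
    "eb0254bcd34a9db914edd063b89f02d5e8a646ac35339f92216a0a34aa923174": "zenmap.exe",
}

# Constructed sample telemetry: host Katie runs empty.exe from the Nmap folder,
# then probes four ports on 172.16.17.45; a single connection elsewhere is benign noise.
EVENTS = [
    {"type": "process", "host": "Katie", "pid": 4120,
     "image": r"C:\Program Files (x86)\Nmap\empty.exe",
     "sha256": "eb0254bcd34a9db914edd063b89f02d5e8a646ac35339f92216a0a34aa923174"},
    {"type": "network", "host": "Katie", "pid": 4120, "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 21},
    {"type": "network", "host": "Katie", "pid": 4120, "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 22},
    {"type": "network", "host": "Katie", "pid": 4120, "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 443},
    {"type": "network", "host": "Katie", "pid": 4120, "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 445},
    {"type": "network", "host": "Katie", "pid": 4120, "src": "172.16.17.35", "dst": "10.0.0.5", "dport": 443},
]


def find_masquerades(events):
    """Return (host, pid, actual_name, expected_name) for processes whose hash
    is known under a different file name (T1036 Masquerading)."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        expected = KNOWN_HASHES.get(e["sha256"])
        actual = e["image"].rsplit("\\", 1)[-1].lower()
        if expected and actual != expected:
            hits.append((e["host"], e["pid"], actual, expected))
    return hits


def find_port_scans(events, min_ports=3):
    """Return {(host, pid, dst): sorted ports} for every process that connected
    to at least min_ports distinct ports on one destination (T1046)."""
    ports = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            ports[(e["host"], e["pid"], e["dst"])].add(e["dport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(find_masquerades(EVENTS))
    print(find_port_scans(EVENTS))
```

In a real SIEM the same two checks would run over Sysmon event ID 1 (process creation, with hashes) and event ID 3 (network connection) joined on host and PID.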