An endpoint is performing an unusually large number of successful connections to susceptible ports on one or more remote endpoints. Susceptible ports are ports used by servers that attackers might target for a number of malicious reasons.

The detector assumes that normal users do not initiate a large number of connections to specific destinations on susceptible ports, and that a large number of users do not routinely initiate multiple sessions to those ports.
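The detection logic described above, written out as an added example (not the product's own implementation): it counts successful connections per source, destination and port over a sliding window, flags a source that exceeds a threshold on a susceptible port, and suppresses destinations that many distinct sources use routinely. The port list, thresholds and connection records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical set of "susceptible" server ports used for this example.
SUSCEPTIBLE_PORTS = {22, 445, 1433, 3306, 3389}

def make_records(src, dst, port, outcome, count, start="2024-05-01T10:00:00", step_s=5):
    """Build `count` constructed connection records spaced `step_s` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), src, dst, port, outcome)
            for i in range(count)]

# Constructed sample: one host hammering SSH on a single server, failed attempts
# (not counted, since the detector keys on successful connections), a little
# normal background traffic, and a burst to HTTPS, which is not a susceptible port.
SAMPLE = (
    make_records("10.0.0.5", "10.0.1.20", 22, "success", 30)
    + make_records("10.0.0.5", "10.0.1.20", 22, "failed", 40)
    + make_records("10.0.0.7", "10.0.1.20", 22, "success", 2)
    + make_records("10.0.0.9", "10.0.1.30", 443, "success", 60)
)

def detect_connection_bursts(records, threshold=20, window=timedelta(minutes=5),
                             ports=SUSCEPTIBLE_PORTS, routine_sources=10):
    """Return (source, destination, port) keys where one source made more than
    `threshold` successful connections to a susceptible port inside `window`.
    A destination port that more than `routine_sources` distinct sources talk
    to is treated as a routinely used service and is not alerted on."""
    times = defaultdict(list)
    sources_per_service = defaultdict(set)
    for ts, src, dst, port, outcome in records:
        if outcome != "success" or port not in ports:
            continue
        times[(src, dst, port)].append(datetime.fromisoformat(ts))
        sources_per_service[(dst, port)].add(src)
    alerts = []
    for (src, dst, port), ts_list in times.items():
        if len(sources_per_service[(dst, port)]) > routine_sources:
            continue
        ts_list.sort()
        start = 0
        for end, t in enumerate(ts_list):  # sliding window over sorted timestamps
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append((src, dst, port))
                break
    return alerts
```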
This alert could indicate any of the following:

An attacker is scraping data services for useful data.

The attacker might be seeking authentication credentials by running a brute-force username and password attack against the service.

The attacker might be fuzz testing the remote endpoint to look for vulnerabilities. Fuzz testing sends unexpected, invalid, or random data to software; in this context, the attacker is likely using the fuzzer in an attempt to discover buffer overflow vulnerabilities in the server.
Identify the source endpoint, the process running the scan, and the process owner to determine who or what is performing the network activity. Examine the endpoint profile to identify the process that is being used for the suspicious connections.