Hey everyone! I ran into a weird issue today where two of my Windows VMs started performing port scans on our network. Our honeypot caught them scanning for services like RDP, SSH, TELNET, and SMB. I've done a complete scan with SentinelOne and checked for any recently modified files and event viewer logs, but I can't seem to pinpoint the cause of this behavior. I'm looking for any tips or steps I could take to figure this out. Thanks in advance!
1 Answer
It sounds like a good idea to build new VMs from an automated setup and archive the old ones for further investigation. The specific services being scanned suggests someone might have intentionally set this up. It’s worth considering if it was an internal scanning tool or something external. Meanwhile, you should closely examine the entire environment and address any delayed software updates or maintenance windows you might have overlooked.
Agreed, it’s better to start fresh if you're unsure about the old VMs. Plus, archiving them might give you some insights later.