Microsoft Tech Community

Seeing multiple instances of 'InBoundHostVerticalPortScan' on domain controllers.


While going through the timeline of a domain controller in Defender, I came across multiple occurrences of 'InBoundHostVerticalPortScan' events, which seemed suspicious. Searching for this event indicates it was seen sourcing from multiple internal hosts. This event seems to look for multiple connection attempts to ports from a source IP within a time threshold, which is what I’m seeing for the dns.exe (DNS resolution), lsass.exe (authentication), and svchost.exe -k RPCSS (network services) processes.
Can I get confirmation that this is correct? Is it possible to know what criteria are being used to generate the event? The activity itself doesn't seem like a vertical port scan, as we are seeing a single port on the domain controller (e.g. port 53 for dns.exe) being accessed by multiple hosts for the events generated. I have included an event screenshot for reference.
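
To make the distinction raised in the question concrete, here is an added example (not part of the original thread and not Microsoft's detection logic) that separates one source touching many ports on one host, the usual meaning of a vertical scan, from many sources reaching a single port such as DNS on 53. The thresholds, IP addresses and function names are assumptions; the criteria Defender actually uses are not stated on this page.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60      # assumed time threshold, not Defender's
MIN_DISTINCT_PORTS = 10  # assumed port-count threshold, not Defender's


def vertical_scanners(events, window=WINDOW_SECONDS, min_ports=MIN_DISTINCT_PORTS):
    """events: iterable of (ts_seconds, src_ip, dst_ip, dst_port).
    Returns {(src, dst): peak distinct ports seen inside one window} for
    every pair that reached min_ports distinct destination ports."""
    recent = defaultdict(deque)    # (src, dst) -> (ts, port) entries inside window
    ports = defaultdict(Counter)   # (src, dst) -> port -> hits inside window
    flagged = {}
    for ts, src, dst, port in sorted(events):
        key = (src, dst)
        queue, counts = recent[key], ports[key]
        queue.append((ts, port))
        counts[port] += 1
        # Evict connections that fell out of the sliding window.
        while ts - queue[0][0] > window:
            _, old_port = queue.popleft()
            counts[old_port] -= 1
            if counts[old_port] == 0:
                del counts[old_port]
        if len(counts) >= min_ports:
            flagged[key] = max(flagged.get(key, 0), len(counts))
    return flagged


def fan_in(events):
    """Distinct sources per (dst, port): high values are normal for a service port."""
    sources = defaultdict(set)
    for _, src, dst, port in events:
        sources[(dst, port)].add(src)
    return {key: len(srcs) for key, srcs in sources.items()}


DC = "10.0.0.10"  # constructed address for the domain controller
# Constructed sample: 20 clients resolving DNS against the DC (the pattern in the post)
CLIENT_TRAFFIC = [(t, f"10.0.1.{h}", DC, 53) for h in range(1, 21) for t in (h, h + 30)]
# Constructed sample: one host touching 25 different ports in 25 seconds
SWEEP_TRAFFIC = [(100 + i, "10.0.5.99", DC, 20 + i) for i in range(25)]

if __name__ == "__main__":
    print("vertical:", vertical_scanners(CLIENT_TRAFFIC + SWEEP_TRAFFIC))
    print("fan-in on 53:", fan_in(CLIENT_TRAFFIC)[(DC, 53)])
```

Running the same two functions over exported connection records for the flagged time range shows which of the two patterns the traffic behind an event actually matches.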

1 Reply

Hi @Princely - Were you able to figure this out? Seeing something similar on one of my endpoints.