Introduction A client contacted us following an alert triggered by their Network Detection and Response sensor (NDR), which flagged suspicious network behavior originating from a server within their internal network. The detected activity resembled a port scan, suggesting that the server might have been compromised and was possibly being exploited by an attacker for initial reconnaissance. What added to the concern was the specific choice of ports scanned during the activity.
