Internal Port Scan Zenmap Masquerading as empty.exe Caught Scanning Hosts | LetsDefend SOC118

Published: 15 May 2026
On channel: InkSec

Day 108 of Becoming a SOC Analyst — SOC118 Internal Port Scan Activity (True Positive)
empty.exe executed on host Katie (172.16.17.35) and initiated a port scan against internal host 172.16.17.45 targeting ports 21, 22, 443, and 445. File hash analysis confirmed the binary is Zenmap — the Nmap GUI — renamed and executed from C:\Program Files (x86)\Nmap, a classic masquerading technique that blends legitimate tooling into normal process activity. The scan was blocked by security controls and no further activity was observed, but the renamed execution and the intent to perform internal reconnaissance make this a clear true positive.
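The two signals in this alert, a binary running under a name that does not match its on-disk location or its hash, and one internal host probing several ports on another, can both be scripted as detection checks. The following is an added example written for this summary, not code from the InkSec video or from LetsDefend; the process and firewall records are constructed sample data, the Nmap install allow-list is an assumption, and the Zenmap hash is a placeholder rather than the real value.

```python
"""Detection checks for the SOC118 scenario: masquerading + internal port scan.

Added example (not from the video or LetsDefend). All records below are
constructed; the hash is a placeholder, not the real Zenmap hash.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: per-directory allow-list of executables expected in the Nmap
# install folder. A real deployment would source this from software inventory.
EXPECTED_IMAGES = {
    r"c:\program files (x86)\nmap": {"nmap.exe", "zenmap.exe", "ncat.exe", "nping.exe", "ndiff.exe"},
}

# Assumption: hash -> canonical image name, from threat intel / VirusTotal.
# Placeholder hash value; the real Zenmap hash is not reproduced here.
KNOWN_TOOL_HASHES = {"<sha256-of-zenmap-placeholder>": "zenmap.exe"}

INTERNAL_NETS = [ip_network("172.16.0.0/12"), ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_masquerade(event):
    """Return reasons a process-creation event looks like a renamed tool."""
    reasons = []
    path = event["image_path"].lower()
    directory, _, image = path.rpartition("\\")
    # Check 1: unexpected image name inside a known tool directory.
    expected = EXPECTED_IMAGES.get(directory)
    if expected is not None and image not in expected:
        reasons.append(f"{image} executed from {directory} but is not an expected Nmap binary")
    # Check 2: file hash identifies a known tool whose name differs from the running image.
    canonical = KNOWN_TOOL_HASHES.get(event["sha256"])
    if canonical and canonical != image:
        reasons.append(f"hash identifies {canonical} but process ran as {image}")
    return reasons


def detect_port_scans(conn_events, min_ports=4, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs where src touches >= min_ports distinct ports within window."""
    by_pair = defaultdict(list)
    for e in conn_events:
        if is_internal(e["src"]) and is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"])].append((datetime.fromisoformat(e["ts"]), e["dport"]))
    alerts = []
    for (src, dst), attempts in by_pair.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            ports = {p for t, p in attempts[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break  # one alert per pair is enough for triage
    return alerts


# Constructed sample telemetry mirroring the alert: empty.exe from the Nmap
# folder on 172.16.17.35, plus a benign nmap.exe run for contrast.
SAMPLE_PROCESS_EVENTS = [
    {"host": "Katie", "image_path": r"C:\Program Files (x86)\Nmap\empty.exe",
     "sha256": "<sha256-of-zenmap-placeholder>"},
    {"host": "Admin01", "image_path": r"C:\Program Files (x86)\Nmap\nmap.exe",
     "sha256": "<sha256-benign-placeholder>"},
]

SAMPLE_CONN_EVENTS = [
    {"ts": "2026-05-15T10:00:00", "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 21, "action": "blocked"},
    {"ts": "2026-05-15T10:00:01", "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 22, "action": "blocked"},
    {"ts": "2026-05-15T10:00:02", "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 443, "action": "blocked"},
    {"ts": "2026-05-15T10:00:03", "src": "172.16.17.35", "dst": "172.16.17.45", "dport": 445, "action": "blocked"},
    {"ts": "2026-05-15T10:05:00", "src": "172.16.17.35", "dst": "172.16.17.50", "dport": 445, "action": "allowed"},
    {"ts": "2026-05-15T10:06:00", "src": "172.16.17.35", "dst": "8.8.8.8", "dport": 53, "action": "allowed"},
]


def run_demo():
    masq = {e["image_path"]: check_masquerade(e) for e in SAMPLE_PROCESS_EVENTS}
    scans = detect_port_scans(SAMPLE_CONN_EVENTS)
    return masq, scans


if __name__ == "__main__":
    masq, scans = run_demo()
    for path, reasons in masq.items():
        print(path, "->", reasons or "ok")
    for a in scans:
        print(f"port scan: {a['src']} -> {a['dst']} ports {a['ports']}")
```

The hash check is the one that settles the case: the directory allow-list alone would fire on any odd file dropped into the Nmap folder, but a hash that resolves to zenmap.exe while the image ran as empty.exe is exactly the renamed-tool finding the alert describes. The scan heuristic only counts internal-to-internal pairs so that ordinary outbound traffic (the 8.8.8.8 record) is ignored, and the action field is preserved so an analyst can see the attempts were blocked.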
🔬 Analysis Reports
🦠 VirusTotal → https://www.virustotal.com/gui/file/e...
Scenario sourced from LetsDefend.io — one of the best hands-on SOC analyst training platforms out there.
Highly recommend if you're on the same path. I'm documenting every day of my journey to landing a Level 1 SOC Analyst role — the wins, the grinds, and everything in between.

00:00 Day 108 intro
00:20 Alert Details
00:50 Investigation
06:00 Playbook Answers
09:20 5w Log
13:00 Result


🔵 What I Cover
Threat Detection · Alert Triage · SIEM Analysis · Log Analysis · Incident Response · Blue Team Tools
🚨 Open to Work — Seeking a Level 1 SOC Analyst role in Melbourne or Remote (AU)
📂 Portfolio → inksec.io
💼 LinkedIn → linkedin.com/in/tate-pannam-8b64b23a3
If you chose the red pill... 0x74617465.sh
#SOCAnalyst #BlueTeam #Cybersecurity #PortScan #Nmap #Zenmap #Masquerading #NetworkRecon #IncidentResponse #SIEM #Day108 #CyberSecurityJourney #Melbourne #LetsDefend #LetsDefendSOC #ThreatHunting #InfoSec #BlueTeamSecurity