115.186.190.88

Summary (Bottom Line Up Front)

External threat actor at 115.186.190.88 conducted SMB1 protocol reconnaissance targeting non-standard port 9001 on February 28, 2026 around 11:00 UTC. This activity represents HIGH-risk reconnaissance, likely preparing for SMB-based exploitation using deprecated protocol vulnerabilities. Immediate defensive measures are recommended: block this IP and audit SMB configurations.

Activity Timeline
INITIAL REPORT (2026-03-17T23:49:38Z)
Source: Analyst Manual Entry
External threat actor at 115.186.190.88 conducted SMB1 protocol reconnaissance targeting non-standard port 9001 on February 28, 2026 around 11:00 UTC. This activity represents HIGH-risk reconnaissance, likely preparing for SMB-based exploitation using deprecated protocol vulnerabilities. Immediate defensive measures are recommended: block this IP and audit SMB configurations.
Technical details
Attack Vector: SMB1 protocol negotiation attempts on TCP port 9001
Volume: 24 events over 4-minute window (10:00-11:00 UTC)
MITRE Technique: T1046 (Network Service Scanning)
Kill Chain Phase: Reconnaissance
Key Indicators: Use of the deprecated SMB1 protocol combined with targeting of a non-standard port suggests evasion tactics
IOCs: 115.186.190.88 (source IP)
IOCs
IP: 115.186.190.88
Recommendations
  • Block IP address 115.186.190.88 at network perimeter and document for threat hunting
  • Audit all SMB services to ensure SMB1 is disabled and only SMB2/3 protocols are enabled
  • Review firewall rules to restrict SMB traffic to authorized ports and internal networks only
  • Monitor for additional SMB1 usage patterns across the environment using network detection capabilities
  • Implement enhanced logging for SMB protocol negotiations to detect similar reconnaissance attempts
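The last two recommendations call for detecting SMB protocol negotiations, in particular SMB1 negotiation on ports other than 139/445. The following Python script is an added example written for this report, not tooling from the original entry or from any vendor: it parses the first TCP payload of a connection, identifies SMB1 and SMB2/3 NEGOTIATE requests from their headers, extracts the SMB1 dialect list, and rates SMB1-on-non-standard-port as the high-severity pattern described above. It assumes events arrive as (source IP, destination port, payload bytes) tuples from a sensor or PCAP export; the sample events, the packet-builder fixtures and the severity labels are constructed for demonstration.

```python
"""Detect SMB negotiate requests in captured TCP payloads (added example, not from the report)."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SMB1_MAGIC = b"\xffSMB"          # SMB1 (CIFS) header marker
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header marker
SMB1_COM_NEGOTIATE = 0x72        # SMB_COM_NEGOTIATE command byte
SMB2_NEGOTIATE = 0x0000          # SMB2 NEGOTIATE command code
STANDARD_SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class NegotiateFinding:
    src_ip: str
    dst_port: int
    version: str            # "SMB1" or "SMB2+"
    dialects: tuple         # dialect strings offered (SMB1 only)
    severity: str           # "high" = SMB1 on a non-standard port (labels chosen for this example)


def strip_netbios(payload: bytes) -> bytes:
    """Remove a NetBIOS session header (type 0x00 + 24-bit big-endian length) if present."""
    if len(payload) >= 4 and payload[0] == 0x00:
        length = int.from_bytes(payload[1:4], "big")
        return payload[4:4 + length]
    return payload


def smb1_dialects(body: bytes) -> tuple:
    """Parse the dialect list that follows the 32-byte SMB1 header of a NEGOTIATE request.

    Layout: WordCount(1) | Words(2*WordCount) | ByteCount(2) | Data, where Data holds
    one 0x02 buffer-format byte plus a NUL-terminated string per dialect.
    """
    word_count = body[0]
    off = 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", body, off)
    data = body[off + 2: off + 2 + byte_count]
    return tuple(chunk.rstrip(b"\x00").decode("ascii", "replace")
                 for chunk in data.split(b"\x02") if chunk)


def classify(src_ip: str, dst_port: int, payload: bytes) -> Optional[NegotiateFinding]:
    """Return a finding if the payload is an SMB negotiate request, else None."""
    msg = strip_netbios(payload)
    nonstandard = dst_port not in STANDARD_SMB_PORTS
    if msg[:4] == SMB1_MAGIC and len(msg) >= 35 and msg[4] == SMB1_COM_NEGOTIATE:
        # Deprecated SMB1 negotiation; on a non-standard port it matches the pattern in this report.
        severity = "high" if nonstandard else "medium"
        return NegotiateFinding(src_ip, dst_port, "SMB1", smb1_dialects(msg[32:]), severity)
    if msg[:4] == SMB2_MAGIC and len(msg) >= 64:
        (command,) = struct.unpack_from("<H", msg, 12)   # SMB2 header: Command field at offset 12
        if command == SMB2_NEGOTIATE:
            return NegotiateFinding(src_ip, dst_port, "SMB2+", (), "medium" if nonstandard else "info")
    return None


def scan(events) -> list:
    """Run classify() over (src_ip, dst_port, payload) tuples and keep the SMB negotiate hits."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def sources_by_severity(findings, severity="high") -> Counter:
    """Count findings per source IP at the given severity (hunting/blocking candidates)."""
    return Counter(f.src_ip for f in findings if f.severity == severity)


# --- constructed test fixtures: minimal, well-formed negotiate requests (not captured traffic) ---
def build_smb1_negotiate(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27        # 32-byte header, fields zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data            # WordCount=0, ByteCount, Data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb2_negotiate() -> bytes:
    header = bytearray(64)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, 64)               # StructureSize
    struct.pack_into("<H", header, 12, SMB2_NEGOTIATE)  # Command
    smb = bytes(header) + bytes(36)                     # placeholder body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


SAMPLE_EVENTS = [  # constructed sample traffic
    ("115.186.190.88", 9001, build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])),
    ("115.186.190.88", 9001, build_smb1_negotiate(["NT LM 0.12"])),
    ("10.0.0.23", 445, build_smb2_negotiate()),                         # ordinary internal SMB2/3 client
    ("198.51.100.7", 9001, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),       # same port, not SMB
    ("203.0.113.5", 445, build_smb1_negotiate(["NT LM 0.12"])),         # SMB1 on the standard port
]

if __name__ == "__main__":
    findings = scan(SAMPLE_EVENTS)
    for f in findings:
        print(f)
    print("high-severity sources:", dict(sources_by_severity(findings)))
```

Feeding real traffic in requires only a source of first-payload bytes per TCP connection (a PCAP reader or a sensor export); the classifier keys on the protocol headers, so a port-based firewall rule that ignores 9001 would miss exactly the traffic this report describes while this check does not.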