Summary (Bottom Line Up Front)
External host 176.116.136.105 sent SMBv1 negotiation requests to internal hosts on TCP port 9001, a non-standard SMB port, on February 27, 2026, generating 49 security events in a five-minute window (04:51-04:56 UTC). This is medium-risk reconnaissance that typically precedes exploitation of SMB vulnerabilities or lateral movement over SMB. Organizations should audit their SMB exposure and disable the legacy SMBv1 protocol wherever it is still enabled.
Activity Timeline
UPDATE 2026-03-10T19:09:49Z
Source: Analyst Manual Entry
Consolidated assessment of the February 27, 2026 activity: 49 SMBv1 negotiation attempts from 176.116.136.105 against internal hosts on TCP port 9001 within a five-minute window (04:51-04:56 UTC). The activity remains assessed as medium-risk reconnaissance that could precede attacks on SMB vulnerabilities; SMB exposure should be audited and SMBv1 disabled wherever possible.
New findings
- Attack vector: SMBv1 Negotiate Protocol Requests sent to TCP port 9001, a non-standard port (SMB normally listens on 445, or 139 over NetBIOS)
- Volume: 49 events within a five-minute window, a rate consistent with automated scanning rather than manual probing
- MITRE technique: reported as T1135 (Network Share Discovery). Note that T1135 describes share enumeration by an actor already on the network; an external sweep for SMB listeners maps more directly to T1046 (Network Service Discovery) or T1595.001 (Active Scanning: Scanning IP Blocks), and the observed data shows SYN scanning and protocol negotiation, not share listing
- Kill chain phase: Reconnaissance
- Protocol risk: SMBv1 is deprecated and has a history of critical remote code execution flaws (the EternalBlue exploit for MS17-010 is the best-known example); a host that still answers SMBv1 negotiation is an attractive target
- IOC: 176.116.136.105 (external reconnaissance source)
- Threat assessment: medium confidence (75%) that this is automated enumeration; the analyst estimates a low (5%) probability that a zero-day is involved
Recommendations
- Inventory systems with SMBv1 enabled across Windows hosts and network devices and disable it; where a legacy device still requires SMBv1, isolate it and document the exception
- Block inbound SMB from the internet at the perimeter (TCP 139 and 445) and alert on external connections to any internal service that answers SMB on other ports, since the observed probing targeted 9001
- Monitor for follow-on activity from 176.116.136.105 and block the address at the perimeter if operationally feasible
- Audit internal SMB shares for unnecessary exposure (anonymous or Everyone access, writable shares) and apply least-privilege access controls
- Deploy detection for SMB-based lateral movement (T1021.002, Remote Services: SMB/Windows Admin Shares), such as remote access to ADMIN$ and C$ shares and service creation over SMB, given the demonstrated attacker interest in SMB
INITIAL REPORT 2026-03-10T17:16:18Z
Source: Analyst Manual Entry
External host 176.116.136.105 attempted SMBv1 protocol negotiation against TCP port 9001 on internal hosts on February 27, 2026, between 04:51 and 04:56 UTC. This is medium-risk reconnaissance that could precede credential harvesting or lateral movement over SMB. Organizations should audit their SMB configurations and increase monitoring of legacy protocol usage.
Technical details
- Attack vector: SMBv1 protocol negotiation attempts from external IP 176.116.136.105
- Volume: 49 connection events over a five-minute window (04:51-04:56 UTC)
- Protocols: TCP SYN scanning concentrated on a single destination port, together with SMBv1 negotiation attempts
- MITRE technique: T1135 (Network Share Discovery); external scanning for SMB listeners is more precisely T1046 (Network Service Discovery)
- Kill chain phase: Reconnaissance
- IOCs: source IP 176.116.136.105; SMBv1 negotiation directed at a non-standard port (9001)
- Risk assessment: medium confidence (75%) that this is a threat, based on the deprecated protocol and the external origin
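The two findings lists above (the update's "New findings" and these "Technical details") describe the same pattern: a burst of SMBv1 Negotiate Protocol Requests from one external address to one non-standard port. The following detection logic is an added example, not part of the original report or the analyst's tooling. It parses the SMB negotiate request to confirm the dialect is SMBv1 (header signature 0xFF 'SMB', command 0x72, dialect strings such as "NT LM 0.12") rather than SMB2/3 (0xFE 'SMB'), then applies a sliding five-minute window per (source, destination port). The sensor log format, the threshold of 20 events, and all log lines are constructed assumptions, including the second external address.

```python
"""Flag bursts of SMBv1 Negotiate Protocol Requests from external sources.

Added example. The log format, thresholds and every sample line below are
assumptions constructed for illustration, not data from the original report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

SMB1_MAGIC = b"\xffSMB"      # SMBv1 header signature
SMB2_MAGIC = b"\xfeSMB"      # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72     # SMBv1 NEGOTIATE command code


def build_smb1_negotiate(dialects):
    """Construct an SMBv1 Negotiate Protocol Request (NetBIOS header + SMB)."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27  # 32-byte SMB1 header
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + len(data).to_bytes(2, "little") + data  # WordCount=0, ByteCount
    return len(body).to_bytes(4, "big") + body  # 4-byte NetBIOS session service header


def smb_dialects(payload):
    """Classify a TCP payload: ('SMB1', dialects), ('SMB2', []) or None if not SMB."""
    body = payload[4:]  # skip NetBIOS session header
    if body[:4] == SMB2_MAGIC:
        return ("SMB2", [])
    if len(body) < 35 or body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = body[32]
    bc_off = 33 + 2 * word_count
    byte_count = int.from_bytes(body[bc_off:bc_off + 2], "little")
    data = body[bc_off + 2:bc_off + 2 + byte_count]
    dialects, i = [], 0
    while i < len(data) and data[i] == 0x02:  # BufferFormat 0x02 = Dialect string
        end = data.find(b"\x00", i + 1)
        if end < 0:
            break
        dialects.append(data[i + 1:end].decode("ascii", "replace"))
        i = end + 1
    return ("SMB1", dialects)


# Assumed sensor format: "<ISO8601> src=<ip> dst=<ip> dport=<n> payload=<hex of first bytes>"
LOG_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) payload=([0-9a-fA-F]*)$")


def parse_line(line):
    """Parse one constructed sensor line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return {"ts": ts, "src": m.group(2), "dst": m.group(3),
            "dport": int(m.group(4)), "payload": bytes.fromhex(m.group(5))}


def detect_smb1_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """One alert per (external src, dport) with >= threshold SMBv1 negotiates in any window."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ip_address(ev["src"]).is_global:
            continue  # this rule is scoped to external sources only
        kind = smb_dialects(ev["payload"])
        if kind is None or kind[0] != "SMB1":
            continue
        ev["dialects"] = kind[1]
        buckets[(ev["src"], ev["dport"])].append(ev)

    alerts = []
    for (src, dport), evs in buckets.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"src": src, "dport": dport, "count": best,
                           "first": evs[0]["ts"].isoformat(), "last": evs[-1]["ts"].isoformat(),
                           "targets": sorted({e["dst"] for e in evs}),
                           "dialects": sorted({d for e in evs for d in e["dialects"]})})
    return alerts


def _line(ts, src, dst, dport, payload):
    return f"{ts.isoformat().replace('+00:00', 'Z')} src={src} dst={dst} dport={dport} payload={payload.hex()}"


# Constructed sample: 49 SMBv1 negotiates to port 9001, six seconds apart, plus two decoys.
_T0 = datetime(2026, 2, 27, 4, 51, 0, tzinfo=timezone.utc)
_SMB1 = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])
_SMB2 = len(SMB2_MAGIC + b"\x00" * 60).to_bytes(4, "big") + SMB2_MAGIC + b"\x00" * 60
SAMPLE_LOG = [_line(_T0 + timedelta(seconds=6 * i), "176.116.136.105", f"10.20.{i % 3}.{10 + i}", 9001, _SMB1)
              for i in range(49)]
SAMPLE_LOG += [
    _line(_T0, "10.20.0.5", "10.20.0.10", 445, _SMB1),     # internal SMBv1: outside this rule's scope
    _line(_T0, "91.200.12.34", "10.20.0.10", 445, _SMB2),  # assumed external SMB2 negotiate: not SMBv1
]

if __name__ == "__main__":
    for alert in detect_smb1_bursts(SAMPLE_LOG):
        print(alert)
```

The dialect check matters in practice: a scanner that only sends SMB2 negotiates is a different (lower) risk than one probing specifically for SMBv1, and the dialect list tells you which. Lower the threshold or widen the window if your sensor samples connections rather than logging every one.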
IOCs
IP: 176.116.136.105
Recommendations
- Disable SMBv1 on all network assets and enforce SMBv2/v3 as the minimum dialect (SMB 3.x with signing, and encryption where supported)
- Segment the network so that SMB traffic is restricted to authorized internal subnets only
- Log all SMB connection attempts, particularly those from external sources, including negotiate requests arriving on non-standard ports
- Audit systems for SMB listeners on ports other than 445/139, and determine whether anything actually answers on port 9001, the target of this activity
- Block source IP 176.116.136.105 at perimeter firewalls pending further investigation