# port\_1433\_scanning\_outbound

**Explanation**

This NDM detects outbound traffic that indicates scanning for open port 1433. Port 1433 is commonly used by Microsoft SQL Server and, if left open, can allow unauthorized access to sensitive data. The NDM triggers when multiple outbound connections to different IP addresses on port 1433 are detected.

**What to Look For**

If this NDM is triggered, examine your network logs for multiple outbound connections to different IP addresses on port 1433. Look for any endpoint activity indicating a possible SQL Server connection being established, including processes, files, or registry keys related to SQL Server. This event can indicate a potential attacker trying to identify SQL Server installations in the network, and should be investigated immediately to prevent unauthorized access to sensitive data.
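
The log review described above can be sketched as a sliding-window count of distinct external destinations that each internal host contacts on port 1433. This is an added example, not the product's own detection logic; the internal range, the 60-second window, the threshold of 3 and the flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MSSQL_PORT = 1433
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumption: the monitored internal range
WINDOW = timedelta(seconds=60)           # assumption: the page gives no window
MIN_DISTINCT_DSTS = 3                    # assumption: the page gives no threshold

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.0.5.23 203.0.113.10 1433
2024-05-01T10:00:02 10.0.5.23 203.0.113.11 1433
2024-05-01T10:00:03 10.0.5.40 198.51.100.7 1433
2024-05-01T10:00:04 10.0.5.23 203.0.113.12 1433
2024-05-01T10:00:05 10.0.5.23 203.0.113.12 443
2024-05-01T10:00:06 10.0.5.23 203.0.113.13 1433
2024-05-01T10:00:09 10.0.5.40 198.51.100.7 1433
2024-05-01T10:00:11 10.0.5.40 10.0.9.9 1433
2024-05-01T10:05:00 10.0.5.77 203.0.113.20 1433
2024-05-01T10:15:00 10.0.5.77 203.0.113.21 1433
2024-05-01T10:25:00 10.0.5.77 203.0.113.22 1433
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into typed tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), ip_address(s), ip_address(d), int(p))
            for t, s, d, p in rows]

def find_scanners(flows, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Map each flagged internal source to its distinct external 1433 destinations."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if port != MSSQL_PORT or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue              # only outbound connections to port 1433 count
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # expire connections older than the window
        dsts = {str(d) for _, d in q}
        if len(dsts) >= min_dsts and len(dsts) > len(flagged.get(str(src), ())):
            flagged[str(src)] = sorted(dsts)
    return flagged

if __name__ == "__main__":
    for src, dsts in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {len(dsts)} distinct destinations on port {MSSQL_PORT}: {dsts}")
```

In the constructed data, the host that repeatedly contacts a single SQL Server address is not flagged, and the host that probes slowly is flagged only when the window is widened, which is the tuning trade-off to keep in mind when reviewing logs around this alert.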

**Related MITRE ATT\&CK Categories**

[Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046)

[Reconnaissance: Active Scanning, Technique T1595 - Enterprise](https://attack.mitre.org/techniques/T1595)


