# port\_445\_scanning\_internal **Explanation** The port\_445\_scanning\_internal event is triggered when a source IP is scanning internal networks for port 445, which is commonly used by Windows for file and printer sharing. This type of scanning activity often indicates attempts to exploit known vulnerabilities or to spread malware within the network. **What to Look For** To examine the results of the port\_445\_scanning\_internal event, look for any source IPs that have been detected as scanning internal networks for port 445. It is important to investigate these IPs to determine if they are compromised or if they are performing legitimate scanning activity. Endpoint analysis should also be conducted to determine if any systems have been compromised and what actions need to be taken to remediate the issue. It is recommended that the affected systems be isolated from the network and patched or updated to prevent further spread of malware or exploitation. **Related MITRE ATT\&CK Categories** [Discovery: Network Service Discovery, Technique T1046 - Enterprise](https://attack.mitre.org/techniques/T1046) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/reconnaissance/port_445_scanning_internal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.