Network Attack Patterns

Network attack patterns describe the behaviors, traffic flows, packet sequences, and communication styles used by attackers during scanning, exploitation, C2 communication, lateral movement, and data exfiltration.
These patterns are visible in firewall logs, IDS/IPS logs, DNS logs, proxy logs, and NetFlow — allowing SOC analysts to identify intrusions even when malware indicators or IOCs are not present.

This chapter explains network attack patterns in full-scale, ultra-practical SOC depth, including raw log examples, detection logic, analyst workflows, and SIEM queries.


What Network Attack Patterns Are

A network attack pattern is a repeatable, recognizable behavior in network traffic that signals malicious intent.

Network attack patterns reveal:

  • Scanning behavior

  • Reconnaissance

  • Exploitation attempts

  • Lateral movement

  • Malware beaconing

  • Data exfiltration

  • Protocol abuse

Attackers may hide files, hashes, and domains — but network behavior is significantly harder to disguise, making attack patterns one of the strongest SOC detection methods.


Core Network Attack Pattern Categories

Below are the major categories, with realistic examples shown the way SOC analysts actually observe them in logs.


1. Port Scanning Patterns

Attackers scan networks to identify open ports or exploitable services.

Horizontal Scan (same port, many hosts)

SRC=185.22.11.44 DPT=22 → 10.0.0.2
SRC=185.22.11.44 DPT=22 → 10.0.0.3
SRC=185.22.11.44 DPT=22 → 10.0.0.4

Vertical Scan (many ports, same host)

DPT=21,22,23,80,443,3306,8080 from same SRC

Full Recon Scan

Using Nmap/Masscan:

ET SCAN Nmap Scripting Engine

Attack Impact:

  • Reveals attacker reconnaissance

  • Precedes brute force or exploitation
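The horizontal/vertical distinction above is easy to turn into detection logic. The block below is an added example (not code from the page): it parses constructed iptables-style firewall lines (TEST-NET source addresses, an assumed `ts=<epoch>` field) and classifies each source as a horizontal scan (many hosts, one port), a vertical scan (many ports, one host), or both, inside a sliding time window. Thresholds are illustrative; the page's own SIEM rule uses more than 10 ports per minute.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the page). Format is assumed to be
# iptables-style key=value fields with an epoch timestamp prepended by the collector.
FIREWALL_LOG = """\
ts=1700000000 DROP SRC=203.0.113.44 DST=10.0.0.2 PROTO=TCP DPT=22
ts=1700000001 DROP SRC=203.0.113.44 DST=10.0.0.3 PROTO=TCP DPT=22
ts=1700000002 DROP SRC=203.0.113.44 DST=10.0.0.4 PROTO=TCP DPT=22
ts=1700000003 DROP SRC=203.0.113.44 DST=10.0.0.5 PROTO=TCP DPT=22
ts=1700000010 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=21
ts=1700000011 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=22
ts=1700000012 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=23
ts=1700000013 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=80
ts=1700000014 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=443
ts=1700000015 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=3306
ts=1700000016 DROP SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP DPT=8080
ts=1700000100 ACCEPT SRC=192.0.2.4 DST=10.0.0.2 PROTO=TCP DPT=443
ts=1700000130 ACCEPT SRC=192.0.2.4 DST=10.0.0.2 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"ts=(\d+) (\w+) SRC=(\S+) DST=(\S+) PROTO=\w+ DPT=(\d+)")


def parse_firewall_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, src, dst, dpt = m.groups()
            events.append({"ts": int(ts), "action": action, "src": src,
                           "dst": dst, "dpt": int(dpt)})
    return events


def classify_scans(events, window=60, host_threshold=3, port_threshold=5):
    """For each source, slide a time window over its connections and report the
    first window that looks like a scan. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] < window]
            hosts = {e["dst"] for e in in_window}
            ports = {e["dpt"] for e in in_window}
            horizontal = len(hosts) >= host_threshold   # same port, many hosts
            vertical = len(ports) >= port_threshold     # many ports, same host
            if horizontal and vertical:
                kind = "horizontal+vertical"
            elif horizontal:
                kind = "horizontal"
            elif vertical:
                kind = "vertical"
            else:
                continue
            findings[src] = {"kind": kind, "hosts": len(hosts), "ports": sorted(ports)}
            break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for src, f in classify_scans(parse_firewall_log(FIREWALL_LOG)).items():
        print(src, f)
```

The window matters: a scanner that spreads probes over hours will not trip a 60-second rule, so slow-scan detection needs a longer window with a higher distinct-host or distinct-port count.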


2. Brute Force Attack Patterns

Repeated failed login attempts over the network.

SSH Brute Force (Firewall + auth log)

DROP SRC=185.* DPT=22 (repeated)

RDP Brute Force

SRC=185.* DPT=3389 SYN flood

Characteristics:

  • High-frequency attempts

  • Same username targeted repeatedly

  • Often from botnets
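The heading above says "Firewall + auth log" because the two sources confirm each other: the firewall shows the repeated connection attempts, the auth log shows which usernames were tried. The block below is an added example (not from the page) that correlates constructed firewall lines with constructed sshd `auth.log` lines by source address; the IP addresses are TEST-NET placeholders and the threshold is illustrative.

```python
import re
from collections import defaultdict

# Constructed firewall lines (not from the page), iptables-style fields assumed.
FIREWALL_LOG = """\
DROP SRC=203.0.113.77 DST=10.0.0.9 PROTO=TCP DPT=22
DROP SRC=203.0.113.77 DST=10.0.0.9 PROTO=TCP DPT=22
DROP SRC=203.0.113.77 DST=10.0.0.9 PROTO=TCP DPT=22
DROP SRC=198.51.100.23 DST=10.0.0.9 PROTO=TCP DPT=443
"""

# Constructed sshd auth.log lines (not from the page), standard syslog layout assumed.
AUTH_LOG = """\
Nov 14 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.77 port 51022 ssh2
Nov 14 10:01:05 web01 sshd[2203]: Failed password for root from 203.0.113.77 port 51030 ssh2
Nov 14 10:01:09 web01 sshd[2205]: Failed password for invalid user admin from 203.0.113.77 port 51041 ssh2
Nov 14 10:01:12 web01 sshd[2207]: Failed password for root from 203.0.113.77 port 51055 ssh2
Nov 14 10:02:40 web01 sshd[2301]: Accepted publickey for deploy from 10.0.0.40 port 40110 ssh2
Nov 14 10:03:11 web01 sshd[2310]: Failed password for alice from 10.0.0.41 port 40200 ssh2
"""

FW_RE = re.compile(r"(\w+) SRC=(\S+) DST=\S+ PROTO=\w+ DPT=(\d+)")
# sshd writes "invalid user <name>" when the account does not exist; capture both forms.
AUTH_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def count_fw_drops(text, dpt=22):
    """Number of dropped connections to the given port, per source address."""
    drops = defaultdict(int)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(1) == "DROP" and int(m.group(3)) == dpt:
            drops[m.group(2)] += 1
    return dict(drops)


def count_auth_failures(text):
    """Failed password attempts and the set of usernames tried, per source address."""
    failures = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src]["attempts"] += 1
            failures[src]["users"].add(user)
    return failures


def brute_force_candidates(fw_text, auth_text, min_attempts=3):
    """Merge both sources; a source is a candidate once its combined attempt
    count reaches min_attempts (illustrative threshold)."""
    drops = count_fw_drops(fw_text)
    auth = count_auth_failures(auth_text)
    candidates = {}
    for src in set(drops) | set(auth):
        auth_attempts = auth[src]["attempts"] if src in auth else 0
        if drops.get(src, 0) + auth_attempts >= min_attempts:
            candidates[src] = {
                "fw_drops": drops.get(src, 0),
                "auth_failures": auth_attempts,
                "users": sorted(auth[src]["users"]) if src in auth else [],
            }
    return candidates


if __name__ == "__main__":
    print(brute_force_candidates(FIREWALL_LOG, AUTH_LOG))
```

A single failed login from an internal workstation (10.0.0.41 above) stays below the threshold; the external source with both dropped connections and repeated failures for `root` and `admin` is what the analyst wants surfaced.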


3. Web Exploitation Patterns

Visible in proxy and IDS logs.

SQL Injection

GET /login.php?id=1' OR '1'='1

Directory Traversal

GET /../../../../../etc/passwd

Remote Code Execution (RCE)

POST /struts2-showcase/index.action?... 

Exploit Kits

/ek/landing.php?id=4421

These patterns indicate active exploitation attempts.
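Proxy logs store the request URL encoded, so matching must happen on the decoded form or the `'` in the SQL injection example is never seen. The block below is an added example (not from the page) that decodes constructed proxy log lines and tags each request with the pattern categories shown above; the log layout (`src method url status`) is assumed, and the tags are triage hints that an IDS signature set such as the ET EXPLOIT rules would refine.

```python
import re
from urllib.parse import unquote_plus

# Constructed proxy log lines (not from the page): "src method url status".
PROXY_LOG = """\
10.0.0.15 GET /login.php?id=1'%20OR%20'1'='1 200
10.0.0.15 GET /images/../../../../../etc/passwd 403
10.0.0.16 POST /struts2-showcase/index.action?name=%25%7B1%2B1%7D 500
10.0.0.17 GET /ek/landing.php?id=4421 200
10.0.0.18 GET /products?id=42 200
10.0.0.19 GET /static/app.js 200
"""

# Each rule is (tag, compiled regex applied to the decoded URL).
RULES = [
    ("sqli", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),          # ' OR '1'='1 tautology
    ("traversal", re.compile(r"(\.\./){2,}|/etc/passwd")),              # repeated ../ or sensitive file
    ("ognl_marker", re.compile(r"\.action\?.*[%$]\{")),                 # expression markers on a Struts action
    ("exploit_kit_landing", re.compile(r"/landing\.php\?id=\d+")),      # EK landing page shape
]

LOG_RE = re.compile(r"(\S+) (GET|POST) (\S+) (\d{3})")


def normalize(url):
    """Decode twice so double-encoded payloads (%2527) are matched as well."""
    return unquote_plus(unquote_plus(url))


def classify_request(url):
    """Return the list of rule tags that match the decoded URL."""
    decoded = normalize(url)
    return [tag for tag, rx in RULES if rx.search(decoded)]


def scan_proxy_log(text):
    """Yield (src, method, raw_url, tags) for every request that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, url, status = m.groups()
        tags = classify_request(url)
        if tags:
            hits.append((src, method, url, tags))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

Status codes are worth keeping alongside the tag: a traversal attempt answered with 403 was blocked, while a 200 on the same pattern needs the web server's own logs pulled next.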


4. Malware C2 Communication Patterns

Malware communicates with C2 servers in distinctive ways.

Fixed Interval Beaconing

DNS query to status-checkin.net every 60 seconds

Small HTTPS POST Requests

POST /status size=200 bytes response=204

Encrypted Payload Over Non-Standard Ports

TCP 8081 outbound to unknown IP

Randomized Subdomains

dj2910qws.xjpqz.net

Patterns like these reveal malware even when signatures fail.
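Fixed-interval beaconing is detectable from timestamps alone: the gaps between successive contacts to the same destination are short and, above all, regular. The block below is an added example (not from the page) that computes those gaps per (source host, destination) over constructed proxy/DNS events and flags pairs whose interval is under the page's 90-second bound and whose jitter (standard deviation divided by mean) is low. The event layout and thresholds are assumptions; `status-checkin.net` is the page's own example domain.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed events (not from the page): (epoch_seconds, src_host, destination).
EVENTS = [(1700000000 + 60 * i, "10.0.0.5", "status-checkin.net") for i in range(10)]
# Ordinary browsing: contacts to the same CDN host at irregular gaps.
EVENTS += [(1700000000 + t, "10.0.0.6", "cdn.example.org")
           for t in (3, 20, 21, 95, 180, 181, 400, 450, 700, 705)]
# Beacon with a little jitter (0-2 s) on top of a 60 s timer.
EVENTS += [(1700000000 + 60 * i + (i % 3), "10.0.0.7", "status-checkin.net") for i in range(6)]


def detect_beacons(events, min_count=5, max_interval=90, max_jitter=0.1):
    """Group events by (src, dst); report pairs that contact the destination
    often, quickly and at a steady cadence. Thresholds are illustrative."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)

    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        intervals = [b - a for a, b in zip(ts_list, ts_list[1:])]
        med = median(intervals)
        avg = mean(intervals)
        jitter = pstdev(intervals) / avg if avg else 0.0
        if med < max_interval and jitter <= max_jitter:
            beacons[key] = {"count": len(ts_list), "median_interval": med,
                            "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for key, info in detect_beacons(EVENTS).items():
        print(key, info)
```

The CDN host above has a short median interval too, which is why the page's "interval < 90 seconds" rule should be paired with a regularity test; without the jitter check, busy legitimate destinations produce constant false positives.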


5. DNS Abuse Patterns

Attackers use DNS for covert operations.

DGA Domains

a9219dasj9as.biz → repeated NXDOMAIN

DNS Tunneling

TXT queries > 200 characters  
Base64-like strings

C2 via DNS

query: beacon-update-service.net

DNS-based patterns are powerful for early detection.
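Two of the DNS checks above (DGA domains and tunneling) can be scored from a resolver log with nothing more than the query name, type and response code. The block below is an added example (not from the page): it parses constructed DNS log lines, scores DGA candidates by NXDOMAIN count per source and Shannon entropy of the leftmost label, and flags TXT queries that exceed the page's 200-character bound or carry base64-looking labels. The log layout, the "registered domain = last two labels" shortcut and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed tunnel-style query name: four 60-character base64-looking labels.
B64_LABEL = "aGVsbG8gd29ybGQ" * 4
TUNNEL_QNAME = ".".join([B64_LABEL] * 4) + ".t.net"

# Constructed DNS log lines (not from the page): "src qtype qname rcode".
DNS_LOG = "\n".join([
    "10.0.0.12 A a9219dasj9as.biz NXDOMAIN",
    "10.0.0.12 A kq0dkw8zl1pf.biz NXDOMAIN",
    "10.0.0.12 A x7fj2mq9p0ra.net NXDOMAIN",
    "10.0.0.12 A www.example.com NOERROR",
    "10.0.0.13 TXT " + TUNNEL_QNAME + " NOERROR",
    "10.0.0.14 TXT _dmarc.example.com NOERROR",
])

B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{40,}$")


def entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(dict(zip(("src", "qtype", "qname", "rcode"), parts)))
    return events


def dga_suspects(events, min_nxdomain=3, min_entropy=2.5):
    """Sources that resolved several distinct registered domains to NXDOMAIN
    with random-looking leftmost labels (thresholds are illustrative)."""
    per_src = defaultdict(dict)  # src -> {registered_domain: entropy}
    for e in events:
        if e["rcode"] != "NXDOMAIN":
            continue
        labels = e["qname"].split(".")
        per_src[e["src"]][".".join(labels[-2:])] = entropy(labels[0])
    out = {}
    for src, doms in per_src.items():
        if len(doms) >= min_nxdomain:
            avg = sum(doms.values()) / len(doms)
            if avg >= min_entropy:
                out[src] = {"nxdomain": len(doms), "avg_entropy": round(avg, 2)}
    return out


def tunnel_suspects(events, max_len=200):
    """TXT queries that are over-long or carry base64-looking labels."""
    out = []
    for e in events:
        if e["qtype"] != "TXT":
            continue
        b64 = any(B64_RE.match(label) for label in e["qname"].split("."))
        if len(e["qname"]) > max_len or b64:
            out.append((e["src"], len(e["qname"]), b64))
    return out


if __name__ == "__main__":
    evs = parse_dns_log(DNS_LOG)
    print(dga_suspects(evs))
    print(tunnel_suspects(evs))
```

Entropy on its own is a weak signal (ordinary words such as `example` score above 2.5), so the DGA rule only fires when high entropy coincides with repeated NXDOMAIN answers across distinct domains. Production code should use the public suffix list rather than the last two labels, or `co.uk`-style domains will be grouped wrongly.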


6. Lateral Movement Patterns

Internal network traffic reveals attacker movement.

SMB-Based Movement

10.0.0.5 → 10.0.0.10 DPT=445

WinRM or WMI

DPT=5985 or DPT=5986 repeated internal connections

SSH Pivoting (Linux)

SRC=10.0.0.25 DPT=22 internal to multiple servers

These patterns usually follow initial compromise.
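The internal-to-internal rule the page gives later (`src_ip:10.* AND dst_ip:10.* AND DPT:(445 OR 3389 OR 5985)`) matches every file-share access in the building, so the useful signal is fan-out: one source opening administrative ports on several different internal hosts in a short period. The block below is an added example (not from the page) over constructed flow records; it uses `ipaddress` to decide what is internal and exempts a known file server/domain controller destination and a known admin jump host, both of which are assumed names for the sake of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the page): "src dst dpt".
FLOWS = """\
10.0.0.5 10.0.0.10 445
10.0.0.5 10.0.0.11 445
10.0.0.5 10.0.0.12 5985
10.0.0.5 10.0.0.13 445
10.0.0.5 10.0.0.1 445
10.0.0.200 10.0.0.10 5985
10.0.0.200 10.0.0.11 5985
10.0.0.200 10.0.0.12 5985
10.0.0.200 10.0.0.13 5985
10.0.0.8 10.0.0.1 445
10.0.0.8 203.0.113.10 443
10.0.0.9 10.0.0.1 445
"""

# Ports used for remote administration / lateral movement (SMB, RPC, RDP, WinRM, SSH).
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Assumed environment knowledge: the DC/file server everyone talks to, and the
# jump host from which admins legitimately fan out.
EXPECTED_DESTINATIONS = frozenset({"10.0.0.1"})
KNOWN_ADMIN_HOSTS = frozenset({"10.0.0.200"})


def is_internal(ip):
    return ipaddress.ip_address(ip).is_private


def lateral_fanout(text, min_targets=3, expected_destinations=EXPECTED_DESTINATIONS,
                   known_admin_hosts=KNOWN_ADMIN_HOSTS):
    """Sources that reached min_targets distinct internal hosts on admin ports,
    ignoring expected servers and known admin hosts (thresholds illustrative)."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, dpt = parts[0], parts[1], int(parts[2])
        if dpt not in ADMIN_PORTS or not (is_internal(src) and is_internal(dst)):
            continue
        if src in known_admin_hosts or dst in expected_destinations:
            continue
        targets[src].add(dst)
        ports[src].add(dpt)
    return {src: {"targets": sorted(t), "ports": sorted(ports[src])}
            for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print(lateral_fanout(FLOWS))
```

Workstation 10.0.0.5 touching four peers on SMB and WinRM is the pattern to escalate; the same fan-out from the jump host is expected and stays quiet. Keep the exemption lists short and reviewed, because an attacker who lands on the jump host inherits its silence.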


7. Data Exfiltration Patterns

Attackers send stolen data out of the organization.

Large Outbound POST Requests

POST /upload SIZE_OUT=6MB

DNS Exfiltration

TXT records with long encoded strings

Unusual File Transfer Protocols

SCP outbound to unknown IP

Spikes in Outbound Traffic

Outbound traffic 20x normal baseline

Exfiltration patterns indicate breach escalation.
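The two exfiltration checks the page relies on are a size threshold on single uploads (the SIEM rule later uses `bytes_out > 1000000`) and a spike against a per-host baseline (the "20x normal" figure above). The block below is an added example (not from the page) that applies both to constructed data: a proxy log of POST requests with an outbound byte count, and per-host daily outbound totals where the baseline is the median of the previous days. The log layout, the backup-destination allowlist and the factor are assumptions; `file.io` is the page's own example destination.

```python
from statistics import median
from urllib.parse import urlparse

# Constructed proxy POST records (not from the page): "src POST url bytes_out".
PROXY_POSTS = """\
10.0.0.5 POST https://file.io/upload 6291456
10.0.0.8 POST https://crm.example.com/api/save 18322
10.0.0.9 POST https://backup.example.com/put 2097152
"""

# Constructed daily outbound byte totals per host, oldest first; the last entry is today.
DAILY_BYTES_OUT = {
    "10.0.0.5": [48_000_000, 51_000_000, 47_500_000, 50_200_000, 49_100_000, 1_250_000_000],
    "10.0.0.8": [12_000_000, 11_400_000, 13_100_000, 12_800_000, 12_200_000, 14_000_000],
}

# Assumed: destinations where large uploads are expected (backup, CRM sync, ...).
ALLOWED_UPLOAD_HOSTS = frozenset({"backup.example.com"})


def large_posts(text, min_bytes=1_000_000, allowed_hosts=ALLOWED_UPLOAD_HOSTS):
    """Single POST requests above min_bytes to hosts that are not allowlisted."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "POST":
            continue
        src, url, size = parts[0], parts[2], int(parts[3])
        host = urlparse(url).hostname
        if size >= min_bytes and host not in allowed_hosts:
            hits.append((src, host, size))
    return hits


def outbound_spikes(daily, factor=20):
    """Hosts whose latest daily total exceeds factor x the median of prior days.
    Returns {host: ratio} rounded to one decimal."""
    spikes = {}
    for host, totals in daily.items():
        if len(totals) < 2:
            continue
        baseline = median(totals[:-1])
        ratio = totals[-1] / baseline if baseline else float("inf")
        if ratio >= factor:
            spikes[host] = round(ratio, 1)
    return spikes


if __name__ == "__main__":
    print(large_posts(PROXY_POSTS))
    print(outbound_spikes(DAILY_BYTES_OUT))
```

A median baseline is used rather than a mean so that one earlier large day does not inflate the baseline and hide the spike; the same host that exceeds the daily ratio here also appears in the single-upload check, which is the corroboration an analyst looks for before escalating.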


8. Botnet / Cryptomining Patterns

Mining Pool Traffic

STRATUM protocol outbound to pool.minexmr.com

High-Volume Persistent Connections

constant TCP connections → external pool

Sudden Spike in CPU + Network

Monitored via host + network logs.


9. Reconnaissance Through DNS Patterns

Attackers enumerate subdomains using DNS.

query: ftp.target.com
query: admin.target.com
query: db1.target.com
query: vpn.target.com

Sequential lookups = targeted recon.
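Subdomain enumeration looks different from DGA traffic: one registered domain, many distinct hostnames under it, most of them non-existent. The block below is an added example (not from the page) that groups constructed authoritative-DNS log lines by (source, registered domain), counts distinct subdomains inside a sliding window and reports the NXDOMAIN ratio. The log layout, the window and the count threshold are assumptions; `example.com` stands in for the page's `target.com`.

```python
from collections import defaultdict

# Constructed DNS server log lines (not from the page): "epoch src qname rcode".
DNS_LOG = """\
1700000000 203.0.113.50 ftp.example.com NXDOMAIN
1700000002 203.0.113.50 admin.example.com NXDOMAIN
1700000004 203.0.113.50 db1.example.com NXDOMAIN
1700000006 203.0.113.50 vpn.example.com NOERROR
1700000008 203.0.113.50 mail.example.com NOERROR
1700000010 203.0.113.50 dev.example.com NXDOMAIN
1700000500 10.0.0.20 www.example.com NOERROR
1700000520 10.0.0.20 mail.example.com NOERROR
"""


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append({"ts": int(parts[0]), "src": parts[1],
                           "qname": parts[2], "rcode": parts[3]})
    return events


def registered_domain(qname):
    # Simplification: last two labels. Use the public suffix list in production.
    return ".".join(qname.split(".")[-2:])


def subdomain_enumeration(events, window=60, min_distinct=5):
    """(src, domain) pairs that queried min_distinct different hostnames under
    one domain within `window` seconds. Thresholds are illustrative."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], registered_domain(e["qname"]))].append(e)

    findings = {}
    for key, items in groups.items():
        items.sort(key=lambda e: e["ts"])
        for i, first in enumerate(items):
            in_window = [e for e in items[i:] if e["ts"] - first["ts"] < window]
            names = {e["qname"] for e in in_window}
            if len(names) >= min_distinct:
                nx = sum(1 for e in in_window if e["rcode"] == "NXDOMAIN")
                findings[key] = {"distinct": len(names),
                                 "nxdomain_ratio": round(nx / len(in_window), 2)}
                break
    return findings


if __name__ == "__main__":
    print(subdomain_enumeration(parse_dns_log(DNS_LOG)))
```

A high NXDOMAIN ratio is what separates a wordlist-driven enumeration from a monitoring system that legitimately polls many real hostnames of the same zone.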


Real Attack Scenario Using Network Attack Patterns

Step 1 — External Recon

ET SCAN Nmap Scripting Engine

Step 2 — Vertical Scan on Web Server

DPT=80,443,8080,8000,3306

Step 3 — Exploit Attempt Logged

ET EXPLOIT Apache Struts RCE

Step 4 — Malware Download

Proxy:

URL=http://malicious.ru/dropper.exe

Step 5 — C2 Communication Pattern

POST /status every 60 seconds

Step 6 — Lateral Movement

10.0.0.5 → 10.0.0.22 DPT=445

Step 7 — Data Exfiltration

POST 4MB to https://file.io/upload

Network patterns reveal the entire kill chain.


SIEM Queries for Network Attack Pattern Detection

Port Scanning

count(DPT) > 10 by SRC in 1 minute

Brute Force Patterns

DPT=22 AND action:DROP AND src_ip:<same_ip>

Beaconing Detection

same_domain AND query interval < 90 seconds

Lateral Movement

src_ip:10.* AND dst_ip:10.* AND DPT:(445 OR 3389 OR 5985)

Exfiltration

POST AND bytes_out > 1000000

DNS Tunneling

query_length > 150 AND query_type:TXT

C2 Domains

domain IN threat_intel AND repeated queries

Analyst Workflow for Network Attack Pattern Investigations

  1. Identify suspicious network behavior

  2. Categorize pattern (scanning, exploit, beacon, exfiltration, etc.)

  3. Map affected hosts

  4. Correlate with host logs (Sysmon, Linux)

  5. Identify initial access point

  6. Check for lateral movement

  7. Evaluate whether malware executed

  8. Check for persistence or privilege escalation

  9. Build full attack timeline

  10. Escalate incident and isolate compromised systems

Network patterns allow SOC analysts to detect attacks even when malware leaves no file-based trace.


Intel Dump

  • Network attack patterns reveal scanning, exploitation, C2 activity, lateral movement, and exfiltration.

  • Attack patterns rely on attacker behavior rather than static indicators.

  • Logs like IDS/IPS, firewall, DNS, proxy, and NetFlow provide visibility.

  • Common patterns include beaconing, brute force, DGA domains, DNS tunneling, SMB lateral movement, and large outbound POST requests.

  • SIEM queries detect frequency anomalies, suspicious ports, encoded DNS traffic, repeated beaconing, and data exfiltration.

  • Network attack patterns expose full kill chains even when malware hides from endpoint detection.
