MITRE ATT&CK® Analytic

AN0842: Analytic 0842

A remote source rapidly touches a short sequence of closed ports (SYN→RST/S0) on a Windows host. Within a short window the host changes firewall state (WFP rule added/modified or service starts listening) and then the same source completes the first successful handshake to the newly opened port.

Enterprise | AN0842 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting a suspicious sequence on Windows: an external source probes closed ports, the host soon changes its firewall or listening-service state, and that same source is then first to connect successfully to the newly opened port. For leaders, the value is not just “port scanning”; it is evidence that a change in exposure may have occurred immediately before remote access became possible.

Executive priority

Prioritize this as an exposure-change and incident-triage use case. It helps answer whether a Windows system unexpectedly became reachable from a remote source, whether firewall/service changes were authorized, and whether SOC and IR teams can reconstruct the first successful connection after a port opens. This supports resilience, change-control evidence, and rapid decision-making during suspected compromise or misconfiguration events.

Technical view

Validate whether Windows hosts generate and retain enough evidence to correlate three events in a short window: failed connection attempts to closed ports, Windows firewall/WFP rule addition or modification or a service beginning to listen, and the first completed handshake from the same remote source to the newly opened port. Because no ATT&CK tactic, relationship context, or official detection logic is supplied, teams should treat this as a correlation pattern to test against local network, host firewall, and service telemetry rather than as a complete detection rule.

Likely telemetry

  • Network connection metadata showing SYN/RST or failed connection attempts to closed ports
  • Successful connection or flow records showing the first completed handshake to the newly opened port
  • Windows Firewall or Windows Filtering Platform rule add/modify events
  • Host service state changes indicating a process or service started listening on a port
  • Endpoint logs that identify local port, remote source, timestamp, and process or service where available

Detection direction

  • Correlate by remote source, destination host, destination port sequence, and short time window: closed-port touches followed by firewall/listener change followed by successful connection.
  • Tune for authorized maintenance, software deployment, vulnerability scanning, and expected service startups to reduce false positives.
  • Check blind spots where network sensors cannot see resets or handshakes, host firewall logging is disabled, WFP events are not collected, or endpoint telemetry lacks listening-port/process context.
  • Prioritize alerts where the firewall or listener change is not tied to an approved change, known administrator activity, or expected service behavior.
  • Validate time synchronization across network and Windows telemetry; this analytic depends heavily on event ordering.
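One way to prototype the correlation described in the bullets above, as an added example that is not part of the MITRE object or of Glexia's page: the event schema, host names, addresses and timestamps are constructed, and the five-minute window, three-port threshold and approved-change list are assumptions to be tuned against local baselines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:                 # constructed schema, not a vendor log format
    ts: datetime
    kind: str                # "conn" (flow record), "fw_change" (WFP rule), "listen" (new listener)
    host: str                # Windows host the event concerns
    port: int
    src: str = ""            # remote source, conn events only
    ok: bool = False         # conn events: True when the 3-way handshake completed

def correlate(events, window=timedelta(minutes=5), min_touches=3, approved=frozenset()):
    """Return (src, host, port) for each AN0842 sequence: src fails against >= min_touches
    distinct ports on host, host then adds a rule or starts a listener on port, and src is
    the first source to complete a handshake to it, all inside window. (host, port) pairs
    in `approved` are covered by an approved change and are suppressed (tuning)."""
    events = sorted(events, key=lambda e: e.ts)
    seen_open = set()        # (host, port) pairs whose first completed handshake was seen
    alerts = []
    for i, e in enumerate(events):
        if e.kind != "conn" or not e.ok or (e.host, e.port) in seen_open:
            continue
        seen_open.add((e.host, e.port))          # e is the first successful handshake
        if (e.host, e.port) in approved:
            continue
        recent = [x for x in events[:i] if x.host == e.host and e.ts - x.ts <= window]
        probes = [x for x in recent if x.kind == "conn" and x.src == e.src and not x.ok]
        if len({x.port for x in probes}) < min_touches:
            continue
        changes = [x for x in recent if x.kind in ("fw_change", "listen") and x.port == e.port]
        # the exposure change must come after probing began, otherwise the order is wrong
        if changes and max(c.ts for c in changes) >= probes[0].ts:
            alerts.append((e.src, e.host, e.port))
    return alerts

def _t(hms):                 # helper: clock time on a fixed constructed date
    return datetime.fromisoformat("2024-05-01T" + hms)

SAMPLE = [                   # constructed sample telemetry, not real hosts or addresses
    Event(_t("10:00:01"), "conn", "WIN-FS01", 445, src="203.0.113.7"),   # SYN -> RST
    Event(_t("10:00:02"), "conn", "WIN-FS01", 3389, src="203.0.113.7"),  # SYN -> RST
    Event(_t("10:00:03"), "conn", "WIN-FS01", 5985, src="203.0.113.7"),  # S0, no reply
    Event(_t("10:01:30"), "fw_change", "WIN-FS01", 5985),                # WFP rule added
    Event(_t("10:01:45"), "conn", "WIN-FS01", 5985, src="203.0.113.7", ok=True),
    Event(_t("11:00:00"), "listen", "WIN-APP02", 8080),                  # scheduled deploy
    Event(_t("11:00:20"), "conn", "WIN-APP02", 8080, src="10.0.0.5", ok=True),
]
if __name__ == "__main__":
    print(correlate(SAMPLE))  # [('203.0.113.7', 'WIN-FS01', 5985)]
```

The WIN-APP02 listener produces no alert because no source probed closed ports on that host beforehand; the "first handshake" check is what separates the probing source from a later, legitimate client.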

Mitigation priorities

  • Ensure Windows firewall and service exposure changes are governed by change control and least-privilege administration.
  • Enable and retain telemetry for Windows firewall/WFP changes, service/listener creation, and network connection outcomes where operationally feasible.
  • Restrict inbound access to required sources and ports, reducing the chance that an unexpected listener becomes broadly reachable.
  • Review administrative permissions that can modify firewall rules or start listening services on Windows hosts.
  • Use incident response playbooks that quickly determine who changed the firewall or service state, what process opened the port, and whether the first remote connection was authorized.

Analyst notes and limits

The supplied object is a detection analytic for Windows with a clear behavioral sequence but no official detection text and no relationship context. The strongest use is as a validation checklist for SOC engineering and IR readiness: can the organization prove when a closed port became open and who connected first?

This take is limited to the supplied ATT&CK fields. No tactic mapping, related technique, actor, software, campaign, or mitigation relationships were provided. Local baselines, approved-change records, and actual telemetry availability are required before judging severity or coverage.

Official MITRE ATT&CK definition

Analytic 0842

A remote source rapidly touches a short sequence of closed ports (SYN→RST/S0) on a Windows host. Within a short window the host changes firewall state (WFP rule added/modified or service starts listening) and then the same source completes the first successful handshake to the newly opened port.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7e132e62060b1480...

Imported snapshots across ATT&CK releases (1)

  Release  Bundle imported  Object version  Modified  Status          Raw hash
  19.1                      1.0                       Current bundle  7e132e62060b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0842 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.