Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as
dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.
APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.
APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.
APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.
Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.
BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.
BlackEnergy has conducted port scans on a host.
BlackTech has used the SNScan tool to find other potential targets on victim networks.
|S1063||Brute Ratel C4||
Brute Ratel C4 can conduct port scanning against targeted systems.
During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.
Caterpillar WebShell has a module to use a port scanner on a system.
Chimera has used the
China Chopper's server component can spider authentication portals.
Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.
Cobalt Strike can perform port scans from an infected host.
During CostaRicto, the threat actors employed nmap and pscan to scan target environments.
DarkVishnya performed port scanning to obtain the list of active services.
FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.
Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.
HermeticWizard has the ability to scan ports on a compromised network.
Hildegard has used masscan to look for kubelets in the internal Kubernetes network.
Industroyer uses a custom port scanner to map out a network.
InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.
Koadic can scan for open TCP ports on the target network.
Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.
Leafminer scanned network services to search for vulnerabilities in the victim system.
Lucifer can scan for open ports including TCP ports 135 and 1433.
Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.
menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.
MURKYTOP has the capability to scan for open ports on hosts in a connected network.
Naikon has used the LadonGo scanner to scan target networks.
OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.
During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers.
P.A.S. Webshell can scan networks for open ports and listening services.
Peirates can initiate a port scan against a given IP address.
Pysa can perform network reconnaissance using the Advanced Port Scanner tool.
Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.
Remsec has a plugin that can perform ARP scanning as well as port scanning.
Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.
Royal can scan the network interfaces of targeted systems.
SILENTTRINITY can scan for open ports on a compromised machine.
SpeakUp checks for availability of specific ports on servers.
Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open.
TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.
Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.
Tropic Trooper used
XTunnel is capable of probing the network for open ports.
|M1042||Disable or Remove Feature or Program||
Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
|M1031||Network Intrusion Prevention||
Use network intrusion detection/prevention systems to detect and prevent remote service scans.
Ensure proper network segmentation is followed to protect critical servers and devices.
|ID||Data Source||Data Component||Detects|
|DS0025||Cloud Service||Cloud Service Enumeration||
Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.
Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
|DS0029||Network Traffic||Network Traffic Flow||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.