Conduct active scanning

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. [1]

ID: T1254
Sub-techniques:  No sub-techniques
Tactic: Technical Information Gathering
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender since there is no actionable defense to execute. The high volume of this activity makes it burdensome for any defender to chase and therefore often ignored.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Various available tools and data sources for scouting and detecting address, routing, version numbers, patch levels, protocols/services running, etc.


  1. Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the “APT” Intelligence Gathering Process. Retrieved March 1, 2017.