Conduct active scanning

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. [1]

ID: T1254

Tactic: Technical Information Gathering

Version: 1.0


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: This technique is an expected and voluminous activity when on the Internet. Active scanning techniques/tools typically generate benign traffic that does not require further investigation by a defender, since there is no actionable defense to execute. The high volume of this activity makes it burdensome for any defender to chase, and it is therefore often ignored.
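Because scan traffic is too voluminous to review event by event, a defender who wants any visibility usually aggregates it per source instead. The following is an added example, not part of the original technique entry: it summarizes firewall log lines by source fan-out inside a time window. The log format, thresholds, function name and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log ("ts src dst dport action"); all addresses
# and values are made up for this example (documentation ranges).
SAMPLE_LOG = (
    [f"{100 + i} 198.51.100.7 10.0.0.5 {p} DENY"            # many ports, one host
     for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [f"{200 + i} 203.0.113.9 10.0.0.{i + 1} 22 DENY"      # one port, many hosts
       for i in range(6)]
    + [f"{t} 192.0.2.50 10.0.0.5 443 ALLOW" for t in (100, 130, 400)]  # normal client
    + [f"{300 * i} 192.0.2.77 10.0.0.5 {p} DENY"            # same fan-out over 20 minutes
       for i, p in enumerate([21, 22, 23, 25, 80])]
)


def classify_sources(lines, window=60.0, min_ports=5, min_hosts=5):
    """Return {src: [scan kinds]} for sources whose fan-out inside any
    `window`-second span reaches the (assumed) thresholds."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _action = line.split()
        events[src].append((float(ts), dst, int(dport)))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        start, kinds = 0, set()
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, dst, port in evs[start:end + 1]:
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            if any(len(p) >= min_ports for p in ports_by_host.values()):
                kinds.add("vertical")      # one target, many services
            if any(len(h) >= min_hosts for h in hosts_by_port.values()):
                kinds.add("horizontal")    # one service, many targets
        if kinds:
            findings[src] = sorted(kinds)
    return findings


if __name__ == "__main__":
    for src, kinds in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, kinds)
```

The window length is a tuning trade-off: the fourth sample source only appears once the window is widened, at the cost of holding more state per source.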

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Various tools and data sources are available for scouting and detecting addresses, routing, version numbers, patch levels, protocols/services running, etc.


  1. Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the “APT” Intelligence Gathering Process. Retrieved March 1, 2017.