Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.[1]
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .
) to find other systems broadcasting the ssh service.[2][3]
ID | Name | Description |
---|---|---|
G0050 | APT32 |
APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.[4] |
G0087 | APT39 |
APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[5][6] |
G0096 | APT41 |
APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[7] |
S0093 | Backdoor.Oldrea |
Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[8] |
G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.[9] |
S0089 | BlackEnergy |
BlackEnergy has conducted port scans on a host.[10] |
G0098 | BlackTech |
BlackTech has used the SNScan tool to find other potential targets on victim networks.[11] |
S0572 | Caterpillar WebShell |
Caterpillar WebShell has a module to use a port scanner on a system.[12] |
G0114 | Chimera |
Chimera has used the |
S0020 | China Chopper |
China Chopper's server component can spider authentication portals.[14] |
G0080 | Cobalt Group |
Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.[15][16][17] |
S0154 | Cobalt Strike |
Cobalt Strike can perform port scans from an infected host.[18][19][20] |
S0608 | Conficker | |
G0132 | CostaRicto |
CostaRicto employed nmap and pscan to scan target environments.[22] |
G0105 | DarkVishnya |
DarkVishnya performed port scanning to obtain the list of active services.[23] |
S0363 | Empire | |
G0037 | FIN6 |
FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[25] |
G0117 | Fox Kitten |
Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.[26][27] |
S0061 | HDoor | |
S0698 | HermeticWizard |
HermeticWizard has the ability to scan ports on a compromised network.[29] |
S0601 | Hildegard |
Hildegard has used masscan to look for kubelets in the internal Kubernetes network.[30] |
S0604 | Industroyer |
Industroyer uses a custom port scanner to map out a network.[31] |
S0260 | InvisiMole |
InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.[32] |
S0250 | Koadic |
Koadic can scan for open TCP ports on the target network.[33] |
G0032 | Lazarus Group |
Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.[34] |
G0077 | Leafminer |
Leafminer scanned network services to search for vulnerabilities in the victim system.[35] |
S0532 | Lucifer |
Lucifer can scan for open ports including TCP ports 135 and 1433.[36] |
G0045 | menuPass |
menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[37] |
S0233 | MURKYTOP |
MURKYTOP has the capability to scan for open ports on hosts in a connected network.[14] |
G0019 | Naikon |
Naikon has used the LadonGo scanner to scan target networks.[38] |
S0590 | NBTscan | |
G0049 | OilRig |
OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[41] |
G0116 | Operation Wocao |
Operation Wocao has scanned for open ports and used nbtscan to find NETBIOS nameservers.[42] |
S0598 | P.A.S. Webshell |
P.A.S. Webshell can scan networks for open ports and listening services.[43] |
S0683 | Peirates |
Peirates can initiate a port scan against a given IP address.[44] |
S0378 | PoshC2 | |
S0192 | Pupy | |
S0583 | Pysa |
Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[47] |
S0458 | Ramsay |
Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.[48][49] |
S0125 | Remsec |
Remsec has a plugin that can perform ARP scanning as well as port scanning.[50] |
G0106 | Rocke |
Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[51][52] |
S0692 | SILENTTRINITY |
SILENTTRINITY can scan for open ports on a compromised machine.[53] |
S0374 | SpeakUp |
SpeakUp checks for availability of specific ports on servers.[54] |
G0039 | Suckfly |
Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open.[55] |
G0139 | TeamTNT |
TeamTNT has used masscan to search for open Docker API ports.[56][30] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[57] |
G0027 | Threat Group-3390 |
Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[58][59] |
G0081 | Tropic Trooper |
Tropic Trooper used |
S0341 | Xbash | |
S0117 | XTunnel |
XTunnel is capable of probing the network for open ports.[63] |
S0412 | ZxShell |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation. |
M1031 | Network Intrusion Prevention |
Use network intrusion detection/prevention systems to detect and prevent remote service scans. |
M1030 | Network Segmentation |
Ensure proper network segmentation is followed to protect critical servers and devices. |
ID | Data Source | Data Component |
---|---|---|
DS0025 | Cloud Service | Cloud Service Enumeration |
DS0017 | Command | Command Execution |
DS0029 | Network Traffic | Network Traffic Flow |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.