Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-04 | Information Flow Enforcement | Protects | T1046 | Network Service Discovery | |
| CA-07 | Continuous Monitoring | Protects | T1046 | Network Service Discovery | |
| CM-02 | Baseline Configuration | Protects | T1046 | Network Service Discovery | |
| CM-06 | Configuration Settings | Protects | T1046 | Network Service Discovery | |
| CM-07 | Least Functionality | Protects | T1046 | Network Service Discovery | |
| CM-08 | System Component Inventory | Protects | T1046 | Network Service Discovery | |
| RA-05 | Vulnerability Monitoring and Scanning | Protects | T1046 | Network Service Discovery | |
| SC-46 | Cross Domain Policy Enforcement | Protects | T1046 | Network Service Discovery | |
| SI-03 | Malicious Code Protection | Protects | T1046 | Network Service Discovery | |
| SI-04 | System Monitoring | Protects | T1046 | Network Service Discovery | |
| SC-07 | Boundary Protection | Protects | T1046 | Network Service Discovery | |
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1046 | Network Service Discovery |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|