Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2023-26360 | Adobe ColdFusion Deserialization of Untrusted Data Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
This vulnerability gives an adversary access through exploitation of a public-facing server.
References
|
| CVE-2019-11634 | Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
CVE-2019-11634 is a remote code execution vulnerability for Citrix Workspace Application and Receiver for Windows
References
|
| CVE-2019-13608 | Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
References
|
| CVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | primary_impact | T1046 | Network Service Discovery |
Comments
This vulnerability is exploited through an SSRF (Server Side Request Forgery) flaw in the vSphere Client (HTML5) of VMware's vCenter Server, affecting the vCenter Server plugin. Attackers leverage this vulnerability to gain unauthorized access by sending a crafted POST request to the vCenter Server plugin, thereby bypassing URL validation. This manipulation enables the disclosure of sensitive information. By exploiting this flaw, attackers can scan the company's internal network and retrieve specifics about open ports and services.
References
|
| CVE-2023-38035 | Ivanti Sentry Authentication Bypass Vulnerability | secondary_impact | T1046 | Network Service Discovery |
Comments
This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system.
This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.
References
|