T1046 Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host's registered services on the network. For example, adversaries can use an mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the SSH service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.IR-01.01 | Network segmentation | Mitigates | T1046 | Network Service Discovery
  Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Employing proper network segmentation can protect critical servers and devices from discovery and potential exploitation.
PR.IR-04.01 | Utilization monitoring | Mitigates | T1046 | Network Service Discovery
  Comments: This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include Data Loss Prevention (DLP), Filtering Network Traffic, Limit Network Traffic, Network Intrusion Prevention Systems (NIPS), and Network Segmentation for this type of network-based technique.
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1046 | Network Service Discovery
  Comments: This diagnostic statement protects against Network Service Discovery through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
PR.IR-01.04 | Wireless network protection | Mitigates | T1046 | Network Service Discovery
  Comments: This diagnostic statement provides protections for wireless networks. Implementation of wireless network management measures such as network segmentation and access controls reduces the attack surface, restricts movement by adversaries, and protects data from compromise.
PR.IR-01.06 | Production environment segregation | Mitigates | T1046 | Network Service Discovery
  Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.

NIST 800-53 Mappings

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery
action.malware.variety.Scan network | Enumerating the state of the network | related-to | T1046 | Network Service Discovery

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
azure_firewall | Azure Firewall | technique_scores | T1046 | Network Service Discovery
  Comments: This control typically filters external network traffic and therefore can be effective for preventing external network service scanning, but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1046 | Network Service Discovery
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1046 | Network Service Discovery
  Comments: This control can detect network service scanning/discovery activity.
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1046 | Network Service Discovery
  Comments: This control can detect network service scanning of web applications by an adversary. Because this detection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1046 | Network Service Discovery
  Comments: This control can protect web applications from network service scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
cloud_armor | Cloud Armor | technique_scores | T1046 | Network Service Discovery
  Comments: Cloud Armor filters external network traffic and therefore can be effective for preventing external network service scanning. Network service scanning originating from inside the trusted network is not mitigated.
cloud_ngfw | Cloud Next-Generation Firewall (NGFW) | technique_scores | T1046 | Network Service Discovery
  Comments: Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within the network protected by the firewall.
vpc_service_controls | VPC Service Controls | technique_scores | T1046 | Network Service Discovery
  Comments: VPC security perimeters can limit the impact from active scanning and lateral movement techniques used to exploit the target environment.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_guardduty | Amazon GuardDuty | technique_scores | T1046 | Network Service Scanning
  Comments: The following GuardDuty finding types reflect flagged events where there is an attempt to get a list of services running on a remote host:
    - Recon:EC2/PortProbeEMRUnprotectedPort
    - Recon:EC2/PortProbeUnprotectedPort
    - Recon:EC2/Portscan
    - Impact:EC2/PortSweep
amazon_inspector | Amazon Inspector | technique_scores | T1046 | Network Service Scanning
  Comments: The Amazon Inspector Network Reachability assessment package can assess whether or not cloud/network components are vulnerable (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components but rather reports on vulnerabilities that it identifies, which can then be used to securely configure the cloud/network components. Due to this, the score is capped at Partial.
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1046 | Network Service Scanning
  Comments: VPC security groups and network access control lists (NACLs) can filter both internal and external network traffic and therefore can mitigate unauthorized network service scanning.
aws_iot_device_defender | AWS IoT Device Defender | technique_scores | T1046 | Network Service Scanning
  Comments: The following AWS IoT Device Defender device-side detection metrics can detect indicators that an adversary may be leveraging compromised AWS IoT devices to search their networks for other hosts and their running services, possibly to subsequently carry out lateral movement techniques:
    - "Destination IPs" ("aws:destination-ip-addresses") outside of expected IP address ranges may suggest that a device is communicating with unexpected devices.
    - "Bytes in" ("aws:all-bytes-in"), "Bytes out" ("aws:all-bytes-out"), "Packets in" ("aws:all-packets-in"), and "Packets out" ("aws:all-packets-out") values outside of expected norms may indicate that the device is sending and/or receiving non-standard traffic, which may be traffic used to discover other hosts/services.
    - "Listening TCP ports" ("aws:listening-tcp-ports"), "Listening TCP port count" ("aws:num-listening-tcp-ports"), "Established TCP connections count" ("aws:num-established-tcp-connections"), "Listening UDP ports" ("aws:listening-udp-ports"), and "Listening UDP port count" ("aws:num-listening-udp-ports") values outside of expected norms may indicate that devices are communicating via unexpected ports/protocols, which may suggest scanning is taking place.
  Coverage factor is partial, since these metrics are limited to IoT device communication and detection is only based on network traffic, resulting in an overall score of Partial.
aws_network_firewall | AWS Network Firewall | technique_scores | T1046 | Network Service Scanning
  Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against network service scanning. This mapping is given a score of Partial because it only protects against network service scanning attacks that originate from outside the firewall and not from within the network protected by the firewall.
aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1046 | Network Service Scanning
  Comments: AWS WAF protects against bots that run scans against web applications, such as Nessus (vulnerability assessments) and Nmap (IP address and port scans), among others. AWS WAF does this by blocking malicious traffic that indicates bad bots such as those listed above (e.g., via User-Agent values). AWS WAF uses the following rule sets to provide this protection:
    - AWSManagedRulesCommonRuleSet
    - AWSManagedRulesBotControlRuleSet
  This is scored as Partial because the rule sets, while they block malicious traffic in near real-time, only protect web applications against scans performed by bots.
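The AWS IoT Device Defender note above describes detection as metric values "outside of expected norms". The following is an added example, not code from this mapping page or from AWS, of how a defender might evaluate a device-side metric report against a per-device-class baseline using the metric names the note lists. The report shape (a dict keyed by metric name), the baseline CIDRs, port allow-lists and thresholds, and both sample reports are constructed assumptions, not the real Device Defender report schema.

```python
# Added example: evaluate a constructed device-side metric report against an
# assumed baseline, using the metric names from the IoT Device Defender note.
import ipaddress

# Assumed baseline for one device class: expected peer ranges, allowed
# listening ports and per-interval traffic ceilings (constructed values).
BASELINE = {
    "expected_cidrs": ["10.20.0.0/16", "192.0.2.0/24"],
    "allowed_tcp_ports": {8883},          # MQTT over TLS only
    "allowed_udp_ports": set(),
    "max_bytes_out": 200_000,
    "max_packets_out": 2_000,
    "max_established_tcp": 5,
}

def evaluate_report(report: dict, baseline: dict = BASELINE) -> list[str]:
    """Return the T1046-relevant deviations found in one metric report."""
    nets = [ipaddress.ip_network(c) for c in baseline["expected_cidrs"]]
    findings = []
    # Peers outside the expected ranges: the device is reaching hosts it has no reason to know.
    unexpected = [ip for ip in report.get("aws:destination-ip-addresses", [])
                  if not any(ipaddress.ip_address(ip) in n for n in nets)]
    if unexpected:
        findings.append(f"unexpected destinations: {unexpected}")
    # Outbound volume and connection fan-out above the baseline ceilings.
    for metric, key in (("aws:all-bytes-out", "max_bytes_out"),
                        ("aws:all-packets-out", "max_packets_out"),
                        ("aws:num-established-tcp-connections", "max_established_tcp")):
        value = report.get(metric, 0)
        if value > baseline[key]:
            findings.append(f"{metric}={value} exceeds {baseline[key]}")
    # Listening ports the device is not supposed to expose.
    for metric, key in (("aws:listening-tcp-ports", "allowed_tcp_ports"),
                        ("aws:listening-udp-ports", "allowed_udp_ports")):
        extra = set(report.get(metric, [])) - baseline[key]
        if extra:
            findings.append(f"{metric} outside allow-list: {sorted(extra)}")
    return findings

# Constructed sample reports: one healthy device and one whose metrics look like scanning.
HEALTHY = {"aws:destination-ip-addresses": ["10.20.1.5"], "aws:all-bytes-out": 12_000,
           "aws:all-packets-out": 150, "aws:num-established-tcp-connections": 1,
           "aws:listening-tcp-ports": [8883], "aws:listening-udp-ports": []}
SUSPECT = {"aws:destination-ip-addresses": ["10.20.1.5", "10.20.3.7", "198.51.100.9"],
           "aws:all-bytes-out": 350_000, "aws:all-packets-out": 9_800,
           "aws:num-established-tcp-connections": 48,
           "aws:listening-tcp-ports": [8883, 4444], "aws:listening-udp-ports": [5353]}

if __name__ == "__main__":
    for name, rep in (("healthy", HEALTHY), ("suspect", SUSPECT)):
        print(name, evaluate_report(rep) or "no deviations")
```

The healthy report produces no findings; the suspect report yields six, one per deviating metric, which a pipeline would forward as a single T1046 alert for that device.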