T1046 Network Service Scanning Mappings

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

NIST 800-53 Mappings

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

network_security_groups | Network Security Groups | technique_scores | T1046 | Network Service Scanning |

azure_sentinel | Azure Sentinel | technique_scores | T1046 | Network Service Scanning | Comments: The Azure Sentinel Analytics "High count of connections by client IP on many ports" query can detect when a given client IP has 30 or more ports used within a 10-minute window, which may indicate malicious scanning. The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can detect scanning via Empire, but does not address other procedures.

azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1046 | Network Service Scanning | Comments: This control can protect web applications from network service scanning by an adversary. Because this protection is specific to web applications (although they are frequent targets) and does not cover the other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.

azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1046 | Network Service Scanning | Comments: This control can detect network service scanning of web applications by an adversary. Because this detection is specific to web applications (although they are frequent targets) and does not cover the other application types enumerated in the procedure examples of this technique (e.g. Active Directory), it has been scored as Partial.

azure_firewall | Azure Firewall | technique_scores | T1046 | Network Service Scanning | Comments: This control typically filters external network traffic and can therefore be effective for preventing external network service scanning, but network service scanning originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection.

azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1046 | Network Service Scanning | Comments: This control can detect network service scanning/discovery activity.
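
The threshold described in the Azure Sentinel comment (30 or more ports from one client IP within a 10-minute window) can be illustrated with a sliding-window count over connection records. This is an added example, not the Azure Sentinel query itself; the function names and the (timestamp, client IP, destination port) record layout are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # window length stated in the Azure Sentinel comment
PORT_THRESHOLD = 30              # "30 or more ports" from the same comment


def find_port_scanners(events, window=WINDOW, threshold=PORT_THRESHOLD):
    """Map client IP -> first time it had >= threshold distinct ports in one window.

    events: iterable of (timestamp, client_ip, dest_port) tuples (assumed layout).
    """
    recent = defaultdict(deque)                     # ip -> (ts, port) still in window
    counts = defaultdict(lambda: defaultdict(int))  # ip -> port -> hits in window
    flagged = {}
    for ts, ip, port in sorted(events):
        q, c = recent[ip], counts[ip]
        q.append((ts, port))
        c[port] += 1
        # Evict connections that have aged out of the sliding window.
        while ts - q[0][0] >= window:
            _, old_port = q.popleft()
            c[old_port] -= 1
            if c[old_port] == 0:
                del c[old_port]
        if len(c) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sample_events():
    """Constructed sample records using documentation addresses, not real logs."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # Client touching 40 different ports, one every 5 seconds: should be flagged.
    events += [(t0 + timedelta(seconds=5 * i), "192.0.2.10", 20 + i) for i in range(40)]
    # Busy client with 300 connections but only two ports: high volume, not a scan.
    events += [(t0 + timedelta(seconds=i), "192.0.2.20", 443 if i % 2 else 80)
               for i in range(300)]
    # 40 ports at one per minute: never more than 10 distinct ports per window.
    events += [(t0 + timedelta(minutes=i), "192.0.2.30", 1000 + i) for i in range(40)]
    return events


if __name__ == "__main__":
    for ip, when in find_port_scanners(sample_events()).items():
        print(f"{ip} reached {PORT_THRESHOLD} distinct ports by {when.isoformat()}")
```

The third constructed client shows the limit of a fixed window: a scan paced at one port per minute stays under the threshold, so the window and threshold need tuning against the environment's normal traffic.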