Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1595 | Active Scanning |
Comments
The Azure Sentinel Analytics "Malformed user agent" query can detect hard-coded user-agent strings associated with some vulnerability scanning tools.
This control provides partial coverage for only one of this technique's sub-techniques, resulting in an overall score of Minimal.
References
|
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1595 | Active Scanning |
Comments
This control only provides detection for one of its two sub-techniques, resulting in an overall Minimal score.
References
|
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1595 | Active Scanning |
Comments
This control can protect web applications from active scanning by an adversary. Because this protection is specific to web applications (although frequent targets) and not other application types, it has been scored as Partial.
References
|
azure_firewall | Azure Firewall | technique_scores | T1595 | Active Scanning |
Comments
This control provides Partial protection for its sub-techniques resulting in an overall Partial score.
References
|
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1595.001 | Scanning IP Blocks | 1 |
T1595.002 | Vulnerability Scanning | 5 |