T1595.002 Vulnerability Scanning Mappings

Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).

View in MITRE ATT&CK®

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_sentinel Azure Sentinel technique_scores T1595.002 Vulnerability Scanning
Comments
The Azure Sentinel Analytics "High count of connections by client IP on many ports" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.
References
    azure_defender_for_app_service Azure Defender for App Service technique_scores T1595.002 Vulnerability Scanning
    Comments
    This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.
    References
      azure_web_application_firewall Azure Web Application Firewall technique_scores T1595.002 Vulnerability Scanning
      Comments
      Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).
      References
        azure_web_application_firewall Azure Web Application Firewall technique_scores T1595.002 Vulnerability Scanning
        azure_firewall Azure Firewall technique_scores T1595.002 Vulnerability Scanning
        Comments
        This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
        References