Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1595.002 | Vulnerability Scanning |
Comments
The Azure Sentinel Analytics "High count of connections by client IP on many ports" query can identify client IP addresses with 30 or more active ports used within a ten minute window, checked at a default frequency of once per hour, which may indicate scanning. Note that false positives are probable based on changes in usage patterns and/or misconfiguration, and this detection only works if scanning is not spread out over a longer timespan.
References
|
azure_defender_for_app_service | Azure Defender for App Service | technique_scores | T1595.002 | Vulnerability Scanning |
Comments
This control monitors for web fingerprinting tools including nmap and Blind Elephant, as well as scanners looking for vulnerability in applications like Drupal, Joomla, and WordPress. Temporal factor is unknown.
References
|
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1595.002 | Vulnerability Scanning |
Comments
Focuses on web vulnerability scanning of OWASP Core Rule Set (CRS).
References
|
azure_web_application_firewall | Azure Web Application Firewall | technique_scores | T1595.002 | Vulnerability Scanning | |
azure_firewall | Azure Firewall | technique_scores | T1595.002 | Vulnerability Scanning |
Comments
This control's threat intelligence-based filtering feature can be enabled to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Because this protection is limited to known malicious IP addresses and domains and does not provide protection from such attacks from unknown domains and IP addresses, this is scored as partial coverage resulting in an overall Partial score.
References
|