Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Scan network | Scan or footprint network | related-to | T1595 | Active Scanning | |
value_chain.targeting.variety.Organizational Information | Information on an organization such as org chart, technologies in use, financial assets, etc., used to pick them as a target | related-to | T1595 | Active Scanning | |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1595 | Active Scanning | Comments: GuardDuty documentation states that the service can flag such attempts under its Reconnaissance finding category: activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP. Note that this is from the perspective of the resources running in the AWS account: GuardDuty has several finding types that flag events that take place via a resource (e.g., EC2, IAM, S3), so scans that never reach a monitored resource produce no finding. |
amazon_inspector | Amazon Inspector | technique_scores | T1595 | Active Scanning | Comments: The Amazon Inspector Network Reachability assessment package can assess whether cloud/network components are exposed (e.g., publicly accessible from the Internet). Amazon Inspector does not directly protect cloud/network components; rather, it reports on the exposures it identifies, which can then be used to configure those components securely. Because of this, the score is capped at Partial. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1595 | Active Scanning | Comments: VPC security groups and network access control lists (NACLs) can be used to restrict inbound traffic, which can protect against active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because these controls filter on source IP addresses and CIDR ranges, the protection is limited to scans from known malicious addresses and does not cover scans originating from unknown addresses; this is scored as partial coverage, resulting in an overall Partial score. |
aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1595 | Active Scanning | Comments: AWS WAF can block scanners that run against web applications, such as Nessus (vulnerability assessments) and Nmap (IP address and port scans), among others. It does this by blocking traffic whose characteristics indicate known bad bots (e.g., User-Agent values). AWS WAF uses the following rule sets to provide this protection: AWSManagedRulesCommonRuleSet and AWSManagedRulesBotControlRuleSet. This is scored as Partial because the rule sets, while they block malicious traffic in near real time, only protect web applications against scans performed by bots that can be recognized as such; a scanner configured with an innocuous User-Agent is not caught by these signatures. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1595 | Active Scanning | Comments: AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol, as well as to perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. While this mapping supports all sub-techniques (2 of 2), it is given a score of Partial because it only protects against active scanning attacks that originate from outside the firewall and not from within the network protected by the firewall. |
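To make the GuardDuty and VPC comments above concrete, the following is an added example written for this page; it is not code from the ATT&CK mappings project, from AWS, or from MITRE. It runs a simple reconnaissance heuristic over VPC Flow Log records of the kind GuardDuty's port-probe and port-scan findings are built on (one source touching many ports on one host, or one port on many hosts, inside a short window) and then checks each detected source against a CIDR deny list, standing in for a NACL or security group rule, to show why an IP-list control only gives partial coverage. The flow log lines, the thresholds, and the `KNOWN_BAD_CIDRS` list are all constructed for the demonstration.

```python
"""Heuristic detection of T1595.001-style scanning in VPC Flow Logs.

Added example; not code from the mappings page, from AWS or from MITRE.
It mimics what a reconnaissance finding looks for: one source touching
many ports on one host (port scan) or one port on many hosts (host sweep)
inside a short window, then checks whether an IP-based deny list such as
a NACL rule would even have matched the source. Log lines, thresholds and
the deny list are all constructed for the demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed records in the default VPC Flow Log (version 2) layout:
# version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = "\n".join(
    # 198.51.100.7 probes ten TCP ports on 10.0.1.20 within 20 seconds
    [f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 {40000 + i} {p} 6 1 44 "
     f"{1700000000 + 2 * i} {1700000000 + 2 * i + 1} REJECT OK"
     for i, p in enumerate([21, 22, 23, 25, 80, 443, 445, 3306, 3389, 8080])]
    # 203.0.113.9 tries SSH against six hosts in 10.0.1.0/24
    + [f"2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.{h} {45000 + h} 22 6 1 44 "
       f"{1700000100 + h} {1700000100 + h + 1} REJECT OK" for h in range(1, 7)]
    # 10.0.2.5 makes three ordinary HTTPS connections (benign)
    + [f"2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.20 {50000 + i} 443 6 12 2400 "
       f"{1700000200 + 30 * i} {1700000200 + 30 * i + 5} ACCEPT OK" for i in range(3)]
)

# Hypothetical "known bad" ranges, standing in for a NACL deny rule.
KNOWN_BAD_CIDRS = ["198.51.100.0/24"]

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_flow_logs(text):
    """Parse version-2 flow log lines; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def detect_scans(records, window=60, min_ports=8, min_hosts=5):
    """Return {(src, kind, target): finding} for port scans and host sweeps.

    A sliding window of `window` seconds is run over each source's flows;
    within a window, >= min_ports distinct destination ports on one host is
    a port scan and >= min_hosts distinct hosts on one port is a host sweep.
    Both are reported as T1595.001 (Scanning IP Blocks).
    """
    findings = {}
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["srcaddr"]].append(rec)
    for src, flows in by_src.items():
        flows.sort(key=lambda r: r["start"])
        lo = 0
        for hi in range(len(flows)):
            while flows[hi]["start"] - flows[lo]["start"] > window:
                lo += 1
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for rec in flows[lo:hi + 1]:
                ports_by_host[rec["dstaddr"]].add(rec["dstport"])
                hosts_by_port[rec["dstport"]].add(rec["dstaddr"])
            candidates = [("port_scan", host, len(ports))
                          for host, ports in ports_by_host.items()
                          if len(ports) >= min_ports]
            candidates += [("host_sweep", f"port {port}", len(hosts))
                           for port, hosts in hosts_by_port.items()
                           if len(hosts) >= min_hosts]
            for kind, target, count in candidates:
                key = (src, kind, target)
                if key not in findings or findings[key]["count"] < count:
                    findings[key] = {"src": src, "kind": kind, "target": target,
                                     "count": count, "technique": "T1595.001"}
    return findings


def blocked_by_deny_list(src, deny_cidrs):
    """True if a CIDR-based control (NACL/security group) would drop this source."""
    addr = ip_address(src)
    return any(addr in ip_network(cidr) for cidr in deny_cidrs)


def triage(records, deny_cidrs, **thresholds):
    """Detect scans and annotate each with whether an IP list would have stopped it."""
    findings = []
    for finding in detect_scans(records, **thresholds).values():
        finding["blocked_by_ip_list"] = blocked_by_deny_list(finding["src"], deny_cidrs)
        findings.append(finding)
    return sorted(findings, key=lambda f: (f["src"], f["kind"]))


if __name__ == "__main__":
    for f in triage(parse_flow_logs(SAMPLE_FLOW_LOGS), KNOWN_BAD_CIDRS):
        print(f"{f['src']:>14} {f['kind']:<10} {f['target']:<10} "
              f"count={f['count']:<3} blocked_by_ip_list={f['blocked_by_ip_list']}")
```

Run against the constructed sample, the vertical scan from 198.51.100.7 and the SSH sweep from 203.0.113.9 are both reported, while the three benign HTTPS flows are not. Only the first source falls inside the deny list; the sweep comes from an address the list has never seen, which is exactly the gap the VPC mapping describes when it scores security groups and NACLs as Partial. A production detector would also key on the `REJECT` action ratio and on the ENI rather than a single source string, but the grouping logic is the same.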
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1595.001 | Scanning IP Blocks | 7 |
T1595.002 | Vulnerability Scanning | 9 |