Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check whether the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include broader attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).
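As an added illustration of the banner harvesting and version matching described above (example code written for this page, not part of ATT&CK or of any real scanner), the following Python parses a handful of constructed service banners into product and version and checks them against hypothetical exploit targeting profiles. The banners, addresses and profiles are all invented for the example; the profiles are not statements about real vulnerabilities in the named software.

```python
import re

# Constructed sample banners (not captured from any real host), keyed by
# (address, port), as a scanner would harvest them from listening services.
SAMPLE_BANNERS = {
    ("203.0.113.10", 22): b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    ("203.0.113.10", 80): b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.49 (Unix)\r\nContent-Length: 0\r\n\r\n",
    ("203.0.113.11", 25): b"220 mail.example.net ESMTP Postfix (Ubuntu)\r\n",
    ("203.0.113.11", 443): b"HTTP/1.1 403 Forbidden\r\nServer: nginx\r\n\r\n",
    ("203.0.113.12", 21): b"220 (vsFTPd 3.0.3)\r\n",
}

# Banner grammars for a few common services. Each regex yields a product and,
# where the service advertises one, a version string.
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-2\.0-(?P<product>[A-Za-z]+)_(?P<version>[0-9][0-9A-Za-z.]*)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z-]+)(?:/(?P<version>[0-9][0-9.]*))?", re.M)),
    ("smtp", re.compile(r"^220 .*?ESMTP (?P<product>[A-Za-z]+)(?: (?P<version>[0-9][0-9.]*))?")),
    ("ftp",  re.compile(r"^220 \((?P<product>[A-Za-z]+) (?P<version>[0-9][0-9.]*)\)")),
]

def parse_banner(raw):
    """Map one raw banner to {'protocol', 'product', 'version'}, or None if unrecognised."""
    text = raw.decode("ascii", errors="replace")
    for proto, pat in BANNER_PATTERNS:
        m = pat.search(text)
        if m:
            return {"protocol": proto, "product": m.group("product"), "version": m.group("version")}
    return None

def version_key(version):
    """Turn '8.2p1' or '2.4.49' into a comparable tuple of integers; None stays None."""
    if version is None:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", version))

# Hypothetical targeting profiles: the product/version range an adversary's exploit
# was written for. Constructed for the example; not claims about real vulnerabilities.
EXPLOIT_PROFILES = [
    {"name": "profile-A", "product": "Apache",  "min": "2.4.0", "max": "2.4.49"},
    {"name": "profile-B", "product": "OpenSSH", "min": "7.0",   "max": "7.9"},
    {"name": "profile-C", "product": "vsFTPd",  "min": "3.0.0", "max": "3.0.3"},
]

def build_inventory(banners):
    """Harvest (host, port) -> parsed banner for every banner that matched a grammar."""
    inv = {}
    for (host, port), raw in banners.items():
        parsed = parse_banner(raw)
        if parsed:
            inv[(host, port)] = parsed
    return inv

def match_profiles(inventory, profiles):
    """Return (host, port, profile name) for each service whose product and version fall
    inside a profile's range. Services that advertise no version are reported separately:
    guessing a version here is what produces scanner false positives."""
    hits, unversioned = [], []
    for (host, port), svc in inventory.items():
        vk = version_key(svc["version"])
        if vk is None:
            unversioned.append((host, port, svc["product"]))
            continue
        for p in profiles:
            if svc["product"] == p["product"] and version_key(p["min"]) <= vk <= version_key(p["max"]):
                hits.append((host, port, p["name"]))
    return hits, unversioned

if __name__ == "__main__":
    hits, unversioned = match_profiles(build_inventory(SAMPLE_BANNERS), EXPLOIT_PROFILES)
    for h in hits:
        print("candidate:", h)
    for u in unversioned:
        print("needs further fingerprinting:", u)
```

The unversioned bucket is the part worth noticing: a banner such as `Server: nginx` gives the scanner nothing to match against, which is why trimming version strings from banners (for example Apache's `ServerTokens Prod`) raises the cost of this technique even though it is not a control on its own.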
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other hacking enumerations, (such as XSS when an XSS vuln exists.). Parent of many hacking varieties. | related-to | T1595.002 | Active Scanning: Vulnerability Scanning | |
action.malware.variety.Exploit vuln | Exploit vulnerability in code (vs misconfig or weakness). This can be used with other malware enumerations, (such as Remote injection when a Remote injection vuln exists.) | related-to | T1595.002 | Active Scanning: Vulnerability Scanning | |
action.malware.variety.Scan network | Scan or footprint network | related-to | T1595.002 | Active Scanning: Vulnerability Scanning | |
value_chain.targeting.variety.Organizational Information | Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target | related-to | T1595.002 | Active Scanning: Vulnerability Scanning | |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1595.002 | Vulnerability Scanning | GuardDuty has finding types for both directions of scanning: an EC2 instance in the account being probed on an unprotected port (Recon:EC2/PortProbeUnprotectedPort, Recon:EC2/PortProbeEMRUnprotectedPort) and an EC2 instance itself performing outbound port scans or port sweeps against other hosts (Recon:EC2/Portscan, Impact:EC2/PortSweep). |
amazon_inspector | Amazon Inspector | technique_scores | T1595.002 | Vulnerability Scanning | The Amazon Inspector Network Reachability assessment package can assess whether cloud/network components are exposed (e.g., publicly reachable from the Internet). Amazon Inspector does not directly protect cloud/network components; it reports the vulnerabilities it identifies so that the components can then be configured securely. Because of this, the score is capped at Partial. |
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1595.002 | Vulnerability Scanning | VPC security groups and network access control lists (NACLs) can restrict inbound traffic by source address, protocol and port, which limits exposure to active scanning techniques such as Scanning IP Blocks and/or Vulnerability Scanning. Because these filters only block sources and ports that are explicitly denied or not allowed, and cannot distinguish a scanner from a legitimate client on a port that must stay open, this is scored as partial coverage, resulting in an overall Partial score. |
aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1595.002 | Vulnerability Scanning | AWS WAF can block requests from tools that scan web applications, such as Nessus (vulnerability assessment) and Nmap (IP address and port scanning), among others. It does this by blocking traffic whose characteristics indicate a bad bot (e.g., a User-Agent value naming one of those tools), using the following managed rule groups: AWSManagedRulesCommonRuleSet and AWSManagedRulesBotControlRuleSet. This is scored as Partial because the rule groups, while they block matching traffic in near real time, only protect web applications, and only against scanners that identify themselves; a scanner that presents a browser User-Agent is not caught by the signature match. |
aws_network_firewall | AWS Network Firewall | technique_scores | T1595.002 | Vulnerability Scanning | AWS Network Firewall can pass, drop, or alert on traffic based on the network protocol and can perform deep packet inspection on the payload. This functionality can be used to restrict access to the endpoints within the virtual private cloud and protect against active scanning. This mapping is given a score of Partial because it only protects against active scanning that originates outside the firewall, not scanning from within the network the firewall protects. |
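The two detection signals in the table, GuardDuty's scan-related finding types and WAF's scanner User-Agent matching, can be checked against an account's own telemetry. The following Python is an added example written for this page, not AWS code: it reads constructed GuardDuty findings (field names follow the GuardDuty finding JSON schema, values are invented) and constructed combined-format access log lines, separates instances being probed from instances doing the probing, and merges both signals per external source address. The scanner signature list is an assumption modelled on what the bad-bot rule in AWSManagedRulesCommonRuleSet looks for, not the rule's actual pattern.

```python
import json
import re
from collections import defaultdict

# GuardDuty finding types named in the mapping table that indicate port probing or scanning.
SCAN_FINDING_TYPES = {
    "Recon:EC2/PortProbeEMRUnprotectedPort",
    "Recon:EC2/PortProbeUnprotectedPort",
    "Recon:EC2/Portscan",
    "Impact:EC2/PortSweep",
}

# Constructed GuardDuty findings, trimmed to the fields this script reads. The layout
# (type, resource.instanceDetails, service.action.*) follows the GuardDuty finding
# schema; instance IDs and addresses are invented for the example.
SAMPLE_FINDINGS = json.loads("""[
 {"type": "Recon:EC2/Portscan", "severity": 5,
  "resource": {"instanceDetails": {"instanceId": "i-0aaa111"}},
  "service": {"action": {"actionType": "NETWORK_CONNECTION",
   "networkConnectionAction": {"connectionDirection": "OUTBOUND",
    "remoteIpDetails": {"ipAddressV4": "203.0.113.200"}}}}},
 {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
  "resource": {"instanceDetails": {"instanceId": "i-0bbb222"}},
  "service": {"action": {"actionType": "PORT_PROBE",
   "portProbeAction": {"portProbeDetails": [
    {"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}, "localPortDetails": {"port": 22}},
    {"remoteIpDetails": {"ipAddressV4": "192.0.2.44"}, "localPortDetails": {"port": 3389}}]}}}},
 {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
  "resource": {"instanceDetails": {"instanceId": "i-0ccc333"}},
  "service": {"action": {"actionType": "NETWORK_CONNECTION",
   "networkConnectionAction": {"connectionDirection": "INBOUND",
    "remoteIpDetails": {"ipAddressV4": "192.0.2.99"}}}}}
]""")

# Constructed access log lines (combined log format). The scanner names in the
# User-Agent are the kind of signal WAF's bad-bot rule keys on.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nessus)"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed scanner signature list; modelled on, not copied from, the managed rule.
BAD_BOT_UA = re.compile(r"nessus|nmap|nikto|sqlmap|masscan|zgrab|openvas", re.I)

def scan_sources_from_findings(findings):
    """Split scan-related GuardDuty findings into external sources (who probed us) and
    instances in the account that are themselves scanning. Other finding types are ignored."""
    external, internal = defaultdict(list), defaultdict(list)
    for f in findings:
        if f["type"] not in SCAN_FINDING_TYPES:
            continue
        instance = f["resource"]["instanceDetails"]["instanceId"]
        action = f["service"]["action"]
        if action["actionType"] == "PORT_PROBE":
            for d in action["portProbeAction"]["portProbeDetails"]:
                ip = d["remoteIpDetails"]["ipAddressV4"]
                external[ip].append(f"{f['type']} probed {instance}:{d['localPortDetails']['port']}")
        elif action["actionType"] == "NETWORK_CONNECTION":
            nca = action["networkConnectionAction"]
            ip = nca["remoteIpDetails"]["ipAddressV4"]
            if nca.get("connectionDirection") == "OUTBOUND":
                internal[instance].append(f"{f['type']} towards {ip}")
            else:
                external[ip].append(f"{f['type']} against {instance}")
    return dict(external), dict(internal)

def scan_sources_from_access_log(log_text):
    """Flag client IPs whose User-Agent matches a scanner signature. Caveat: a scanner
    can send any User-Agent, so an empty result is not evidence of absence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bot = BAD_BOT_UA.search(m.group("ua"))
        if bot:
            hits[m.group("ip")].append(f"{bot.group(0)} UA on {m.group('req')} -> {m.group('status')}")
    return dict(hits)

def correlate(findings, log_text):
    """Merge both signals per external IP so an analyst sees every indication at once."""
    external, internal = scan_sources_from_findings(findings)
    merged = defaultdict(list)
    for src in (external, scan_sources_from_access_log(log_text)):
        for ip, evidence in src.items():
            merged[ip].extend(evidence)
    return dict(merged), internal

if __name__ == "__main__":
    merged, internal = correlate(SAMPLE_FINDINGS, SAMPLE_ACCESS_LOG)
    for ip, ev in merged.items():
        print(ip, "->", "; ".join(ev))
    for inst, ev in internal.items():
        print("own instance scanning:", inst, "->", "; ".join(ev))
```

Only scanners that announce themselves appear in the access-log half of the output; the GuardDuty half does not depend on the User-Agent at all, which is the reason the two signals are worth correlating rather than relying on either alone. The outbound case (an instance in the account doing the scanning) is reported separately because it is an incident in its own right, not a perimeter event.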