T1595 Active Scanning Mappings

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.malware.variety.Scan network Scan or footprint network related-to T1595 Active Scanning
value_chain.targeting.variety.Organizational Information Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target related-to T1595 Active Scanning
amazon_guardduty Amazon GuardDuty technique_scores T1595 Active Scanning
amazon_inspector Amazon Inspector technique_scores T1595 Active Scanning
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1595 Active Scanning
aws_web_application_firewall AWS Web Application Firewall technique_scores T1595 Active Scanning
aws_network_firewall AWS Network Firewall technique_scores T1595 Active Scanning

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1595.001 Scanning IP Blocks 7
T1595.002 Vulnerability Scanning 9