T1595: Active Scanning

Data from MITRE ATT&CK®:

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

PUA - PingCastle Execution

windows process creation

PUA - PingCastle Execution From Potentially Suspicious Parent

windows process creation