T1046: Network Service Discovery
| View on MITRE ATT&CK | T1046 |
|---|---|
| Tactic(s) | Discovery |
| Associated CAPEC Patterns | Port Scanning (CAPEC-300) |
Data from MITRE ATT&CK®:
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
Following an initial advisory issued in May 2023, this advisory from CISA, NSA and partners outlines information on the broader campaign of cyber ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
From OneNote to RansomNote: An Ice Cold Intrusion
This case report from The DFIR Report describes an intrusion which started with a malicious OneNote attachment. Opening the OneNote file led to ...
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Cloud Service Enumeration (Cloud Service)
An extracted list of cloud services (ex: AWS ECS ListServices)Network Traffic Flow (Network Traffic)
Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
WinPwn - MS17-10
WinPwn - fruit
Network Service Discovery for Containers
Port Scan NMap for Windows
WinPwn - spoolvulnscan
WinPwn - bluekeep
Port Scan
Port Scan Nmap
Port Scan using python
Port-Scanning /24 Subnet with PowerShell
Sigma Detections for this Technique
MacOS Network Service Scanning
PUA - Nmap/Zenmap Execution
HackTool - winPEAS Execution
HackTool - WinPwn Execution - ScriptBlock
Advanced IP Scanner - File Event
HackTool - WinPwn Execution
PUA - Advanced Port Scanner Execution
PUA - Advanced IP Scanner Execution
Python Initiated Connection
Linux Network Service Scanning Tools Execution
Linux Network Service Scanning - Auditd
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.