Active Scanning: Vulnerability Scanning

ID          Name
VT0006.001  Scanning IP Blocks
VT0006.002  Vulnerability Scanning

Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check whether the configuration of a target host/application (ex: software and version) is potentially vulnerable and could be exploited by the adversary.

These scans include attempts to gather information that can be used to identify commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.[1]

Information from these scans may reveal opportunities for Resource Development (ex: Develop Capabilities or Obtain Capabilities) and Initial Access (ex: Exploit Public-Facing Application).[2]

Mitigations

Mitigation: Pre-compromise

Description: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as the HTTP/S referer or user-agent fields.
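As an added example (not part of the original page), the Python script below applies the detection idea above to web-server access logs: it parses combined-format lines, groups requests by source address, and flags a source when its request rate, the breadth of distinct paths it probes, its error ratio, or its user-agent string fits the scanning pattern described. The log lines, IP addresses, thresholds, user-agent tokens and the allowlist of authorized internal scanners are all constructed for this example and are not from the original page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lower-case substrings of user-agent strings that common scanning tools send by default
# (constructed list for the example; extend from your own telemetry).
SCANNER_UA_TOKENS = ("nmap", "nikto", "masscan", "zgrab")

# Constructed: an authorized internal scanner whose probes are expected and should not alert.
AUTHORIZED_SCANNERS = frozenset({"10.0.0.5"})


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def _max_in_window(events, window_seconds):
    """Largest number of events from one source that fall inside any window_seconds span."""
    times = sorted(e["ts"] for e in events)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, *, window_seconds=60, min_requests=20, min_distinct_paths=10,
            error_ratio=0.5, allowlist=frozenset()):
    """Return {source_ip: [reasons]} for sources whose traffic looks like vulnerability scanning.

    A source is flagged when its user-agent carries a known scanner token, or when a burst of
    min_requests within window_seconds is combined with either many distinct paths or a high
    share of 4xx/5xx responses (probing for paths that mostly do not exist).
    """
    per_source = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_source[ev["ip"]].append(ev)

    findings = {}
    for ip, events in per_source.items():
        if ip in allowlist:
            continue
        reasons = []
        burst = _max_in_window(events, window_seconds)
        volume = burst >= min_requests
        if volume:
            reasons.append(f"{burst} requests within {window_seconds}s")
        paths = {e["path"] for e in events}
        if len(paths) >= min_distinct_paths:
            reasons.append(f"{len(paths)} distinct paths probed")
        ratio = sum(1 for e in events if e["status"] >= 400) / len(events)
        if ratio >= error_ratio:
            reasons.append(f"{ratio:.0%} of responses were 4xx/5xx")
        ua_hits = sorted({tok for e in events for tok in SCANNER_UA_TOKENS if tok in e["ua"].lower()})
        if ua_hits:
            reasons.append("scanner user-agent token(s): " + ", ".join(ua_hits))
        if ua_hits or (volume and (len(paths) >= min_distinct_paths or ratio >= error_ratio)):
            findings[ip] = reasons
    return findings


# --- Constructed sample log (not real traffic): one external scanner, one authorized internal
# --- scanner, and one ordinary browser session, all within a one-minute window.
PROBE_PATHS = ["/admin/", "/phpmyadmin/", "/.env", "/wp-login.php", "/.git/config", "/manager/html",
               "/cgi-bin/test.cgi", "/server-status", "/console", "/actuator/health", "/api/v1/users",
               "/backup.zip", "/config.php", "/login", "/xmlrpc.php", "/robots.txt", "/.htaccess",
               "/jmx-console", "/solr/admin", "/elmah.axd", "/phpinfo.php", "/owa/", "/ecp/", "/vpn/",
               "/remote/login"]
SCANNER_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/83.0"


def _line(ip, second, path, status, ua, referer="-"):
    return f'{ip} - - [10/Dec/2020:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" {status} 153 "{referer}" "{ua}"'


SAMPLE_LINES = (
    [_line("203.0.113.7", i, p, 200 if p == "/robots.txt" else 404, SCANNER_UA) for i, p in enumerate(PROBE_PATHS)]
    + [_line("10.0.0.5", i, p, 404, "internal-vuln-scanner/1.0") for i, p in enumerate(PROBE_PATHS)]
    + [_line("198.51.100.20", 5 + i, p, 200, BROWSER_UA, "https://www.example.com/")
       for i, p in enumerate(["/", "/index.html", "/about", "/contact", "/"])]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LINES, allowlist=AUTHORIZED_SCANNERS).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds and the allowlist exist because, as the page notes, this activity carries a high false-positive rate: an authorized internal scanner trips exactly the same volume and error-ratio logic as an external one, so the authorized source set has to be maintained alongside the rule, and the thresholds should be tuned against the organization's own baseline traffic before alerting on them.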

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

ID: VT0006.002
Sub-techniques:
Tactic: Reconnaissance
Platforms: PRE
Data Sources: Network device logs, Packet capture
Version: 1.0

Created: 09 December 2020

Last Modified: 20 December 2020