Active Scanning: Vulnerability Scanning

ID          Name
VT0006.001  Scanning IP Blocks
VT0006.002  Vulnerability Scanning

Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check whether the configuration of a target host/application (ex: software and version) is potentially vulnerable, and therefore exploitable by the adversary.

These scans include attempts to gather information that can be used to identify commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest the software running on a host and its version numbers via server banners, listening ports, or other network artifacts.[1]
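To make concrete what such a scan harvests, the following is an added example, not code from the original page or from any real scanner. It parses constructed SSH, FTP and HTTP banners into (product, version) pairs; the banner layouts follow RFC 4253 (SSH identification string), RFC 959 (FTP reply codes) and the HTTP Server / X-Powered-By response headers, while the function names, sample strings and port numbers are the example's own. Mapping the harvested pairs to known vulnerabilities is the scanner's next step and is not shown.

```python
"""Added example (not part of the original technique page or any real scanner):
parse the service banners a vulnerability scan harvests into (product, version)
pairs. Banner layouts follow RFC 4253 (SSH identification string), RFC 959
(FTP reply) and HTTP response headers; the sample strings are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

Fingerprint = Tuple[str, Optional[str]]  # (product, version or None if undisclosed)

# Constructed sample banners keyed by listening port (not captured from a real host).
SAMPLE_BANNERS: Dict[int, str] = {
    22: "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    21: "220 (vsFTPd 3.0.3)",
    80: (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.4.49 (Unix) OpenSSL/1.1.1k PHP/7.4.3\r\n"
        "X-Powered-By: PHP/7.4.3\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    8080: "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
}

# "Apache/2.4.49", "OpenSSH_8.4p1": product joined to a version by "/" or "_".
_PRODUCT_VERSION = re.compile(r"([A-Za-z][A-Za-z0-9.+-]*)[/_](\d[\w.-]*)")
_PAREN_COMMENT = re.compile(r"\([^)]*\)")
_REPLY_CODE = re.compile(r"^\d{3}[ -]")  # "220 " / "220-" in FTP and SMTP greetings
_VERSION_HEADERS = ("server", "x-powered-by")


def _fingerprints(text: str, drop_comments: bool) -> List[Fingerprint]:
    """Turn 'Apache/2.4.49 (Unix) OpenSSL/1.1.1k' or 'vsFTPd 3.0.3' into pairs.
    HTTP Server comments such as '(Unix)' are dropped; FTP wraps the whole
    product string in parentheses, so there only the parentheses are removed."""
    text = _PAREN_COMMENT.sub(" ", text) if drop_comments else text.replace("(", " ").replace(")", " ")
    tokens = text.split()
    found: List[Fingerprint] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = _PRODUCT_VERSION.fullmatch(tok)
        if m:
            found.append((m.group(1), m.group(2)))
        elif tok[0].isalpha():
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt[:1].isdigit():          # "vsFTPd 3.0.3": version is the next token
                found.append((tok, nxt))
                i += 1
            else:                          # "nginx": product disclosed without a version
                found.append((tok, None))
        i += 1
    return found


def parse_ssh(banner: str) -> List[Fingerprint]:
    """SSH-protoversion-softwareversion [SP comments] (RFC 4253 section 4.2)."""
    ident = banner.partition(" ")[0]
    parts = ident.split("-", 2)
    return _fingerprints(parts[2], drop_comments=False) if len(parts) == 3 else []


def parse_http(response: str) -> List[Fingerprint]:
    """Version-bearing response headers; the status line is skipped."""
    head = response.split("\r\n\r\n", 1)[0]
    found: List[Fingerprint] = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in _VERSION_HEADERS:
            found.extend(_fingerprints(value.strip(), drop_comments=True))
    return found


def parse_greeting(banner: str) -> List[Fingerprint]:
    """Text protocols that greet with a numeric reply code (FTP, SMTP)."""
    first_line = banner.splitlines()[0] if banner else ""
    return _fingerprints(_REPLY_CODE.sub("", first_line), drop_comments=False)


def harvest(banner: str) -> List[Fingerprint]:
    """Dispatch on the banner's shape, not the port: services may listen anywhere."""
    if banner.startswith("SSH-"):
        found = parse_ssh(banner)
    elif banner.startswith("HTTP/"):
        found = parse_http(banner)
    elif _REPLY_CODE.match(banner):
        found = parse_greeting(banner)
    else:
        found = []
    return list(dict.fromkeys(found))  # dedupe (PHP appears in two headers), keep order


def harvest_all(banners: Dict[int, str]) -> Dict[int, List[Fingerprint]]:
    return {port: harvest(b) for port, b in banners.items()}


if __name__ == "__main__":
    for port, pairs in sorted(harvest_all(SAMPLE_BANNERS).items()):
        print(port, pairs)
```

The dispatch keys on the banner text rather than the port number because a service can listen on any port; the same logic is also why the defensive counterpart (trimming Server headers, disabling X-Powered-By, shortening the SSH version string) reduces what a scan can harvest without hiding the service itself.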

Information from these scans may reveal opportunities to establish operational resources during Resource Development (ex: Develop Capabilities or Obtain Capabilities) and to gain Initial Access (ex: Exploit Public-Facing Application).[2]


Mitigation Description

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.


Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities of requests or connection attempts originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as the Referer or User-Agent fields of HTTP/S requests.
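The monitoring approach described above, as an added example that is not part of the original page: a small Python detector run over constructed web server access-log lines (Apache/nginx combined format). It flags a source on three signals, a burst of requests inside a short window, a high share of 4xx responses (scanners probe paths that do not exist; this heuristic is the example's addition), and a User-Agent matching a scanner default. The thresholds, the marker list and the sample log lines are assumptions; addresses are taken from the RFC 5737 documentation ranges.

```python
"""Added example (not part of the original technique page): flag likely
vulnerability-scanning activity in web server access logs using the two
signals named in the detection text, request volume from a single source
and HTTP metadata (User-Agent / Referer), plus a 4xx-ratio heuristic.
Log lines are constructed; addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Thresholds are assumptions, set low so the small sample below trips them; tune per site.
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 6          # requests from one source inside WINDOW
ERROR_RATIO_THRESHOLD = 0.5  # share of 4xx responses (scanners probe paths that do not exist)
MIN_REQUESTS_FOR_RATIO = 5   # do not judge a ratio on one or two requests
# Substrings of the default User-Agent of some common scanners; a starter list only.
# Trivially changed by the adversary, so treat a match as corroboration, not proof.
SCANNER_UA_MARKERS = ("nmap scripting engine", "nikto", "sqlmap", "masscan", "nuclei")

SCANNER_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/118.0"
PROBE_PATHS = ["/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/",
               "/admin/", "/server-status", "/cgi-bin/test.cgi", "/backup.zip"]

# Constructed sample: one source sweeps eight likely-vulnerable paths in eight seconds,
# another browses normally and hits one dead link.
SAMPLE_LOG: List[str] = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{30 + i:02d} +0000] "GET {p} HTTP/1.1" 404 196 "-" "{SCANNER_UA}"'
    for i, p in enumerate(PROBE_PATHS)
] + [
    f'198.51.100.20 - - [10/Oct/2023:13:40:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "{BROWSER_UA}"',
    f'198.51.100.20 - - [10/Oct/2023:13:47:12 +0000] "GET /docs/ HTTP/1.1" 200 2048 "https://www.example.test/" "{BROWSER_UA}"',
    f'198.51.100.20 - - [10/Oct/2023:13:58:45 +0000] "GET /old-page HTTP/1.1" 404 196 "https://www.example.test/docs/" "{BROWSER_UA}"',
]


class Request(NamedTuple):
    src: str
    ts: datetime
    path: str
    status: int
    referer: str
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Request(m["src"], ts, m["path"], int(m["status"]), m["referer"], m["ua"])


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of timestamps inside any span of length `window` (two pointers)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious source address to the reasons it was flagged."""
    by_src: Dict[str, List[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is not None:
            by_src[req.src].append(req)

    findings: Dict[str, List[str]] = {}
    for src, reqs in by_src.items():
        reasons: List[str] = []
        burst = max_in_window([r.ts for r in reqs], WINDOW)
        if burst >= BURST_THRESHOLD:
            reasons.append(f"burst: {burst} requests within {int(WINDOW.total_seconds())}s")
        if len(reqs) >= MIN_REQUESTS_FOR_RATIO:
            errors = sum(1 for r in reqs if 400 <= r.status < 500)
            if errors / len(reqs) >= ERROR_RATIO_THRESHOLD:
                reasons.append(f"error_ratio: {errors}/{len(reqs)} responses were 4xx")
        if any(marker in r.ua.lower() for r in reqs for marker in SCANNER_UA_MARKERS):
            reasons.append("scanner_ua: User-Agent matches a scanner default")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG).items():
        print(src, *reasons, sep="\n  ")
```

In the sample only the sweeping source is flagged, on all three counts; the browsing user's single 404 stays below both the burst and the ratio thresholds. Volume and error-ratio signals survive a changed User-Agent, so a production rule should weight them above the marker match.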

Much of this activity occurs at a very high rate with a correspondingly high false positive rate, and it may take place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.



Data Sources
Network device logs
Packet capture

Created: 09 December 2020

Last Modified: 20 December 2020