|APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.
|APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.
|APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.
|Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.
|BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.
|BlackEnergy has conducted port scans on a host.
|BlackTech has used the SNScan tool to find other potential targets on victim networks.
|Brute Ratel C4
|Brute Ratel C4 can conduct port scanning against targeted systems.
|During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.
|Caterpillar WebShell has a module to use a port scanner on a system.
|Chimera has used the
get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.
|China Chopper‘s server component can spider authentication portals.
|Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.
|Cobalt Strike can perform port scans from an infected host.
|Conficker scans for other machines to infect.
|During CostaRicto, the threat actors employed nmap and pscan to scan target environments.
|DarkVishnya performed port scanning to obtain the list of active services.
|Empire can perform port scans from an infected host.
|FIN6 used publicly available tools (including Microsoft’s built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.
|Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.
|HDoor scans to identify open ports on the victim.
|HermeticWizard has the ability to scan ports on a compromised network.
|Hildegard has used masscan to look for kubelets in the internal Kubernetes network.
|Industroyer uses a custom port scanner to map out a network.
|InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.
|Koadic can scan for open TCP ports on the target network.
|Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.
|Leafminer scanned network services to search for vulnerabilities in the victim system.
|Lucifer can scan for open ports including TCP ports 135 and 1433.
|Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.
|menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.
|MURKYTOP has the capability to scan for open ports on hosts in a connected network.
|Naikon has used the LadonGo scanner to scan target networks.
|NBTscan can be used to scan IP networks.
|OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.
|During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers.
|P.A.S. Webshell can scan networks for open ports and listening services.
|Peirates can initiate a port scan against a given IP address.
|PoshC2 can perform port scans from an infected host.
|Pupy has a built-in module for port scanning.
|Pysa can perform network reconnaissance using the Advanced Port Scanner tool.
|Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.
|Remsec has a plugin that can perform ARP scanning as well as port scanning.
|Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.
|Royal can scan the network interfaces of targeted systems.
|SILENTTRINITY can scan for open ports on a compromised machine.
|SpeakUp checks for availability of specific ports on servers.
|Suckfly the victim’s internal network for hosts with ports 8080, 5900, and 40 open.
|TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.
|Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.
|Tropic Trooper used
pr and an openly available tool to scan for open ports on target systems.
|Xbash can perform port scanning of TCP and UDP ports.
|XTunnel is capable of probing the network for open ports.
|ZxShell can launch port scans.