T1423 Network Service Scanning
Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device’s access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).
| Item | Value |
|---|---|
| ID | T1423 |
| Sub-techniques | |
| Tactics | TA0032 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1185 | LightSpy | LightSpy uses the landevices module to enumerate devices on the same WiFi network through active scanning.312 |
References
-
Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy’s iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025. ↩
-
Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025. ↩
-
ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025. ↩