T1595.002 Vulnerability Scanning
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.1 Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).
| Item | Value |
|---|---|
| ID | T1595.002 |
| Sub-techniques | T1595.001, T1595.002, T1595.003 |
| Tactics | TA0043 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 02 October 2020 |
| Last Modified | 15 April 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0007 | APT28 | APT28 has performed large-scale scans in an attempt to find vulnerable servers.6 |
| G0016 | APT29 | APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.8 |
| G0143 | Aquatic Panda | Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE 2021-44228).10 |
| G0035 | Dragonfly | Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.2 |
| G0059 | Magic Hound | Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to Log4j (CVE-2021-44228).7 |
| G0034 | Sandworm Team | Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.9 |
| G0139 | TeamTNT | TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.5 |
| G0123 | Volatile Cedar | Volatile Cedar has performed vulnerability scans of the target server.34 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content |
References
-
OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020. ↩
-
CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. ↩
-
Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. ↩
-
ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. ↩
-
Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. ↩
-
Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. ↩
-
Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. ↩
-
NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021. ↩
-
Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. ↩
-
Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. ↩