Skip to content

T1595 Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.12 Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

Item Value
ID T1595
Sub-techniques T1595.001, T1595.002, T1595.003
Tactics TA0043
Platforms PRE
Version 1.0
Created 02 October 2020
Last Modified 24 October 2025

Procedure Examples

ID Name Description
C0030 Triton Safety Instrumented System Attack In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.3

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

References

  1. Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from a Botnet. Retrieved October 20, 2020. 

  2. OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020. 

  3. FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.