T1046: Network Service Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host's registered services on the network. For example, adversaries can use an mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Rule package | Rule ID | Rule name | Description
---|---|---|---
unix_mitre_attck_discovery | PT-CR-1789 | Unix_MsLDAPDump_Usage | Attackers can download information from AD and use it to progress the attack
mitre_attck_discovery | PT-CR-326 | Network_Service_Discovery_From_Localnet | An attempt to scan specific ports (22, 21, 23, 135, 445, 1433, 1434, 3306, 3389, 5800, 5900, 5958, 5986) of several hosts is detected
mitre_attck_discovery | PT-CR-590 | Port_Scan_From_Localnet_To_Different_Hosts | An attempt to scan many ports of several hosts is detected
mitre_attck_discovery | PT-CR-327 | Port_Scan_From_Localnet_To_Single_Host | An attempt to retrieve a list of open ports of a host is detected
network_devices_compromise | PT-CR-569 | CheckPoint_SmartConsole_Attempt_To_Connect | An attempt to connect with the CheckPoint SmartConsole utility from an untrusted host is detected
network_devices_compromise | PT-CR-573 | MikroTik_Winbox_Untrusted_Connection | An attempt to connect to MikroTik from an untrusted host with the WinBox utility is detected
mitre_attck_command_and_control | PT-CR-428 | Possible_Network_Local_Tunnel | Attempt to connect to a remote host using a tunnel. This may indicate that the tunnel is being used for network reconnaissance, accessing local resources, or lateral movement.
active_directory_attacks | PT-CR-828 | ADCS_Recon | An LDAP query to search for certificate servers in the network was executed. Attackers can exploit AD CS to steal credentials and gain persistence in the system.
hacking_tools | PT-CR-2244 | SOAPHound_Usage | SOAPHound was used, which is a tool that collects Active Directory data via the Active Directory Web Services (ADWS) protocol
hacking_tools | PT-CR-2118 | AdPEAS_Usage | The adPEAS script for domain reconnaissance was started
postgresql_database | PT-CR-1834 | PostgreSQL_Port_Scan | An attacker can scan the internal hosts of the infrastructure using regular database functions
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments that may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. When a host/port/service scan is performed from a compromised machine, a single machine makes multiple calls to other hosts in the network to identify live hosts and services. After compromising an initial machine, adversaries commonly attempt to move laterally across the network; the first step of that Lateral Movement often involves host identification and port and service scans on the internal network via the compromised machine, using tools such as Nmap, Cobalt Strike, etc. This can be detected using the query in Analytic 1 - Identifying Port Scanning Activity.
DS0025 | Cloud Service: Cloud Service Enumeration | Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.
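The DS0029 guidance above (one source making many connections to other hosts) and the three MaxPatrol SIEM port-scan rules listed earlier (PT-CR-327 for many ports on one host, PT-CR-590 for many ports on several hosts, PT-CR-326 for a fixed set of service ports across several hosts) all reduce to the same aggregation: group flows by source within a time window and look at how many targets and how many distinct destination ports each source touched. The script below is an added example, not code from MITRE or Positive Technologies; the flow record format (ts,src,dst,dport), the 60-second window, the thresholds, and the sample flows are all constructed assumptions, while the service-port set is the one quoted in the PT-CR-326 description.

```python
"""Flag sources whose outbound flows look like port scans or service sweeps.

Added illustration: aggregates constructed flow records per source inside a
fixed time window and classifies them in the spirit of the detection rules
described on this page. Record format, window and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports quoted by the PT-CR-326 rule description on this page.
SERVICE_PORTS = {22, 21, 23, 135, 445, 1433, 1434, 3306, 3389, 5800, 5900, 5958, 5986}

WINDOW_SECONDS = 60          # aggregation window (assumed)
MIN_PORTS_ONE_HOST = 10      # distinct ports on one target before it counts as a scan (assumed)
MIN_HOSTS = 5                # distinct targets before it counts as a sweep (assumed)
MIN_PORTS_MANY_HOSTS = 20    # distinct ports across several targets for a wide scan (assumed)


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse constructed 'ts,src,dst,dport' lines; comments and malformed lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def detect_scans(flows):
    """Return {(src, window_start): [label, ...]} for sources that trip a threshold."""
    # (src, window_start) -> dst -> set of destination ports seen
    agg = defaultdict(lambda: defaultdict(set))
    for f in flows:
        window_start = f.ts - f.ts % WINDOW_SECONDS
        agg[(f.src, window_start)][f.dst].add(f.dport)

    findings = {}
    for key, per_dst in agg.items():
        labels = []
        all_ports = set().union(*per_dst.values())
        # PT-CR-327 analogue: one target, many distinct ports.
        if any(len(ports) >= MIN_PORTS_ONE_HOST for ports in per_dst.values()):
            labels.append("port_scan_single_host")
        if len(per_dst) >= MIN_HOSTS:
            # PT-CR-590 analogue: several targets, many distinct ports overall.
            if len(all_ports) >= MIN_PORTS_MANY_HOSTS:
                labels.append("port_scan_multiple_hosts")
            # PT-CR-326 analogue: several targets probed on the well-known service ports.
            service_targets = [d for d, ports in per_dst.items() if ports & SERVICE_PORTS]
            if len(service_targets) >= MIN_HOSTS:
                labels.append("network_service_discovery")
        if labels:
            findings[key] = labels
    return findings


def constructed_flows():
    """Constructed sample: one benign client, one single-host scan, one service sweep."""
    base = 1700000000
    lines = ["# ts,src,dst,dport (constructed sample, not real traffic)"]
    # Benign: 10.0.0.7 talks to a web server and a mail server a few times.
    lines += [f"{base + i},10.0.0.7,10.0.1.25,443" for i in range(3)]
    lines.append(f"{base + 5},10.0.0.7,10.0.1.26,25")
    # Single-host scan: 10.0.0.5 walks ports 1..15 on 10.0.1.20 within one window.
    lines += [f"{base + i},10.0.0.5,10.0.1.20,{p}" for i, p in enumerate(range(1, 16))]
    # Service sweep: 10.0.0.9 probes 445 and 3389 on six different hosts.
    lines += [f"{base + 20 + i},10.0.0.9,10.0.1.{30 + i},{p}"
              for i in range(6) for p in (445, 3389)]
    return lines


if __name__ == "__main__":
    for (src, window_start), labels in sorted(detect_scans(parse_flows(constructed_flows())).items()):
        print(f"{src} window@{window_start}: {', '.join(labels)}")
```

In production the thresholds are the whole tuning problem: monitoring and backup hosts legitimately touch many peers on a few ports, so an allowlist of known scanners and a higher MIN_HOSTS for them keeps the sweep label meaningful, while the single-host label stays sharp because ordinary clients rarely need more than a handful of ports on one server inside a minute.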
Mitigation
ID | Name | Description
---|---|---
M1031 | Network Intrusion Prevention | Use network intrusion detection/prevention systems to detect and prevent remote service scans.
M1030 | Network Segmentation | Ensure proper network segmentation is followed to protect critical servers and devices.
M1042 | Disable or Remove Feature or Program | Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
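A practical way to act on the M1042 mitigation is to compare what a host actually listens on with the ports it is meant to expose. The script below is an added example, not part of the ATT&CK or Positive Technologies material: it parses the output of the iproute2 command ss -tlnp (the sample output here is constructed), ignores sockets bound only to loopback because they are not reachable from the network, and reports every remaining listener whose port is not on an allowlist; the allowlist itself is an assumption for the example.

```python
"""Report network-reachable TCP listeners that are not on an allowlist.

Added illustration for the "Disable or Remove Feature or Program" mitigation.
Parses `ss -tlnp` output; the sample output and the allowlist are constructed.
"""
import re

# Bind addresses that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
# Process name inside ss's users:(("name",pid=...,fd=...)) column.
PROC_RE = re.compile(r'\("([^"]+)"')

# Constructed `ss -tlnp` output for the example (not a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=990,fd=6))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1201,fd=5))
LISTEN 0      50     0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=2210,fd=7))
LISTEN 0      128    [::1]:631           [::]:*            users:(("cupsd",pid=640,fd=8))
"""


def parse_ss_listeners(text):
    """Return (bind_addr, port, process) for every LISTEN row; the header is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is column 4; split on the last colon so IPv6 forms survive.
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        rows.append((addr, int(port), match.group(1) if match else "?"))
    return rows


def unexpected_listeners(text, allowed_ports):
    """Return (port, process, bind_addr) for reachable listeners not in allowed_ports."""
    findings = []
    seen = set()
    for addr, port, proc in parse_ss_listeners(text):
        if addr in LOOPBACK:
            continue                      # loopback-only: not exposed to the network
        if port in allowed_ports:
            continue                      # expected service
        if (port, proc) in seen:
            continue                      # same service bound on both IPv4 and IPv6
        seen.add((port, proc))
        findings.append((port, proc, addr))
    return findings


if __name__ == "__main__":
    # Assumed policy for this host: only SSH and HTTP may be exposed.
    for port, proc, addr in unexpected_listeners(SAMPLE_SS_OUTPUT, {22, 80}):
        print(f"unexpected listener: {proc} on {addr}:{port}")
```

On a real host the text would come from running ss -tlnp (or a UDP pass with -ulnp), and the findings feed a ticket rather than an automatic kill: the point is to make the exposed surface explicit, so that a service such as the VNC listener in the sample either gets a documented reason to exist, a firewall rule, or is removed before a scan finds it.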