T1595.001: Scanning IP Blocks
Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.
Adversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).
Positive Technologies products that cover the technique
Detection
PT NAD can detect activities related to the popular Nmap tool using rules, filters, and modules of the activity stream.
Examples of PT NAD detection rules
- [ANOMALY] TCP SYN Scan (sid 13000014)
- SCAN [PTsecurity] Nmap HTTP Probe (sid 10001987)
- TOOLS [PTsecurity] Nmap SMB Script running (sid 10003984)
Examples of PT NAD filters
- os.client ~ "map"
PT NAD detection modules
- Network scanner activity
- [Abnormal] Slow scanning
Detection
| ID | DS0029 | Data source and component | Network Traffic: Network Traffic Flow | Description | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
|---|
Mitigation
| ID | M1056 | Name | Pre-compromise | Description | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
|---|