Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as dns-sd -B _ssh._tcp .) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
Nmap Tutorial
Read our in-depth pentesting guide related to this technique
Platforms
Mitigations (3)
Disable or Remove Feature or ProgramM1042
Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
Network Intrusion PreventionM1031
Use network intrusion detection/prevention systems to detect and prevent remote service scans.
Network SegmentationM1030
Ensure proper network segmentation is followed to protect critical servers and devices.
Threat Groups (31)
| ID | Group | Context |
|---|---|---|
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used commercial tools, LOTL utilities, and appliances already present on the system for netw... |
| G0087 | APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used [CrackMapExec](https://attack.mitre.org/software/S0488) and a custom port scanner known as BLU... |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has used the SNScan tool to find other potential targets on victim networks.(Citation: Symantec Pal... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) has used tools such as NetScan to enumerate network services in victim environments.(Citation: Micr... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used tcping.exe, similar to [Ping](https://attack.mitre.org/software/S0097), to probe port statu... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors use the Hunter tool to conduct network service discovery for vulnerable systems.(Cit... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged [NBTscan](https://attack.mitre.org/software/S0590) to scan IP networks.(Citation:... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used the open-source port scanner <code>WinEggDrop</code> to perform detailed scans of hosts of intere... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has utilized `nmap` for reconnaissance efforts. [FIN13](https://attack.mitre.org/groups/G1016) has also... |
| G0105 | DarkVishnya | [DarkVishnya](https://attack.mitre.org/groups/G0105) performed port scanning to obtain the list of active services.(Citation: Securelist DarkVishnya D... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDI... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used nmap from a router VM to scan ports on systems within the restricted segment of an ent... |
| G0077 | Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) scanned network services to search for vulnerabilities in the victim system.(Citation: Symantec Lea... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) used <code>pr</code> and an openly available tool to scan for open ports on target systems.(Ci... |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used the LadonGo scanner to scan target networks.(Citation: Bitdefender Naikon April 2021) |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.(Citation: DFIR Phosphorus November... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.(Citation: Talos Rocke Au... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) performed network scanning on the network to search for open ports, services, OS finger-printing, and o... |
| G1032 | INC Ransom | [INC Ransom](https://attack.mitre.org/groups/G1032) has used NETSCAN.EXE for internal reconnaissance.(Citation: SOCRadar INC Ransom January 2024)(Cita... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used the <code>get -b <start ip> -e <end ip> -p</code> command for network scanning as well as a ... |
Associated Software (35)
| ID | Name | Type | Context |
|---|---|---|---|
| S0192 | Pupy | Tool | [Pupy](https://attack.mitre.org/software/S0192) has a built-in module for port scanning.(Citation: GitHub Pupy) |
| S0093 | Backdoor.Oldrea | Malware | [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) can use a network scanning module to identify ICS-related ports.(Citation: Gigamon Berserk ... |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) uses a custom port scanner to map out a network.(Citation: ESET Industroyer) |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can perform port scans from an infected host.(Citation: Github PowerShell Empire) |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) can scan for systems that are vulnerable to the EternalBlue exploit.(Citation: Eset Ramsay May 2020)... |
| S1073 | Royal | Malware | [Royal](https://attack.mitre.org/software/S1073) can scan the network interfaces of targeted systems.(Citation: Cybereason Royal December 2022) |
| S0374 | SpeakUp | Malware | [SpeakUp](https://attack.mitre.org/software/S0374) checks for availability of specific ports on servers.(Citation: CheckPoint SpeakUp Feb 2019) |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has conducted port scans on a host.(Citation: Securelist BlackEnergy Nov 2014) |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has used masscan to look for kubelets in the internal Kubernetes network.(Citation: Unit 42 Hilde... |
| S0590 | NBTscan | Tool | [NBTscan](https://attack.mitre.org/software/S0590) can be used to scan IP networks.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June... |
| S0683 | Peirates | Tool | [Peirates](https://attack.mitre.org/software/S0683) can initiate a port scan against a given IP address.(Citation: Peirates GitHub) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can check for open ports on a computer by establishing a TCP connection.(Citation: BitDefender BAD... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) can launch port scans.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can scan for open TCP ports on the target network.(Citation: Github Koadic) |
| S0020 | China Chopper | Malware | [China Chopper](https://attack.mitre.org/software/S0020)'s server component can spider authentication portals.(Citation: FireEye Periscope March 2018) |
| S1144 | FRP | Tool | As part of load balancing [FRP](https://attack.mitre.org/software/S1144) can set `healthCheck.type = "tcp"` or `healthCheck.type = "http"` to check se... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can scan for open ports on a compromised machine.(Citation: GitHub SILENTTRINITY Modules July... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) identifies remote systems via active directory queries for hostnames prior to launchin... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) can perform port scanning of TCP and UDP ports.(Citation: Unit42 Xbash Sept 2018) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can perform port scans from an infected host.(Citation: cobaltstrike manual)(Citation: Talos ... |
References
- Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.
Frequently Asked Questions
What is T1046 (Network Service Discovery)?
T1046 is a MITRE ATT&CK technique named 'Network Service Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common me...
How can T1046 be detected?
Detection of T1046 (Network Service Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1046?
There are 3 documented mitigations for T1046. Key mitigations include: Disable or Remove Feature or Program, Network Intrusion Prevention, Network Segmentation.
Which threat groups use T1046?
Known threat groups using T1046 include: Volt Typhoon, APT39, BlackTech, BlackByte, menuPass, Threat Group-3390, Mustang Panda, Agrius.