T1046

Network Service Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the...

Platforms: Containers, IaaS, Linux, macOS, Network Devices, Windows

49 Detections
4 Sources
31 Threat Actors

BY SOURCE

19 elastic, 19 sigma, 10 splunk_escu, 1 crowdstrike_cql

PROCEDURES (23)

Network Connection Monitoring: 9 detections

Auto-extracted: 9 detections for network connection monitoring

Process Creation Monitoring: 5 detections

Auto-extracted: 5 detections for process creation monitoring

General Monitoring: 5 detections

Auto-extracted: 5 detections for general monitoring

Service: 4 detections

Auto-extracted: 4 detections for service

Remote: 4 detections

Auto-extracted: 4 detections for remote

Ransomware: 2 detections

Auto-extracted: 2 detections for ransomware

Kubernetes: 2 detections

Auto-extracted: 2 detections for kubernetes

Dump: 2 detections

Auto-extracted: 2 detections for dump

Lateral: 2 detections

Auto-extracted: 2 detections for lateral

C2: 1 detection

Auto-extracted: 1 detection for c2

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

Persist: 1 detection

Auto-extracted: 1 detection for persist

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Container: 1 detection

Auto-extracted: 1 detection for container

Credential: 1 detection

Auto-extracted: 1 detection for credential

Ransomware: 1 detection

Auto-extracted: 1 detection for ransomware

Script Execution Monitoring: 1 detection

Auto-extracted: 1 detection for script execution monitoring

Privilege: 1 detection

Auto-extracted: 1 detection for privilege

Remote: 1 detection

Auto-extracted: 1 detection for remote

Service: 1 detection

Auto-extracted: 1 detection for service

Api: 1 detection

Auto-extracted: 1 detection for api

Credential: 1 detection

Auto-extracted: 1 detection for credential

Suspicious: 1 detection

Auto-extracted: 1 detection for suspicious

DETECTIONS (49)

Advanced IP or Port Scanner Execution
splunk_escu
Advanced IP Scanner - File Event
sigma (medium)
Cisco Secure Firewall - Blocked Connection
splunk_escu
Cisco Secure Firewall - Repeated Blocked Connections
splunk_escu
DNS Enumeration Detected via Defend for Containers
elastic (low)
HackTool - winPEAS Execution
sigma (high)
HackTool - WinPwn Execution
sigma (high)
HackTool - WinPwn Execution - ScriptBlock
sigma (high)
Hping Process Activity
elastic (medium)
Internal Horizontal Port Scan
splunk_escu
Internal Horizontal Port Scan NMAP Top 20
splunk_escu
Internal Vertical Port Scan
splunk_escu
Internal Vulnerability Scan
splunk_escu
Kubernetes Access Scanning
splunk_escu
Kubernetes Scanning by Unauthenticated IP Address
splunk_escu
Linux Network Service Scanning - Auditd
sigma (low)
Linux Network Service Scanning Tools Execution
sigma (low)
MacOS Network Service Scanning
sigma (low)
Nping Process Activity
elastic (medium)
OpenCanary - Host Port Scan (SYN Scan)
sigma (high)
OpenCanary - NMAP FIN Scan
sigma (high)
OpenCanary - NMAP NULL Scan
sigma (high)
OpenCanary - NMAP OS Scan
sigma (high)
OpenCanary - NMAP XMAS Scan
sigma (high)
Pnscan Binary Data Transmission Activity
sigma (medium)
Potential Linux Hack Tool Launched
elastic (medium)
Potential Network Scan Detected
elastic (low)
Potential Network Scan Executed From Host
elastic (medium)
Potential Network Sweep Detected
elastic (low)
Potential Port Scanning Activity from Compromised Host
elastic (low)
Potential PowerShell HackTool Script by Function Names
elastic (medium)
Potential Subnet Scanning Activity from Compromised Host
elastic (medium)
Potential SYN-Based Port Scan Detected
elastic (low)
Potentially Suspicious Process Started via tmux or screen
elastic (medium)
PUA - Advanced IP Scanner Execution
sigma (medium)
PUA - Advanced Port Scanner Execution
sigma (medium)
PUA - NimScan Execution
sigma (medium)
PUA - Nmap/Zenmap Execution
sigma (medium)
PUA - SoftPerfect Netscan Execution
sigma (medium)
Python Initiated Connection
sigma (medium)
Spike in Firewall Denies
elastic (low)
Spike in host-based traffic
elastic (low)
Spike in Network Traffic
elastic (low)
Spike in Network Traffic To a Country
elastic (low)
Suricata and Elastic Defend Network Correlation
elastic (medium)
Suspicious Network Tool Launch Detected via Defend for Containers
elastic (low)
Suspicious Network Tool Launched Inside A Container
elastic (low)
Systems Initiating Connections to a High Number of Ports
crowdstrike_cql
Windows PsTools Recon Usage
splunk_escu