EXPLORE
Sign In
← Back to Explore
T1595

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols...

PRE
24
Detections
4
Sources
0
Threat Actors

BY SOURCE

16elastic4splunk_escu3sigma1crowdstrike_cql

PROCEDURES (14)

Network Connection Monitoring4 detections

Auto-extracted: 4 detections for network connection monitoring

Service3 detections

Auto-extracted: 3 detections for service

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Api2 detections

Auto-extracted: 2 detections for api

Unusual2 detections

Auto-extracted: 2 detections for unusual

C22 detections

Auto-extracted: 2 detections for c2

Dump2 detections

Auto-extracted: 2 detections for dump

Http1 detections

Auto-extracted: 1 detections for http

Http1 detections

Auto-extracted: 1 detections for http

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Api1 detections

Auto-extracted: 1 detections for api

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (24)

Attacker Tools On Endpoint
splunk_escu
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
splunk_escu
HTTP Rapid POST with Mixed Status Codes
splunk_escu
Inbound Connection to an Unsecure Elasticsearch Node
elasticmedium
Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected
elasticmedium
Ollama Possible API Endpoint Scan Reconnaissance
splunk_escu
Potential Hello-World Scraper Botnet Activity
sigmamedium
Potential Linux Hack Tool Launched
elasticmedium
Potential Network Scan Detected
elasticlow
Potential Network Sweep Detected
elasticlow
Potential Spike in Web Server Error Logs
elasticlow
Potential SYN-Based Port Scan Detected
elasticlow
PUA - PingCastle Execution
sigmamedium
PUA - PingCastle Execution From Potentially Suspicious Parent
sigmahigh
Spike in Firewall Denies
elasticlow
Spike in Network Traffic
elasticlow
Spike in Network Traffic To a Country
elasticlow
Suspicious Network Tool Launch Detected via Defend for Containers
elasticlow
Suspicious Network Tool Launched Inside A Container
elasticlow
Systems Initiating Connections to a High Number of Ports
crowdstrike_cql
Web Server Discovery or Fuzzing Activity
elasticlow
Web Server Potential Command Injection Request
elasticlow
Web Server Potential Spike in Error Response Codes
elasticlow
Web Server Suspicious User Agent Requests
elasticlow