EXPLORE
← Back to Explore
T1595

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols...

PRE
28
Detections
4
Sources
0
Threat Actors

BY SOURCE

18elastic5splunk_escu3sigma2crowdstrike_cql

PROCEDURES (15)

Network Connection Monitoring5 detections

Auto-extracted: 5 detections for network connection monitoring

Service3 detections

Auto-extracted: 3 detections for service

C22 detections

Auto-extracted: 2 detections for c2

Dump2 detections

Auto-extracted: 2 detections for dump

Inject2 detections

Auto-extracted: 2 detections for inject

Unusual2 detections

Auto-extracted: 2 detections for unusual

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Http1 detections

Auto-extracted: 1 detections for http

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (28)

Attacker Tools On Endpoint
splunk_escu
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
splunk_escu
HTTP Rapid POST with Mixed Status Codes
splunk_escu
ICMP Timestamp or Information Request from the Internet
elasticlow
Inbound Connection to an Unsecure Elasticsearch Node
elasticmedium
Kubernetes Potential Endpoint Permission Enumeration Attempt by Anonymous User Detected
elasticmedium
Ollama Possible API Endpoint Scan Reconnaissance
splunk_escu
Potential Hello-World Scraper Botnet Activity
sigmamedium
Potential Linux Hack Tool Launched
elasticmedium
Potential Network Scan Detected
elasticlow
Potential Network Sweep Detected
elasticlow
Potential Spike in Web Server Error Logs
elasticlow
Potential SYN-Based Port Scan Detected
elasticlow
PUA - PingCastle Execution
sigmamedium
PUA - PingCastle Execution From Potentially Suspicious Parent
sigmahigh
Spike in Firewall Denies
elasticlow
Spike in Network Traffic
elasticlow
Spike in Network Traffic To a Country
elasticlow
Suspicious Network Tool Launch Detected via Defend for Containers
elasticlow
Suspicious Network Tool Launched Inside A Container
elasticlow
Systems Initiating Connections to a High Number of Ports
crowdstrike_cql
Systems Initiating Connections to a High Number of Ports
crowdstrike_cql
Web Server Discovery or Fuzzing Activity
elasticlow
Web Server Potential Command Injection Request
elasticlow
Web Server Potential Spike in Error Response Codes
elasticlow
Web Server Potential SQL Injection Request
elastichigh
Web Server Suspicious User Agent Requests
elasticlow
Windows Netspy Network Scanner Execution
splunk_escu