Network Service Discovery, Technique T1046 - Enterprise

C0063

2025 Poland Wiper Attacks

During the 2025 Poland Wiper Attacks, the adversaries utilized Ping, the Advanced Port Scanner and Advanced IP Scanner to enumerate network devices.[4]

G1030

Agrius

Agrius used the open-source port scanner WinEggDrop to perform detailed scans of hosts of interest in victim networks.[5]

C0062

Anthropic AI-orchestrated Campaign

During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to enumerate internal network services and endpoints across targeted environments using browser automation via MCP, including databases, container registries, admin interfaces, and workflow orchestration platforms.[6]

G0050

APT32

APT32 performed network scanning to search for open ports and services, fingerprint operating systems, and identify other vulnerabilities.[7]

G0087

APT39

APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.[8][9]

G0096

APT41

APT41 used a malware variant called WIDETONE to conduct port scans on specified subnets.[10]

S0093

Backdoor.Oldrea

Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[11]

G0135

BackdoorDiplomacy

BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to the EternalBlue exploit.[12]

S1081

BADHATCH

BADHATCH can check for open ports on a computer by establishing a TCP connection.[13]
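The behaviour described for BADHATCH (and, in other rows of this table, for Koadic, tcping.exe and similar tools) is the simplest form of port discovery: complete a TCP three-way handshake and read the outcome. The example below is added here for illustration and is not code from BADHATCH or any other tool on this page. It spins up a throwaway listener on 127.0.0.1 (a constructed target, so it runs offline), then classifies ports as open (handshake completed), closed (RST / connection refused) or filtered (no reply before the timeout, the signature of a firewall silently dropping the SYN). The helper names `start_listener`, `stop_listener`, `probe_tcp` and `scan_ports` are this example's own.

```python
"""Minimal TCP connect port check: the "establish a TCP connection and see
whether it succeeds" technique described on this page.

Added example; not code from any tool listed here.  The target is a
constructed listener on 127.0.0.1 so the demo runs with no network access."""
import socket
import threading


def _accept_loop(server: socket.socket) -> None:
    # Accept and immediately close connections until the listener is shut down.
    while True:
        try:
            conn, _ = server.accept()
            conn.close()
        except OSError:  # raised once stop_listener() shuts the socket down
            return


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Open a throwaway TCP service on an OS-chosen port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv: socket.socket) -> None:
    """Wake the accept loop and release the port so later probes see it closed."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one port by attempting a full three-way handshake.

    "open"     -> connect() completed (SYN/ACK received)
    "closed"   -> connection refused (RST received)
    "filtered" -> nothing came back before the timeout; typical of a
                  firewall that silently drops the SYN
    "error"    -> any other socket failure (unreachable network, etc.)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict[int, str]:
    """Connect-scan a list of ports and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    try:
        # Port 9 (discard) is normally not listening, so it shows as "closed".
        print(scan_ports("127.0.0.1", [open_port, 9]))
    finally:
        stop_listener(srv)
```

A full connect is noisy: every probe leaves a completed handshake (or a refused SYN) in host logs and connection records on the target, which is exactly the telemetry the detection examples further down this page rely on. SYN-only scanners such as masscan avoid the accept() on the target side but still generate the SYN/RST pairs visible to network sensors.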

G1043

BlackByte

BlackByte has used tools such as NetScan to enumerate network services in victim environments.[14]

S1180

BlackByte Ransomware

BlackByte Ransomware identifies remote systems via active directory queries for hostnames prior to launching remote ransomware payloads.[15]

S0089

BlackEnergy

BlackEnergy has conducted port scans on a host.[16]

G0098

BlackTech

BlackTech has used the SNScan tool to find other potential targets on victim networks.[17]

S1063

Brute Ratel C4

Brute Ratel C4 can conduct port scanning against targeted systems.[18]

C0018

C0018

During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.[19]

C0027

C0027

During C0027, the threat actors used RustScan to scan for open ports on targeted ESXi appliances.[20]

S0572

Caterpillar WebShell

Caterpillar WebShell has a module to use a port scanner on a system.[21]

G0114

Chimera

Chimera has used the get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.[22]

S0020

China Chopper

China Chopper's server component can spider authentication portals.[23]

G0080

Cobalt Group

Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.[24][25][26]

S0154

Cobalt Strike

Cobalt Strike can perform port scans from an infected host.[27][28][29]

S0608

Conficker

Conficker scans for other machines to infect.[30]

C0004

CostaRicto

During CostaRicto, the threat actors employed nmap and pscan to scan target environments.[31]

G0105

DarkVishnya

DarkVishnya performed port scanning to obtain the list of active services.[32]

G1003

Ember Bear

Ember Bear has used tools such as NMAP for remote system discovery and enumeration in victim environments.[33]

S0363

Empire

Empire can perform port scans from an infected host.[34]

G1016

FIN13

FIN13 has utilized nmap for reconnaissance efforts. FIN13 has also scanned for internal MS-SQL servers in a compromised network.[35][36]

G0037

FIN6

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[37]

G0117

Fox Kitten

Fox Kitten has used tools including NMAP to conduct broad scanning to identify open ports.[38][39]

S1144

FRP

As part of load balancing, FRP can set healthCheck.type = "tcp" or healthCheck.type = "http" to check service status on specific hosts with a TCP ping or an HTTP request.[40]

S0061

HDoor

HDoor scans to identify open ports on the victim.[41]

S0698

HermeticWizard

HermeticWizard has the ability to scan ports on a compromised network.[42]

S0601

Hildegard

Hildegard has used masscan to look for kubelets in the internal Kubernetes network.[43]

C0038

HomeLand Justice

During HomeLand Justice, threat actors executed the Advanced Port Scanner tool on compromised systems.[44][45]

G1032

INC Ransom

INC Ransom has used NETSCAN.EXE for internal reconnaissance.[46][47]

S0604

Industroyer

Industroyer uses a custom port scanner to map out a network.[48]

S0260

InvisiMole

InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.[49]

S0250

Koadic

Koadic can scan for open TCP ports on the target network.[50]

G0032

Lazarus Group

Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.[51]

G0077

Leafminer

Leafminer scanned network services to search for vulnerabilities in the victim system.[52]

S1185

LightSpy

To collect data on the host's Wi-Fi connection history, LightSpy reads the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist file. It also utilizes Apple's CWWiFiClient API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.[53]

G0030

Lotus Blossom

Lotus Blossom has used port scanners to enumerate services on remote hosts.[54]

S0532

Lucifer

Lucifer can scan for open ports including TCP ports 135 and 1433.[55]

G0059

Magic Hound

Magic Hound has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.[56]

G1051

Medusa Group

Medusa Group has the capability to use living off the land (LOTL) binaries to perform network enumeration.[57] Medusa Group has also utilized the publicly available scanning tool SoftPerfect Network Scanner (netscan.exe) to discover device hostnames and network services.[58]

G0045

menuPass

menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[59]

S1146

MgBot

MgBot includes modules for performing HTTP and server service scans.[60]

S0233

MURKYTOP

MURKYTOP has the capability to scan for open ports on hosts in a connected network.[23]

G0129

Mustang Panda

Mustang Panda has leveraged NBTscan to scan IP networks.[61]

G0019

Naikon

Naikon has used the LadonGo scanner to scan target networks.[62]

S0590

NBTscan

NBTscan can be used to scan IP networks.[63][64]

G0049

OilRig

OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.[65]

C0014

Operation Wocao

During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NetBIOS name servers.[66]

S0598

P.A.S. Webshell

P.A.S. Webshell can scan networks for open ports and listening services.[67]

S0683

Peirates

Peirates can initiate a port scan against a given IP address.[68]

S0378

PoshC2

PoshC2 can perform port scans from an infected host.[69]

S0192

Pupy

Pupy has a built-in module for port scanning.[70]

S0583

Pysa

Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[71]

S0458

Ramsay

Ramsay can scan for systems that are vulnerable to the EternalBlue exploit.[72][73]

G1039

RedCurl

RedCurl has used netstat to check if port 4119 is open.[74]

S0125

Remsec

Remsec has a plugin that can perform ARP scanning as well as port scanning.[75]

G0106

Rocke

Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.[76][77]

S1073

Royal

Royal can scan the network interfaces of targeted systems.[78]

S0692

SILENTTRINITY

SILENTTRINITY can scan for open ports on a compromised machine.[79]

S0374

SpeakUp

SpeakUp checks for availability of specific ports on servers.[80]

G0039

Suckfly

Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open.[81]

G0139

TeamTNT

TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters.[82][43][83] TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.[84]
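Most rows in this table describe one of two shapes of activity: a single source walking many ports on one host (the custom and commodity port scanners), or a single source trying one port across many hosts (Lucifer on 135 and 1433, Rocke on 7001, TeamTNT's masscan sweeps for the Docker API and kubelets above). Both leave a distinctive pattern in connection records that is straightforward to flag. The example below is added here as an illustration, not code from any tool or vendor on this page. It parses constructed records whose field names mirror Zeek's conn.log (`ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`, `conn_state`) and raises one alert per (source, target) pair once the count of distinct ports or hosts in a sliding window crosses a threshold; it also reports what share of those attempts went unanswered (REJ / S0), since scans mostly hit closed or filtered ports. The thresholds, window and helper names (`parse_conn_log`, `detect_scans`, `build_sample_log`) are this example's own choices and should be tuned to the environment.

```python
"""Flag vertical (many ports, one host) and horizontal (one port, many hosts)
scan patterns in Zeek-style connection records.

Added example for this page.  The records are constructed; field names
follow Zeek conn.log (ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state)."""
from collections import defaultdict, deque

FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "proto", "conn_state"]


def parse_conn_log(text: str) -> list[dict]:
    """Parse tab-separated records (header line first, '#' lines ignored)."""
    lines = [l for l in text.strip().splitlines() if l and not l.startswith("#")]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        records.append(rec)
    return records


def detect_scans(records, window=60.0, vertical_min=15, horizontal_min=10) -> list[dict]:
    """Return alerts for sources probing >= vertical_min distinct ports on one
    host, or >= horizontal_min distinct hosts on one port, within `window`
    seconds.  Each (kind, source, target) fires once."""
    records = sorted(records, key=lambda r: r["ts"])
    trackers = {
        # kind: (fields forming the key, field counted as distinct, threshold, state)
        "vertical": (("id.orig_h", "id.resp_h"), "id.resp_p", vertical_min, defaultdict(deque)),
        "horizontal": (("id.orig_h", "id.resp_p"), "id.resp_h", horizontal_min, defaultdict(deque)),
    }
    alerts, fired = [], set()
    for r in records:
        for kind, (key_fields, distinct_field, threshold, state) in trackers.items():
            key = tuple(r[f] for f in key_fields)
            q = state[key]
            q.append((r["ts"], r[distinct_field], r["conn_state"]))
            while q and r["ts"] - q[0][0] > window:  # drop records outside the window
                q.popleft()
            distinct = {v for _, v, _ in q}
            if len(distinct) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                # REJ = refused (RST), S0 = SYN with no reply: the bulk of a scan's attempts
                unanswered = sum(1 for _, _, cs in q if cs in ("REJ", "S0"))
                alerts.append({
                    "kind": kind,
                    "src": r["id.orig_h"],
                    "key": key[1],              # target host (vertical) or target port (horizontal)
                    "distinct": len(distinct),
                    "unanswered_ratio": round(unanswered / len(q), 2),
                    "first_ts": q[0][0],
                    "last_ts": r["ts"],
                })
    return alerts


def build_sample_log() -> str:
    """Constructed conn.log excerpt: a benign client, a vertical scan, and a
    horizontal sweep of the Docker API port (2375) across a subnet."""
    rows = ["\t".join(FIELDS)]
    # benign: one host repeatedly talking to one web server on 443 (must not fire)
    for i in range(40):
        rows.append(f"{1000 + i * 2}\t10.0.0.7\t10.0.0.50\t443\ttcp\tSF")
    # vertical scan: 10.0.0.5 walks ports 1-24 on 10.0.0.20; only 22 and 80 answer
    for i, port in enumerate(range(1, 25)):
        state = "SF" if port in (22, 80) else "REJ"
        rows.append(f"{2000 + i}\t10.0.0.5\t10.0.0.20\t{port}\ttcp\t{state}")
    # horizontal sweep: the same source tries 2375 on twelve hosts; one answers
    for i in range(12):
        state = "SF" if i == 3 else "S0"
        rows.append(f"{3000 + i}\t10.0.0.5\t10.0.0.{21 + i}\t2375\ttcp\t{state}")
    return "\n".join(rows)


if __name__ == "__main__":
    for alert in detect_scans(parse_conn_log(build_sample_log())):
        print(alert)
```

In the constructed data the benign client never fires because it touches one port on one host, the vertical tracker raises once the fifteenth distinct port on 10.0.0.20 is seen, and the horizontal tracker raises on the tenth host probed on 2375. The unanswered ratio is the discriminator worth keeping when tuning: legitimate monitoring and inventory tools do sweep ports, but they tend to hit services that exist, whereas a discovery scan of the kind described throughout this table is mostly refusals and silence.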

G0027

Threat Group-3390

Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[85][86]

G0081

Tropic Trooper

Tropic Trooper used pr and an openly available tool to scan for open ports on target systems.[87][88]

G1017

Volt Typhoon

Volt Typhoon has used commercial tools, LOTL utilities, and appliances already present on the system for network service discovery.[89]

S0341

Xbash

Xbash can perform port scanning of TCP and UDP ports.[90]

S0117

XTunnel

XTunnel is capable of probing the network for open ports.[91]

S0412

ZxShell

ZxShell can launch port scans.[10][92]