Active Scanning: Vulnerability Scanning

ID Name
T1595.001 Scanning IP Blocks
T1595.002 Vulnerability Scanning

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.[1] Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).

ID: T1595.002
Sub-technique of:  T1595
Tactic: Reconnaissance
Platforms: PRE
Version: 1.0
Created: 02 October 2020
Last Modified: 15 April 2021

Procedure Examples

ID Name Description
G0007 APT28

APT28 has performed large-scale scans in an attempt to find vulnerable servers.[2]

G0016 APT29

APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.[3]

G0034 Sandworm Team

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.[4]

G0139 TeamTNT

TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.[5]

G0123 Volatile Cedar

Volatile Cedar has performed vulnerability scans of the target server.[6][7]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.


ID Data Source Data Component
DS0029 Network Traffic Network Traffic Content
Network Traffic Flow

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.