T1595.002 · reconnaissance · 12 actors · 7 correlated reports

Vulnerability Scanning

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Observed actors

APT41
G0096 Dragonfly
G0035 TeamTNT
G0139 Sandworm Team
G0034 Aquatic Panda
G0143 Winter Vivern
G1035 APT29
G0016 Ember Bear
G1003 Volatile Cedar
G0123 APT28
G0007 Earth Lusca
G1006 Magic Hound
G0059

Correlated CTI and IR reports

APT41 Targeting Pharmaceutical Sector: Log4Shell to Domain Compromise
1200km CTI repository · explicit report mention Attack Playbook — Operation DragonRx
1200km CTI repository · explicit report mention Operation DragonRx — APT41 Full Attack Simulation
1200km CTI repository · explicit report mention Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis
1200km CTI repository · explicit report mention APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise
1200km Medium · authored report mention Attack Playbook Operation DragonRx
1200km Medium · authored report mention Operation DragonRx Simulating an APT41 Attack End to End From Log4Shell to DFIR and Malware
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research