T1595 · reconnaissance · 0 actors · 7 correlated reports

Active Scanning

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Observed actors

Correlated CTI and IR reports

Eye of the Storm: Dissecting the Playbook of Cyber Toufan
OP Innovate · direct source mapping CTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mention CTI Research: LLM/AI/MCP Usage in the Cyber Kill Chain
1200km CTI repository · explicit report mention Defensive Cyber Threat Intelligence Report: Israeli Critical Infrastructure and Geopolitical Escalation (2024-2026)
Israel Threat Actors CTI · explicit report mention Executive Summary
Israel Threat Actors CTI · explicit report mention Malicious Activity as a Statistical Signal: A Detection Engineering Analysis of Anomaly-Based Detection
1200km CTI repository · explicit report mention Malicious Activity as a Statistical Signal A Detection Engineering Analysis of Anomaly Based
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research