# T1046 Network Service Scanning

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system. 

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the network and inspect intra-network flows to detect port scans.
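The flow-inspection approach described above, as an added example that is not part of the original playbook: a sliding-window detector over constructed Zeek-style connection records that flags a source probing many ports on one host (vertical scan) or one port on many hosts (horizontal sweep), and reports the share of unanswered or refused connections, which is high for scanners and low for normal clients. Thresholds, the record layout and the sample addresses are assumptions.

```python
"""Port scan / host sweep detection over connection-log records (added example)."""
from collections import defaultdict

# Constructed Zeek-style conn records: (ts, orig_h, resp_h, resp_p, conn_state).
# conn_state "S0"/"REJ" = no or refused answer, "SF" = completed connection.
def build_sample_flows():
    flows = []
    # vertical scan: one source probing 25 ports on one host within 10 s
    for i in range(25):
        flows.append((100.0 + i * 0.4, "10.0.0.5", "10.0.0.20", 1 + i, "REJ"))
    # horizontal sweep: the same source probing SMB on 21 hosts within 21 s
    for i in range(21):
        flows.append((200.0 + i, "10.0.0.5", f"10.0.0.{30 + i}", 445, "S0"))
    # benign traffic: a workstation talking to three servers over normal ports
    for i in range(40):
        flows.append((100.0 + i * 3, "10.0.0.7", f"10.0.0.{8 + i % 3}",
                      [80, 443, 445][i % 3], "SF"))
    return flows

def detect_scans(flows, window=60.0, port_threshold=15, host_threshold=15):
    """Return alerts as (src, kind, target, count, failed_ratio) tuples.

    kind is "vertical" (>= port_threshold distinct ports on one host) or
    "horizontal" (>= host_threshold distinct hosts on one port), evaluated
    over a sliding window of `window` seconds per source address.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, state in flows:
        by_src[src].append((ts, dst, port, state))
    alerts, reported = [], set()
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end, (ts, _, _, _) in enumerate(recs):
            while recs[start][0] < ts - window:  # drop records older than the window
                start += 1
            win = recs[start:end + 1]
            ports_per_dst, dsts_per_port, failed = defaultdict(set), defaultdict(set), 0
            for _, d, p, s in win:
                ports_per_dst[d].add(p)
                dsts_per_port[p].add(d)
                failed += int(s in ("S0", "REJ"))
            ratio = round(failed / len(win), 2)
            for d, ports in ports_per_dst.items():
                if len(ports) >= port_threshold and (src, "vertical", d) not in reported:
                    reported.add((src, "vertical", d))
                    alerts.append((src, "vertical", d, len(ports), ratio))
            for p, dsts in dsts_per_port.items():
                if len(dsts) >= host_threshold and (src, "horizontal", p) not in reported:
                    reported.add((src, "horizontal", p))
                    alerts.append((src, "horizontal", p, len(dsts), ratio))
    return alerts
```

Each alert is emitted once, at the moment the threshold is first crossed, so the count reflects the window at that instant rather than the full scan.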

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1046)

  * [Capec](https://capec.mitre.org/data/definitions/300.html)



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Empire can perform port scans from an infected host.

#### APT28
- Koadic (Windows post-exploitation framework used by APT28) can scan for open TCP ports on the target network.
- XTunnel (VPN-like network proxy tool used by APT28) is capable of probing the network for open ports.

#### APT29
- Cobalt Strike can perform port scans from an infected host.

## Detection Blindspots

- Given the available data sources, network analysis is better suited to detecting this technique than host analysis.

## Analytical References

  * [Atomic Red Team T1046 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md)
  * [Empire Project (github)](https://github.com/EmpireProject/Empire)
  * [Koadic (github)](https://github.com/zerosum0x0/koadic)
  * [Cobalt Strike Manual (cobaltstrike)](https://cobaltstrike.com/downloads/csmanual38.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment.
- Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used.
- Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed.
- Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the network and inspect intra-network flows to detect port scans.

#### Analytic 1

  * **Information:** Common network 

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used.
      - Processes may be renamed, but that would be caught by other hunts

  * **Query:** ```process.name : (nmap.exe or nc.exe or ping.exe or tcping.exe or tracert.exe or pathping.exe or osql.exe) AND process.command_line : *```

-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

