title: Network Service Discovery (T1046)
id: df00tech-t1046
status: experimental
description: "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods include port, vulnerability, and wordlist scans using tools such as nmap, masscan, zmap, CrackMapExec, and custom port scanners. Within cloud environments, adversaries may discover services on other cloud hosts or connected on-premises systems. On macOS, adversaries may leverage Bonjour/mDNSResponder to discover advertised services. Threat actors including Volt Typhoon, APT39, BlackTech, menuPass, FIN13, and ransomware operators like BlackByte routinely perform network service discovery as part of internal reconnaissance before lateral movement."
references:
  - https://attack.mitre.org/techniques/T1046/
  - https://df00tech.com/detections/T1046
author: df00tech
date: 2026/04/17
tags:
  - attack.t1046
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Network engineers and IT administrators running nmap or AngryIP Scanner for authorized network inventory and asset discovery
  - "Vulnerability management platforms (Nessus, Qualys, Rapid7 InsightVM agents) performing scheduled authenticated scans"
  - Security operations teams running port scans during authorized penetration tests or purple team exercises
  - Monitoring tools using Test-NetConnection or netstat scripts to verify service availability and health checks
  - "DevOps pipelines performing connectivity checks (Test-NetConnection, TCP client probes) during deployment validation"
level: medium
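The detection block above is a placeholder, so the following is an added example (not df00tech's rule or query) of the process_creation logic this rule implies, run over constructed Sysmon EventID 1 style records; the scanner image names come from the description, the Test-NetConnection loop case and the service-account allowlist from the falsepositives list, and the account names and paths are constructed placeholders.

```python
import re

# Binaries named in the technique description (T1046 tooling).
SCANNER_IMAGES = ("nmap.exe", "masscan.exe", "zmap.exe", "crackmapexec.exe")
# A Test-NetConnection call only looks like a port sweep when it is driven by a
# pipeline variable, a ForEach loop or a numeric range; the single health-check
# probe listed under falsepositives has none of these.
PS_PORT_SWEEP = re.compile(
    r"Test-NetConnection.*-Port.*(\$_|ForEach)|\d+\.\.\d+.*Test-NetConnection",
    re.IGNORECASE)
# Constructed allowlist standing in for the vulnerability-management service
# accounts under falsepositives; populate from your own asset inventory.
AUTHORIZED_SCAN_USERS = {"CORP\\svc_nessus", "CORP\\svc_qualys"}


def match_t1046(event):
    """Return the name of the first matching selection (Sigma-style OR), or None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if image.rsplit("\\", 1)[-1] in SCANNER_IMAGES:
        return "selection_scanner_image"
    if any(tool in cmd.lower() for tool in ("masscan", "crackmapexec", "zmap")):
        return "selection_scanner_cmdline"
    if image.endswith("powershell.exe") and PS_PORT_SWEEP.search(cmd):
        return "selection_ps_port_sweep"
    return None


def triage(events):
    """Apply the rule to a batch; hits from allowlisted scan accounts are kept but flagged."""
    alerts = []
    for ev in events:
        sel = match_t1046(ev)
        if sel is None:
            continue
        alerts.append({"User": ev.get("User"), "selection": sel, "level": "medium",
                       "suppressed": ev.get("User") in AUTHORIZED_SCAN_USERS})
    return alerts


SAMPLE_EVENTS = [  # constructed process_creation records
    {"Image": r"C:\Tools\nmap.exe", "CommandLine": "nmap.exe -p 445,3389 10.10.0.0/24",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe",
     "CommandLine": "powershell.exe -c \"1..1024 | ForEach-Object { Test-NetConnection 10.10.0.5 -Port $_ }\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\svc_monitor",
     "CommandLine": "powershell.exe -c \"Test-NetConnection app01 -Port 443\""},
    {"Image": r"C:\Scanner\temp\nmap.exe", "CommandLine": "nmap.exe -sV 10.10.0.0/24",
     "User": r"CORP\svc_nessus"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running it yields three hits: the interactive nmap run, the PowerShell port sweep, and the nmap run from the allowlisted scanner account marked suppressed; the single health-check probe is not flagged.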
