title: Vulnerability Scanning (T1595.002)
id: df00tech-t1595-002
status: experimental
description: "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans check if target host and application configurations align with specific exploits the adversary seeks to use. These scans harvest running software and version numbers via server banners, listening ports, or other network artifacts. Threat groups including Sandworm Team, APT28, APT29, Magic Hound, Ember Bear, and APT41 have conducted large-scale vulnerability scanning operations against public-facing infrastructure, targeting specific CVEs such as Log4Shell, ProxyShell, and Citrix vulnerabilities. Information from these scans informs follow-on exploitation (T1190), capability development (T1587, T1588), and further reconnaissance operations."
references:
  - https://attack.mitre.org/techniques/T1595/002/
  - https://df00tech.com/detections/T1595.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1595.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Authorized vulnerability management programs (Nessus, Qualys, Rapid7 InsightVM) running scheduled scan jobs — scanner IPs should be documented in a known-good IP allowlist and matched against SourceIP"
  - Approved penetration testing or red team engagements — will generate high-volume scanner tool execution events on endpoints and IDS alerts during the engagement window
  - "Security operations or IT infrastructure teams running nmap, masscan, or asset discovery tooling for network inventory and exposure management"
  - "Cloud security scanners (AWS Inspector, Microsoft Defender for Cloud continuous assessment, Tenable.io cloud connectors) probing cloud workloads from cloud provider IP ranges"
  - Bug bounty platform scanners or contracted external assessments arriving from third-party IP ranges with change management approval documentation
level: medium
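An added detection example, not part of the df00tech rule or its KQL/SPL query: a Python heuristic over constructed connection-log records (SourceIP, DestIP, DestPort) that flags a source touching many distinct ports or many distinct hosts inside a short window, and suppresses sources inside documented scanner ranges as the false-positive notes recommend. The allowlist ranges, thresholds and sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed (constructed) ranges of documented, authorized scanners.
SCANNER_ALLOWLIST = [ip_network("10.50.0.0/24"), ip_network("203.0.113.7/32")]

# Constructed sample records: (timestamp, SourceIP, DestIP, DestPort).
SAMPLE_CONNECTIONS = [
    # 198.51.100.9 probes 12 ports on one host: vertical scan
    *[(f"2026-03-13T10:00:{s:02d}", "198.51.100.9", "192.0.2.10", p) for s, p in
      enumerate([21, 22, 25, 80, 443, 445, 1433, 3389, 8080, 8443, 9200, 27017])],
    # 198.51.100.20 probes port 443 on 11 hosts: horizontal sweep
    *[(f"2026-03-13T10:01:{s:02d}", "198.51.100.20", f"192.0.2.{h}", 443)
      for s, h in enumerate(range(20, 31))],
    # 203.0.113.7 is an allowlisted scanner doing the same: must be suppressed
    *[(f"2026-03-13T10:02:{s:02d}", "203.0.113.7", "192.0.2.10", p)
      for s, p in enumerate(range(1, 13))],
    # 192.0.2.50 makes two ordinary connections: benign
    ("2026-03-13T10:03:00", "192.0.2.50", "192.0.2.10", 443),
    ("2026-03-13T10:03:05", "192.0.2.50", "192.0.2.11", 80),
]

def is_allowlisted(src):
    addr = ip_address(src)
    return any(addr in net for net in SCANNER_ALLOWLIST)

def detect_scanners(records, window=timedelta(minutes=2), port_threshold=10, host_threshold=10):
    """Return {SourceIP: reason} for non-allowlisted sources touching at least
    port_threshold distinct ports or host_threshold distinct hosts in any window."""
    per_source = defaultdict(list)
    for ts, src, dst, port in records:
        per_source[src].append((datetime.fromisoformat(ts), dst, port))
    hits = {}
    for src, events in per_source.items():
        if is_allowlisted(src):
            continue  # expected scanner traffic, a documented false positive
        events.sort()
        for i, (start, _, _) in enumerate(events):  # window anchored at each event
            span = [e for e in events[i:] if e[0] - start <= window]
            ports = {p for _, _, p in span}
            hosts = {d for _, d, _ in span}
            if len(ports) >= port_threshold:
                hits[src] = f"{len(ports)} distinct ports in {window}"
                break
            if len(hosts) >= host_threshold:
                hits[src] = f"{len(hosts)} distinct hosts in {window}"
                break
    return hits
```

Tune the window and thresholds to your own baseline; a low-and-slow scan spread over hours needs a longer window or a per-day distinct-port count instead.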
