T1046 — Network Service Discovery

Technique

T1046

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

7

Community rules

20

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1046

MITRE description

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021) Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well. Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-32756
• CVE-2025-0282
• CVE-2023-38035
• CVE-2023-26360
• CVE-2021-21973
• CVE-2019-13608
• CVE-2019-11634

Detection coverage

SigmaHQ community rules

• Grixba Malware Reconnaissance Activity (emerging-threats)
• OpenCanary - NMAP FIN Scan (core)
• OpenCanary - NMAP NULL Scan (core)
• OpenCanary - NMAP OS Scan (core)
• OpenCanary - NMAP XMAS Scan (core)
• OpenCanary - Host Port Scan (SYN Scan) (core)
• Linux Network Service Scanning - Auditd (core)
• Pnscan Binary Data Transmission Activity (core)
• Linux Network Service Scanning Tools Execution (core)
• MacOS Network Service Scanning (core)
• Advanced IP Scanner - File Event (core)
• Python Initiated Connection (core)
• HackTool - WinPwn Execution - ScriptBlock (core)
• HackTool - winPEAS Execution (core)
• HackTool - WinPwn Execution (core)
• PUA - Advanced IP Scanner Execution (core)
• PUA - Advanced Port Scanner Execution (core)
• PUA - SoftPerfect Netscan Execution (core)
• PUA - NimScan Execution (core)
• PUA - Nmap/Zenmap Execution (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.