T1046 is port and service scanning from a foothold: an attacker enumerating what listens before choosing an exploit. On AWS this surfaces as GuardDuty's Recon:EC2/Portscan finding and the PortProbeUnprotectedPort pair that fire when an unprotected port draws probes. DCV joins those with Inspector's network reachability analysis, which identifies the exposure before anyone scans it. Treat a portscan finding on an internal instance as a compromise signal rather than noise; external probing is background radiation, internal scanning rarely is.
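The triage rule above, as an added example (not DCV's or CloudSigma's own code): it separates GuardDuty findings where the instance is the scanner from findings where the instance is only being probed. The sample findings, instance IDs and verdict labels are constructed for illustration; the field names follow the GuardDuty finding format.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample findings, trimmed to the GuardDuty fields the triage reads.
SAMPLE_FINDINGS = [
    {"type": "Recon:EC2/Portscan",  # the instance itself is scanning a private address
     "resource": {"instanceDetails": {"instanceId": "i-0aaaaaaaaaaaaaaa1"}},
     "service": {"resourceRole": "ACTOR", "action": {"networkConnectionAction": {
         "connectionDirection": "OUTBOUND",
         "remoteIpDetails": {"ipAddressV4": "10.0.4.17"}}}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort",  # an outside host probes an open port
     "resource": {"instanceDetails": {"instanceId": "i-0bbbbbbbbbbbbbbb2"}},
     "service": {"resourceRole": "TARGET", "action": {"portProbeAction": {
         "portProbeDetails": [{"localPortDetails": {"port": 22},
                               "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}]}}}},
]

def is_internal(ip):
    """True when ip parses and falls in an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def triage(finding):
    """Map one finding to a verdict: compromise-signal, exposure or unmapped."""
    ftype = finding.get("type", "")
    action = finding.get("service", {}).get("action", {})
    instance = (finding.get("resource", {}).get("instanceDetails", {})
                .get("instanceId", "unknown"))
    if ftype == "Recon:EC2/Portscan":
        remote = (action.get("networkConnectionAction", {})
                  .get("remoteIpDetails", {}).get("ipAddressV4", ""))
        scope = "unknown" if not remote else ("internal" if is_internal(remote) else "external")
        return {"instance": instance, "verdict": "compromise-signal", "scan_scope": scope}
    if ftype.startswith("Recon:EC2/PortProbe"):  # covers both PortProbe finding types
        probes = action.get("portProbeAction", {}).get("portProbeDetails", [])
        ports = sorted({p["localPortDetails"]["port"] for p in probes
                        if "localPortDetails" in p})
        return {"instance": instance, "verdict": "exposure", "open_ports": ports}
    return {"instance": instance, "verdict": "unmapped"}

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(triage(f))
```

A `compromise-signal` verdict routes to incident response on the named instance; an `exposure` verdict routes to closing or restricting the listed ports.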
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to an on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use an mDNS query (such as `dns-sd -B _ssh._tcp .`) to find other systems broadcasting the ssh service.
Platforms: Containers, IaaS, Linux, macOS, Network Devices, Windows.
DCV maps 7 detections across 3 cloud providers to T1046. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 3 | 0.90 |
| AWS Inspector | AWS | 2 | 0.75 |
| Azure Regulatory Compliance | Azure | 1 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 7 T1046 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1046, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 7 cloud-native detections to T1046 across 3 cloud providers, drawn from AWS GuardDuty, AWS Inspector, Azure Regulatory Compliance and GCP Chronicle.
T1046 is part of MITRE ATT&CK TA0007 Discovery: How adversaries learn what they have access to.
CloudSigma ships 3 validated Sigma rules for T1046 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.