T1595.002: T1595.002

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 02/10/2020 18:55 · Modified 21/05/2026 02:35

Essential information

MITRE technique ID: T1595.002
Confidence: 100/100
Revoked: No
Published: 02/10/2020 18:55
Modified: 21/05/2026 02:35
Author / Source: The MITRE Corporation

Aliases

Vulnerability Scanning

Platforms

PRE

Description

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

Kill chain phases

Kill chain	Phase
mitre-attack	reconnaissance

Marking (TLP)

External references

OWASP Vuln Scanning
mitre-attack (T1595.002)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT32 uses SeaLotusAPT-C-00

The MITRE Corporation Confidence 100

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Dragonfly uses TEMP.IsotopeDYMALLOY

The MITRE Corporation Confidence 100

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Sandworm Team uses ELECTRUMTelebots

The MITRE Corporation Confidence 100

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
ResumeLooters uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Saint Bear uses UNC2589Bleeding Bear

The MITRE Corporation Confidence 100

[Saint Bear](https://attack.mitre.org/groups/G1031) is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for a specific remote access tool,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5174 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volatile Cedar uses Lebanese Cedar

The MITRE Corporation Confidence 100

[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 26

Slippery Snakelet uses

Family
ShellBot uses

Family
Kinsing - S0599 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Tsunami uses

Family
VELETRIX uses

Family
Flog uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RondoDox uses

Family
Fodcha uses
Laret uses

Family
AryStinger uses

Family
FeedLoad uses
RDAT - S0495 uses

Family

← Previous

Page / 3

1–12 of 34

Inside the FortiBleed Open Directory: A Technical Analysis … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables
Invisible Sting: Over 4000 Outdated Routers Compromised by … related

AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 related

AlienVault Confidence 100 1 CVE 10 MITREs 9 IOCs 9 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
9 Year-Old PHP Vulnerability Keeps Swinging As One … related

AlienVault Confidence 100 4 CVEs 19 MITREs 5 Malwares 5 IOCs 5 Observables
Suspected Cyber Espionage Campaign Targeting Global Organizations related

1 CVE 6 MITREs 2 Malwares 25 Observables 1 APT
Discovers Multiyear Sophisticated Chinese DNS Operation related

14 MITREs 10 Observables 1 APT

Vulnerabilities (CVE) (35)

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2024-51378 KEV targets

10.0 Critical

getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands …

Attack vector: Network
Published: 04/12/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2017-9248 KEV targets

9.8 Critical

Progress Telerik UI for ASP.NET AJAX and Sitefinity have a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys …

Attack vector: NETWORK
Complexity: LOW
Published: 03/07/2017
Modified: 22/04/2026

CWE-522

CVE-2024-21338 KEV targets

7.8 High

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …

Attack vector: Local
Published: 04/03/2024
Modified: 21/12/2025

CVE-2017-11357

targets

CVE-2016-5681 targets

9.8 Critical

Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 2.07 before 2.07WWB05, DIR-817 Ax, DIR-818LW Bx before 2.05b03beta03, DIR-822 C1 3.01 before …

Attack vector: Network
Complexity: Low
Published: 25/08/2016
Modified: 17/06/2026

CWE-119

CVE-2015-2051 KEV targets

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CWE-77

CVE-2017-9841 KEV targets

9.8 Critical

PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …

Attack vector: NETWORK
Complexity: LOW
Published: 27/06/2017
Modified: 22/04/2026

CWE-94

CVE-2022-28958

targets

CVE-2022-26258

targets

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

← Previous

Page / 3

25–35 of 35

T1595 subtechnique-of

Active Scanning MITRE

Course Of Action (1)

Pre-compromise mitigates

Campaign (3)

SharePoint ToolShell Exploitation uses
Anthropic AI-orchestrated Campaign uses
Cutting Edge uses

Contact About Legal notice Privacy policy Terms of use