T1046 | Discovery | Easy difficulty

Network Service Discovery

Network Service Discovery (T1046) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring SIEM and firewall telemetry for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

SIEM | Firewall

What is Network Service Discovery?

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote exploitation through weaknesses in those services. Common methods to acquire this information include port and vulnerability scanning. Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Nmap, Masscan, and living-off-the-land scanners such as PowerShell loops are commonly used for network service discovery. After gaining initial access to a network, attackers typically scan internal network ranges to identify services they can exploit for lateral movement or privilege escalation, or that hold data worth exfiltrating. Internal scanning activity is particularly suspicious because, outside of dedicated vulnerability-scanning and asset-inventory systems, legitimate users rarely need to scan network ranges; automated scanning tools running on any other internal host are strong indicators of compromise or insider threat activity.

Network Service Discovery is documented as technique T1046 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into SIEM and firewall telemetry (NetFlow and connection logs for the scanning traffic itself), supplemented by endpoint process-creation events for the tools that generate it where an XDR or EDR agent is present.

Detection Strategies

The following detection strategies help SOC analysts identify Network Service Discovery activity. They apply across SIEM and firewall environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform. Before enabling them, baseline and allowlist the sources that are supposed to scan (vulnerability scanners, asset-inventory and monitoring systems); otherwise those hosts will dominate the alert volume and bury the real findings.

  1. Monitor for network scanning patterns: rapid sequential connection attempts from one source to many hosts on a common service port (a horizontal scan) or to many ports on a single host (a vertical scan), particularly from workstations or servers that have no administrative or security operations function.

  2. Alert on execution of network scanning tools including nmap, masscan, and Angry IP Scanner, as well as PowerShell-based port scanners (loops over System.Net.Sockets.TcpClient or Test-NetConnection) that attackers use to evade detection by avoiding standalone executable files. A single Test-NetConnection call is routine troubleshooting; the loop over ports or hosts is the signal.

  3. Detect ARP scanning and ICMP-based host discovery (ping sweeps) that precede port scanning, as attackers typically perform host discovery before service enumeration to identify live hosts on network segments.

  4. Monitor NetFlow data for internal hosts generating connection attempts to large numbers of destination IPs or ports within short time windows, which is the network-level signature of scanning activity. Flows consisting of a SYN with no completed handshake are characteristic of half-open (SYN) scans and help separate a scanner from a busy but legitimate client.

  5. Alert on connections to management interfaces on network infrastructure devices including SSH to routers and switches, SNMP queries from unauthorized sources, and telnet connections from workstations.
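The flow-based strategies above (1, 3 and 4) reduce to counting distinct destinations per source within a time window and checking whether the TCP flows ever completed a handshake. The following is an added example, not code from this page or from SOCSimulator, that runs that logic in Python over constructed NetFlow-style records: an ICMP ping sweep followed by a half-open SMB sweep from one workstation, a vertical scan of a single host from an app server, the same sweep from an allowlisted authorized scanner, and an ordinary workstation with a few completed sessions. The allowlist address 10.0.0.5, the thresholds, the window size and every sample address are assumptions.

```python
"""Flow-based scan detection over NetFlow-style records.

Added example: the records, thresholds and the allowlisted scanner address
are constructed assumptions, not data from any real environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str       # "tcp", "udp" or "icmp"
    flags: str = ""  # cumulative TCP flags seen in the flow, e.g. "S" or "SPA"


# Assumed: the authorized vulnerability scanner; any other host that scans is suspect.
AUTHORIZED_SCANNERS = {"10.0.0.5"}

WINDOW_SECS = 60          # fixed time bucket; a sliding window would avoid splitting a scan in two
HORIZONTAL_HOSTS = 50     # distinct destination hosts on one port from one source
VERTICAL_PORTS = 20       # distinct destination ports on one host from one source
ICMP_SWEEP_HOSTS = 30     # distinct hosts probed with ICMP from one source


def detect_scans(flows: Iterable[Flow]) -> list[dict]:
    """Return one finding per (source, window, kind) that crosses a threshold."""
    buckets: dict[tuple[str, int], list[Flow]] = defaultdict(list)
    for f in flows:
        buckets[(f.src, int(f.ts // WINDOW_SECS))].append(f)

    findings = []
    for (src, _win), fl in buckets.items():
        if src in AUTHORIZED_SCANNERS:
            continue
        hosts_per_port: dict[int, set[str]] = defaultdict(set)
        ports_per_host: dict[str, set[int]] = defaultdict(set)
        icmp_hosts: set[str] = set()
        tcp = syn_only = 0
        for f in fl:
            if f.proto == "icmp":
                icmp_hosts.add(f.dst)
                continue
            hosts_per_port[f.dport].add(f.dst)
            ports_per_host[f.dst].add(f.dport)
            if f.proto == "tcp":
                tcp += 1
                syn_only += f.flags == "S"   # SYN and nothing else: half-open probe
        syn_ratio = round(syn_only / tcp, 2) if tcp else 0.0

        for port, hosts in hosts_per_port.items():
            if len(hosts) >= HORIZONTAL_HOSTS:
                findings.append({"src": src, "kind": "horizontal", "port": port,
                                 "hosts": len(hosts), "syn_only_ratio": syn_ratio})
        for host, ports in ports_per_host.items():
            if len(ports) >= VERTICAL_PORTS:
                findings.append({"src": src, "kind": "vertical", "dst": host,
                                 "ports": len(ports), "syn_only_ratio": syn_ratio})
        if len(icmp_hosts) >= ICMP_SWEEP_HOSTS:
            findings.append({"src": src, "kind": "icmp_sweep", "hosts": len(icmp_hosts)})
    return findings


def sample_flows() -> list[Flow]:
    """Constructed flow records; t0 is aligned to a WINDOW_SECS boundary."""
    t0 = 1_700_000_040.0
    flows = []
    # Ping sweep of 10.0.1.0/24 from a marketing workstation, then a half-open SMB sweep.
    for i in range(1, 61):
        flows.append(Flow(t0 + i * 0.1, "192.168.45.67", f"10.0.1.{i}", 0, "icmp"))
    for i in range(1, 201):
        flows.append(Flow(t0 + 10 + i * 0.05, "192.168.45.67", f"10.0.1.{i}", 445, "tcp", "S"))
    # Vertical scan: a compromised app server probing 30 ports on one host.
    for p in range(1, 31):
        flows.append(Flow(t0 + 30 + p * 0.1, "10.0.2.12", "10.0.3.7", p, "tcp", "S"))
    # Authorized scanner doing an SSH sweep: suppressed by the allowlist.
    for i in range(1, 101):
        flows.append(Flow(t0 + 40 + i * 0.05, "10.0.0.5", f"10.0.1.{i}", 22, "tcp", "S"))
    # Ordinary workstation: a few completed sessions to three servers.
    for i, dst in enumerate(["10.0.3.1", "10.0.3.2", "10.0.3.3"]):
        flows.append(Flow(t0 + 50 + i, "192.168.45.10", dst, 443, "tcp", "SPA"))
    return flows


def run_demo() -> list[dict]:
    return detect_scans(sample_flows())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Running it produces three findings: the workstation's ICMP sweep and its 200-host horizontal scan on port 445 with a SYN-only ratio of 1.0, and the app server's 30-port vertical scan. The authorized scanner's sweep and the ordinary workstation produce nothing, which is the tuning the strategies above depend on. In production, replace the fixed bucket with a sliding window so a scan straddling a boundary is not halved below the threshold.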

Example Alerts

These realistic alert examples show what Network Service Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High | Source: SIEM

Internal Network Port Scan from Compromised Host

NetFlow analysis detected workstation WS-MKT-033 initiating TCP SYN packets to 2,847 unique IP addresses on ports 22, 80, 443, 445, 3389, and 8080 over 12 minutes. This scanning rate and port selection pattern is characteristic of nmap service discovery. The source workstation has no network administration function and should not be generating this traffic volume.

Severity: High | Source: XDR

Nmap Execution Detected on Server

Process creation event detected on application server APP-PROD-12: nmap executed with arguments targeting the 10.0.0.0/16 internal network range with service version detection flags. Nmap is not installed as part of the standard server build and was uploaded to the system via SSH by an account that authenticated using compromised credentials 23 minutes prior.

Severity: Medium | Source: Firewall

SMB Service Scanning Detected

Firewall detected connection attempts from 192.168.45.67 to port 445 on 1,200 internal IP addresses within 8 minutes. SMB port scanning is commonly used to identify systems vulnerable to SMB exploits like EternalBlue, to find shares containing sensitive data, or to identify targets for lateral movement using Pass the Hash or Pass the Ticket attacks.
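Detection strategy 2 and the "Nmap Execution Detected on Server" alert above both rest on process-creation telemetry rather than network flows. This is an added example, not code from this page or from SOCSimulator, that applies that rule in Python to constructed process-creation events in the shape of a Sysmon Event ID 1 or EDR process record: it flags known scanner binaries (pulling the target range and any nmap version-detection flags out of the command line), flags PowerShell command lines that loop over System.Net.Sockets.TcpClient or Test-NetConnection, and deliberately leaves a single Test-NetConnection call alone. The host roles, user names, paths, and the low-severity treatment of the security team's own scanner host are assumptions.

```python
"""Process-creation detection for scanning tools and PowerShell port scanners.

Added example: the events, host roles, user names and paths are constructed
assumptions; the host role is assumed to come from a CMDB or asset tag.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    host_role: str       # assumed asset tag: "workstation", "appserver", "security", ...
    user: str
    image: str           # full path of the executed binary
    command_line: str


# Binary names without .exe or a version suffix; "ipscan" is Angry IP Scanner's binary.
SCANNER_BINARIES = {"nmap", "masscan", "ipscan"}

CIDR_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")
VERSION_FLAGS_RE = re.compile(r"(?<!\S)-(?:sV|A|sC)(?!\S)")   # nmap version/script detection
PS_IMAGE_RE = re.compile(r"(?:^|[\\/])(?:powershell|pwsh)(?:\.exe)?$", re.I)
PS_SOCKET_RE = re.compile(r"System\.Net\.Sockets\.TcpClient|Test-NetConnection|Test-Connection", re.I)
PS_LOOP_RE = re.compile(r"\bforeach\b|ForEach-Object|\bfor\s*\(|\d+\.\.\d+|\|\s*%", re.I)


def _stem(image: str) -> str:
    """'C:\\Tools\\ipscan-win64.exe' -> 'ipscan'."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name.split("-")[0]


def classify(ev: ProcEvent) -> list[dict]:
    """Return findings for one process-creation event (empty list if benign)."""
    severity = "low" if ev.host_role == "security" else "high"
    stem = _stem(ev.image)
    if stem in SCANNER_BINARIES:
        target = CIDR_RE.search(ev.command_line)
        return [{
            "host": ev.host, "user": ev.user, "rule": "scanner_binary_executed",
            "tool": stem, "target": target.group(0) if target else None,
            "version_detection": bool(VERSION_FLAGS_RE.search(ev.command_line)),
            "severity": severity,
        }]
    if PS_IMAGE_RE.search(ev.image) and PS_SOCKET_RE.search(ev.command_line):
        # A single Test-NetConnection is routine troubleshooting; a loop over
        # ports or hosts in the same command line is a port scanner.
        if PS_LOOP_RE.search(ev.command_line):
            return [{"host": ev.host, "user": ev.user,
                     "rule": "powershell_port_scan", "severity": severity}]
    return []


def scan_events(events: list[ProcEvent]) -> list[dict]:
    return [f for ev in events for f in classify(ev)]


PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def sample_events() -> list[ProcEvent]:
    """Constructed process-creation events."""
    return [
        # nmap uploaded to a production app server and run with version detection
        ProcEvent("APP-PROD-12", "appserver", "svc_deploy", "/usr/bin/nmap",
                  "nmap -sV -p 22,80,443,445,3389 10.0.0.0/16"),
        # fileless PowerShell port scan of one host, ports 1-1024
        ProcEvent("WS-MKT-033", "workstation", "jdoe", PS_PATH,
                  'powershell.exe -nop -w hidden -c "1..1024 | % { $c = New-Object '
                  "System.Net.Sockets.TcpClient; try { $c.Connect('10.0.1.25', $_); $_ } catch {} }\""),
        # the security team's own scanner host: reported, but at low severity
        ProcEvent("SEC-SCAN-01", "security", "scanner", r"C:\Tools\nmap\nmap.exe",
                  "nmap.exe -sn 10.0.0.0/8"),
        # single connectivity check by an admin: not a scan
        ProcEvent("WS-FIN-002", "workstation", "admin.fin", PS_PATH,
                  'powershell.exe -c "Test-NetConnection -ComputerName FS-01 -Port 445"'),
        # unrelated process
        ProcEvent("WS-HR-004", "workstation", "asmith",
                  r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
    ]


def run_demo() -> list[dict]:
    return scan_events(sample_events())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The app-server event yields a high-severity finding with target 10.0.0.0/16 and version detection set, matching the XDR alert above; the hidden-window PowerShell loop is caught without any scanner binary on disk; the security host is still recorded but at low severity so the team's own activity stays visible without paging anyone; the lone Test-NetConnection and the browser process produce nothing. Pair these findings with the flow-based detection so that a scanner that is renamed or compiled from source is still caught by its traffic.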

Practice Detecting Network Service Discovery

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Network Service Discovery. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Network Service Discovery?
SOC analysts detect Network Service Discovery (T1046) by monitoring SIEM and firewall telemetry for behavioral anomalies and specific indicators. The key detection method is monitoring for network scanning patterns: rapid sequential connection attempts to multiple hosts on common service ports, particularly from workstations or servers that have no administrative or security operations function. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Network Service Discovery?
Network Service Discovery can be detected using SIEM, XDR, and firewall platforms. Firewall and NetFlow logs capture the connection attempts themselves, XDR captures the process-creation events for scanning tools such as nmap, and a SIEM is particularly effective because it correlates both sources and ties the scanning to the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Network Service Discovery in real-world attacks?
Network Service Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Network Service Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Network Service Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like Network Service Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.