T1046 - Network Service Discovery
Tactics:
Discovery
Discovery
Platforms:
Containers IaaS Linux macOS +2
Containers IaaS Linux macOS +2
Detection:
Not specified
Not specified
Description:
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.
Within macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host’s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)
Used by Actors (20)
Naikon
Nation-state
Nation-state
Lazarus Group
Nation-state
Nation-state
FIN6
Unknown
Unknown
OilRig
Nation-state
Nation-state
APT32
Nation-state
Nation-state
MUSTANG PANDA
Nation-state
Nation-state
DarkVishnya
Unknown
Unknown
APT39
Unknown
Unknown
BlackTech
Unknown
Unknown
Rocke
Unknown
Unknown
APT41
Nation-state
Nation-state
Fox Kitten
Unknown
Unknown
TeamTNT
Unknown
Unknown
BackdoorDiplomacy
Unknown
Unknown
FIN13
Unknown
Unknown
Volt Typhoon
Unknown
Unknown
Medusa Group
Unknown
Unknown
Suckfly
Unknown
Unknown
Ember Bear
Unknown
Unknown
Leafminer
Unknown
Unknown
Malware (20)
HDoor other
MURKYTOP other
Backdoor.Oldrea other
BADHATCH other
Hildegard other
InvisiMole other
P.A.S. Webshell other
Lucifer other
BlackEnergy other
Conficker other
China Chopper other
LightSpy other
Remsec other
Xbash other
XTunnel other
Caterpillar WebShell other
Royal other
BlackByte Ransomware other
Pysa other
MgBot other
Metadata
| MITRE ID: | T1046 |
| STIX ID: | attack-pattern--e3a12395-188d-... |
| Platforms: | Containers, IaaS, Linux, macOS, Network Devices, Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |