Active Scanning

Active scanning, the opening stage of the network attack chain, gathers key intelligence by probing target systems directly. Traditional detection relies on recognizing features such as abnormal protocol interactions and high-frequency connection requests, and defends with traffic-threshold alerts and rule matching. As attackers' stealth techniques evolve, however, detection based purely on traffic features faces serious challenges.

Modern covert scanning techniques break out of the traditional detection paradigm by reconstructing their features along several dimensions. Protocol-mimicking covert scans make their features legitimate at the protocol-stack level, letting malicious traffic pass through deep packet inspection systems; time-randomization strategies break up temporal regularities and evade detection models based on behavioral analysis; cloud-service proxy scanning exploits the inherent legitimacy of infrastructure-as-a-service to build distributed probing networks that are hard to trace back. What the three techniques share is that they decompose scanning into micro-operations that fit the features of the surrounding business context: through protocol-compliant restructuring, legitimate use of resources, and blurring of spatiotemporal features, attack traffic is thoroughly blended with normal business traffic.

The development of stealth techniques forces defenses to move toward multi-dimensional correlation analysis, fusing protocol behavior modeling, cloud traffic profiling, and long-period time-series analysis into a dynamic threat-assessment framework. Security collaboration with cloud service providers also needs strengthening, with a cross-platform mechanism for sharing scanning-behavior signatures, to improve joint defense against new covert reconnaissance methods.

ID: T1595
Sub-techniques: T1595.001, T1595.002, T1595.003
Tactic: Reconnaissance
Platforms: PRE
Version: 1.0
Created: 02 October 2020
Last Modified: 08 March 2022

Stealth Effects

Effect Type                      Present
Signature disguise
Behavioral transparency
Data concealment
Spatiotemporal trace dispersal

Signature disguise

Protocol-mimicking techniques precisely replicate the features of a legitimate protocol stack, so that scan traffic matches normal business traffic exactly in packet structure, interaction flow, and other dimensions. Examples include constructing RFC-compliant HTTP request headers and mimicking DNS query/response mechanics, effectively "whitelisting" the scanning behavior at the protocol-parsing layer.

Data concealment

Cloud-service proxy scanning uses the TLS-encrypted transport channels built into cloud platforms, so that scan commands and returned data stay encrypted for the whole transit. Defenders cannot directly parse the communication content and obtain only metadata features of the encrypted traffic, which significantly reduces the detectability of the attack.

Spatiotemporal trace dispersal

Time-randomization strategies break a concentrated scanning task into discrete, long-period, low-intensity events; combined with dynamic scheduling across a cloud service's global nodes, the attack's features are diluted in time and dispersed in space. This spatiotemporal decoupling effectively defeats the time-window analysis and IP clustering that traditional detection systems rely on.

Procedure Examples

ID Name Description
C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.[1]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
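The two detection rows above and the earlier discussion of time randomization and cloud-proxy scanning describe the same problem from both sides: a per-source, short-window threshold sees at most one probe from each node, while pooling all sources that touched a target over a day exposes the port fan-out, and a TCP segment arriving for an endpoint pair that was never opened with a SYN is the "extraneous packet" the Network Traffic Content row mentions. The Python below is an added example, not code from this page or from MITRE; its flow log, packet trace, cloud address ranges (RFC 5737 documentation prefixes) and thresholds are all constructed for illustration.

```python
"""Flow-level checks for the Active Scanning detections above.
Added example, not code from the ATT&CK page or any vendor; all sample
records, address ranges and thresholds are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow log, one record per line: "timestamp src_ip dst_ip dst_port".
# Three sources in documentation ranges each touch one port on 192.0.2.10 every
# few hours, so no single source ever trips a per-minute threshold.
SAMPLE_FLOWS = """\
2024-05-01T00:03:11Z 203.0.113.5 192.0.2.10 22
2024-05-01T02:41:50Z 198.51.100.7 192.0.2.10 443
2024-05-01T05:17:02Z 203.0.113.9 192.0.2.10 3389
2024-05-01T08:55:39Z 203.0.113.5 192.0.2.10 8080
2024-05-01T11:02:14Z 198.51.100.7 192.0.2.10 445
2024-05-01T14:30:27Z 203.0.113.9 192.0.2.10 21
2024-05-01T17:48:05Z 203.0.113.5 192.0.2.10 25
2024-05-01T21:09:44Z 198.51.100.7 192.0.2.10 3306
2024-05-01T09:00:00Z 192.0.2.50 192.0.2.11 443
2024-05-01T09:00:30Z 192.0.2.50 192.0.2.11 443
"""

# Constructed packet trace: "timestamp src_ip:port dst_ip:port tcp_flags".
# A normal handshake to 192.0.2.11, then segments to 192.0.2.10 with no SYN.
SAMPLE_PACKETS = """\
2024-05-01T09:00:00Z 192.0.2.50:51000 192.0.2.11:443 S
2024-05-01T09:00:00Z 192.0.2.11:443 192.0.2.50:51000 SA
2024-05-01T09:00:00Z 192.0.2.50:51000 192.0.2.11:443 A
2024-05-01T09:00:01Z 203.0.113.9:40000 192.0.2.10:3389 A
2024-05-01T09:00:02Z 203.0.113.9:40000 192.0.2.10:3389 R
"""

# Assumed prefixes the analyst attributes to cloud providers (constructed).
CLOUD_RANGES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(port)))
    return flows

def window_start(when, window_seconds):
    """Epoch second at which the fixed-size window containing `when` begins."""
    return int(when.timestamp()) // window_seconds * window_seconds

def per_source_burst_alerts(flows, window_seconds=60, min_ports=5):
    """Classic rule: one source touching many ports on one target within a minute.
    Returns the (src, dst, window_start) keys that cross the threshold."""
    ports = defaultdict(set)
    for when, src, dst, port in flows:
        ports[(src, dst, window_start(when, window_seconds))].add(port)
    return sorted(key for key, seen in ports.items() if len(seen) >= min_ports)

def per_target_long_window_alerts(flows, window_seconds=86400, min_ports=5, min_sources=2):
    """Target-centric, long-window rule: pool every source that touched a target
    over a day and count distinct ports, so spreading probes over hours and
    across several nodes no longer keeps each slice under the threshold."""
    ports, sources = defaultdict(set), defaultdict(set)
    for when, src, dst, port in flows:
        key = (dst, window_start(when, window_seconds))
        ports[key].add(port)
        sources[key].add(src)
    alerts = []
    for key in ports:
        if len(ports[key]) >= min_ports and len(sources[key]) >= min_sources:
            srcs = sorted(sources[key])
            # Which of the pooled sources sit in ranges attributed to cloud providers
            cloud = [s for s in srcs if any(ipaddress.ip_address(s) in net for net in CLOUD_RANGES)]
            alerts.append({"target": key[0], "window_start": key[1],
                           "distinct_ports": len(ports[key]), "sources": srcs,
                           "cloud_sources": cloud})
    return alerts

def segments_without_handshake(text):
    """Flag TCP segments whose endpoint pair was never opened with a SYN we saw:
    the 'extraneous packets that do not belong to established flows' from the
    Network Traffic Content row. State is keyed on the unordered endpoint pair."""
    open_pairs, extraneous = set(), []
    for line in text.splitlines():
        ts, a, b, flags = line.split()
        pair = frozenset((a, b))
        if "S" in flags:
            open_pairs.add(pair)             # SYN or SYN-ACK: handshake in progress
        elif pair not in open_pairs:
            extraneous.append((ts, a, b, flags))
        if "R" in flags or "F" in flags:
            open_pairs.discard(pair)         # teardown: later segments need a new SYN
    return extraneous

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("per-source 60 s rule:", per_source_burst_alerts(flows))        # []
    print("per-target 24 h rule:", per_target_long_window_alerts(flows))  # one alert for 192.0.2.10
    print("segments outside a handshake:", segments_without_handshake(SAMPLE_PACKETS))
```

On the constructed data the per-source rule returns nothing, while the per-target day-long rule reports eight distinct ports on 192.0.2.10 from three cloud-range sources; keying the long window on the target rather than the source is what defeats both the time dilution and the spatial dispersal described earlier. The handshake tracker reports the two segments to 192.0.2.10, which belong to no connection it ever saw open.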

References