MITRE ATT&CK® Detection Strategy

DET0376: Behavioral Detection Strategy for Network Service Discovery Across Platforms

Enterprise | DET0376 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0376 is a MITRE detection strategy for identifying behavior associated with Network Service Discovery. For leaders, the value is not the scan itself; it is that service discovery can reveal where an intruder is mapping internal systems, cloud hosts, or infrastructure before choosing what to target next. Because the detection strategy object has no official detection text and no platforms listed on the strategy itself, teams should treat it as a validation prompt rather than a ready-made analytic.

Executive priority

Prioritize this as a visibility and resilience question: can the organization prove it would notice unusual discovery of services across environments where T1046 is relevant, including Linux, macOS, IaaS, and containers? This matters for incident triage, vulnerability prioritization, and audit evidence because service discovery may expose vulnerable or unexpected services that affect business continuity and response decisions.

Technical view

This strategy detects ATT&CK technique T1046, Network Service Discovery, under the Discovery tactic. SOC and detection teams should validate whether they can correlate network-level evidence of service enumeration with endpoint or workload activity that initiated it, especially in the related platforms supplied by ATT&CK: Containers, IaaS, Linux, and macOS. Because the official detection field is not provided, any implementation should be locally defined, baselined, and tested against approved administrative scanning, vulnerability management activity, and normal service inventory processes.

Likely telemetry

  • Network flow or connection metadata showing many connection attempts across hosts, ports, or services
  • Firewall, security group, or network access logs from IaaS and internal network segments
  • Endpoint process execution telemetry on Linux and macOS for tools initiating network connections
  • Container or workload network telemetry where containerized systems can initiate scans
  • Vulnerability scanner and asset inventory logs to distinguish authorized scanning from suspicious discovery

Detection direction

  • Validate coverage for the related ATT&CK technique T1046 rather than assuming DET0376 provides a complete analytic, because no official detection text is supplied.
  • Tune for patterns inconsistent with the source asset’s role, such as broad service enumeration from user workstations, workloads, or containers that do not normally perform discovery.
  • Correlate network activity with initiating process or workload identity where available to reduce false positives from approved vulnerability scanners and inventory tools.
  • Maintain allowlists or expected baselines for sanctioned scanning infrastructure, but review exceptions regularly so compromised administrative systems do not become blind spots.
  • Check cloud and container logging separately; traditional perimeter telemetry may miss discovery between cloud hosts or inside workload networks.
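The telemetry and detection direction above, worked through as an added example that is not Glexia's or MITRE's code: a role-aware heuristic over connection metadata that counts distinct host:port targets per source inside a sliding window, applies a per-role threshold, and keeps an allowlist keyed by both scanner host and initiating process, so a sanctioned scanner host running unexpected tooling is still counted. The thresholds, the allowlist entries, the asset roles and every flow record are constructed for the example; a real baseline comes from local data.

```python
"""Heuristic detection of broad service enumeration over connection metadata.

Added example for this page; it is not Glexia's or MITRE's code. Thresholds,
the sanctioned-scanner allowlist and the flow records are all constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    ts: datetime            # time the connection attempt was observed
    src: str                # source host or workload identity
    role: str               # asset role from inventory: workstation, container, cloud-host, scanner
    process: Optional[str]  # initiating process when endpoint telemetry exists, else None
    dst: str
    dport: int


# Assumed per-role baselines: distinct (dst, dport) pairs one source normally
# touches within WINDOW. Placeholder values; derive real ones from local baselining.
ROLE_THRESHOLDS: Dict[str, int] = {"workstation": 15, "container": 8, "cloud-host": 25}
DEFAULT_THRESHOLD = 15
WINDOW = timedelta(minutes=5)

# Assumed allowlist keyed by host AND expected process, so a sanctioned scanner
# host running unexpected tooling is still counted rather than ignored.
SANCTIONED: Dict[str, Set[str]] = {"10.0.5.10": {"nessusd"}}


def is_sanctioned(flow: Flow, sanctioned: Dict[str, Set[str]]) -> bool:
    """True only when both the source host and its initiating process are allowlisted."""
    return flow.process is not None and flow.process in sanctioned.get(flow.src, set())


def detect_service_discovery(flows: Iterable[Flow], thresholds=ROLE_THRESHOLDS,
                             sanctioned=SANCTIONED, window=WINDOW) -> List[dict]:
    """Return one alert per source whose distinct-target count inside `window`
    reaches the threshold for its role; sanctioned host+process flows are baseline."""
    by_src = defaultdict(list)
    for f in flows:
        if not is_sanctioned(f, sanctioned):
            by_src[f.src].append(f)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        limit = thresholds.get(events[0].role, DEFAULT_THRESHOLD)
        start = 0
        for end, f in enumerate(events):
            while f.ts - events[start].ts > window:   # slide the window forward
                start += 1
            if len({(e.dst, e.dport) for e in events[start:end + 1]}) < limit:
                continue
            # Threshold crossed: summarize everything within one window of the burst start.
            t0 = events[start].ts
            burst = [e for e in events[start:] if e.ts - t0 <= window]
            alerts.append({
                "src": src,
                "role": events[0].role,
                "first_seen": t0.isoformat(),
                "distinct_targets": len({(e.dst, e.dport) for e in burst}),
                "distinct_hosts": len({e.dst for e in burst}),
                "distinct_ports": len({e.dport for e in burst}),
                "processes": sorted({e.process for e in burst if e.process})
                             or ["unknown (no endpoint telemetry)"],
                "note": ("sanctioned scanner host, but initiating process is not on the allowlist"
                         if src in sanctioned else "discovery breadth inconsistent with asset role"),
            })
            break  # one alert per source per run
    return alerts


def _burst(src, role, process, dsts, ports, start, step=timedelta(seconds=2)):
    """Build a constructed sequence of connection attempts, one every `step`."""
    out, t = [], start
    for d in dsts:
        for p in ports:
            out.append(Flow(t, src, role, process, d, p))
            t += step
    return out


T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_FLOWS = (
    # workstation touching 5 hosts x 4 ports: broad for its role
    _burst("10.0.1.25", "workstation", "python3", [f"10.0.2.{i}" for i in range(1, 6)], [22, 80, 443, 445], T0)
    # workstation with a single SSH connection: normal
    + _burst("10.0.1.30", "workstation", "ssh", ["10.0.2.7"], [22], T0)
    # container workload touching 10 internal services; no process telemetry available
    + _burst("pod-app-7f", "container", None, [f"10.0.3.{i}" for i in range(1, 11)], [8080], T0)
    # sanctioned scanner with its expected process: treated as baseline
    + _burst("10.0.5.10", "scanner", "nessusd", [f"10.0.2.{i}" for i in range(1, 11)], [22, 80, 443, 445], T0)
    # same scanner host an hour later with an unexpected initiating process
    + _burst("10.0.5.10", "scanner", "bash", [f"10.0.4.{i}" for i in range(1, 11)], [22, 3389], T0 + timedelta(hours=1))
)

if __name__ == "__main__":
    for alert in detect_service_discovery(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed records, the detector raises three alerts: the workstation and the container exceed their role baselines, and the scanner host is flagged only for its unexpected process, while the same host's allowlisted scanner traffic is silently treated as baseline. Keying the allowlist on host plus process is what keeps a compromised administrative system from becoming a blind spot; keying it on host alone would have suppressed the third alert.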

Mitigation priorities

  • Establish an accurate inventory of authorized scanners, management systems, exposed services, and normal discovery patterns.
  • Ensure network, endpoint, cloud, and container telemetry needed to investigate service discovery is retained and searchable.
  • Segment networks and restrict unnecessary service exposure so discovery produces less useful targeting information.
  • Integrate detection review with vulnerability management so newly discovered or unexpected services are triaged quickly.
  • Document detection assumptions and evidence sources for incident response and compliance readiness.

Analyst notes and limits

The supplied object is a detection strategy with external ID DET0376 and a relationship indicating it detects T1046, Network Service Discovery. The strategy itself does not list platforms, tactics, aliases, labels, official description, or official detection content. The practical guidance above is therefore anchored to the relationship context for T1046 and should be validated against local architecture and logging reality.

This take does not assert active exploitation, actor use, or guaranteed coverage. MITRE did not provide official detection logic for this object in the supplied fields, and the related technique description is truncated. Local baselines, authorized scanning processes, and environment-specific telemetry are required before operationalizing detections.

Official MITRE ATT&CK definition

Behavioral Detection Strategy for Network Service Discovery Across Platforms

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                        Relationship / procedure
Enterprise  T1046   Network Service Discovery   This object detects Network Service Discovery.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored object)
Modified: (no value in the mirrored object)
Raw hash: 3006f8aa715c3e49...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.0             -         Current bundle  3006f8aa715c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack, DET0376 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.