Description
Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)
Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).
Platforms
Sub-Techniques (3)
Mitigations (2)
AuditM1047
Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.
Application Developer GuidanceM1013
Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys.
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used open-source research to identify information about victims to use in targeting to incl... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has conducted pre-compromise web searches for victim information.(Citation: CISA AA24-038A PRC C... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has utilized open-source indicator of compromise repositories to determine their exposur... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has gathered information on Colombian financial institutions, including Bancolombia, BBVA, Banco Caj... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including runn... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has used open-source research to identify information about victims to use in targeting.(Citat... |
References
- Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved September 12, 2024.
- Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.
- Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020.
Frequently Asked Questions
What is T1593 (Search Open Websites/Domains)?
T1593 is a MITRE ATT&CK technique named 'Search Open Websites/Domains'. It belongs to the Reconnaissance tactic(s). Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, suc...
How can T1593 be detected?
Detection of T1593 (Search Open Websites/Domains) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1593?
There are 2 documented mitigations for T1593. Key mitigations include: Audit, Application Developer Guidance.
Which threat groups use T1593?
Known threat groups using T1593 include: Mustang Panda, Volt Typhoon, Contagious Interview, APT-C-36, Sandworm Team, Star Blizzard.