Description
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)
Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).
Platforms
Mitigations (1)
M1056 Pre-compromise
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
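The practical side of that mitigation is knowing what the scan services already publish about your own address space. The following is an added example (not MITRE's or any scan service's code) that audits a constructed, Shodan-style export of host records (IP, port, hostnames, certificate subject, banner) for an organisation's own assets and flags what would be actionable to an adversary; the owned ranges, domains and port list are assumed placeholders.

```python
import ipaddress
import json
import re

# Constructed sample resembling what public scan services publish per host.
# Addresses are documentation ranges (RFC 5737); this is not real data.
SAMPLE_SCAN_EXPORT = json.dumps([
    {"ip": "203.0.113.10", "port": 443, "hostnames": ["www.example.com"],
     "cert_subject": "CN=www.example.com", "banner": "nginx"},
    {"ip": "203.0.113.22", "port": 3389, "hostnames": [],
     "cert_subject": "", "banner": "Remote Desktop Protocol"},
    {"ip": "203.0.113.40", "port": 22, "hostnames": ["build.example.com"],
     "cert_subject": "", "banner": "SSH-2.0-OpenSSH_7.4"},
    {"ip": "198.51.100.7", "port": 80, "hostnames": ["other.example.org"],
     "cert_subject": "", "banner": "Apache/2.4.41 (Ubuntu)"},
])

# Assumed placeholders: the ranges and domains this organisation owns.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
OWNED_DOMAINS = ("example.com",)
# Management services that should never be reachable from the Internet.
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
VERSION_RE = re.compile(r"\d+\.\d+")  # crude "banner leaks a version" check


def is_owned(record):
    """True if the record's IP or any hostname belongs to our attack surface."""
    ip = ipaddress.ip_address(record["ip"])
    if any(ip in net for net in OWNED_NETWORKS):
        return True
    return any(h.endswith(OWNED_DOMAINS) for h in record["hostnames"])


def find_exposures(scan_export_json):
    """Return (ip, port, reason) for each owned host whose published record
    hands an adversary a target (risky service) or a version string."""
    findings = []
    for rec in json.loads(scan_export_json):
        if not is_owned(rec):
            continue  # someone else's asset; out of scope for this audit
        port, banner = rec["port"], rec["banner"]
        if port in RISKY_PORTS:
            findings.append((rec["ip"], port, f"{RISKY_PORTS[port]} exposed"))
        if VERSION_RE.search(banner):
            findings.append((rec["ip"], port, f"version in banner: {banner}"))
    return findings


if __name__ == "__main__":
    for ip, port, reason in find_exposures(SAMPLE_SCAN_EXPORT):
        print(f"{ip}:{port}  {reason}")
```

Each finding is something to remove from the public view (close the port, strip the version from the banner) before an adversary reads it from the database instead of from you.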
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) uses the Chinese website fofa.su, similar to the Shodan scanning service, for passive scanning of victi... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used FOFA, Shodan, and Censys to search for exposed victim infrastructure.(Citation: CISA AA... |
References
Frequently Asked Questions
What is T1596.005 (Scan Databases)?
T1596.005 is a MITRE ATT&CK technique named 'Scan Databases'. It belongs to the Reconnaissance tactic(s). Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys,...
How can T1596.005 be detected?
Detection of T1596.005 (Scan Databases) is difficult because the adversary's queries are made to third-party scan services, outside the target organization's visibility. Monitoring system logs, network traffic, and endpoint telemetry with SIEM rules, EDR solutions, and behavioral analytics is therefore most useful for the follow-on activity this reconnaissance enables, such as Active Scanning or Exploit Public-Facing Application.
What mitigations exist for T1596.005?
There is 1 documented mitigation for T1596.005: Pre-compromise (M1056).
Which threat groups use T1596.005?
Known threat groups using T1596.005 include: APT41, Volt Typhoon.