Description
Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)
Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).
Platforms
Sub-Techniques (5)
DNS/Passive DNS
T1596.002WHOIS
T1596.003Digital Certificates
T1596.004CDNs
T1596.005Scan Databases
Mitigations (1)
Pre-compromiseM1056
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used large language models (LLMs) to assist in script development and deployment.(Citation: MSFT-AI... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used LLMs to better understand publicly reported vulnerabilities.(Citation: MSFT-AI)(Citation: Op... |
References
- CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
- Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020.
- NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024.
- Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
- SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.
- Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.
Frequently Asked Questions
What is T1596 (Search Open Technical Databases)?
T1596 is a MITRE ATT&CK technique named 'Search Open Technical Databases'. It belongs to the Reconnaissance tactic(s). Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and reposito...
How can T1596 be detected?
Detection of T1596 (Search Open Technical Databases) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1596?
There are 1 documented mitigations for T1596. Key mitigations include: Pre-compromise.
Which threat groups use T1596?
Known threat groups using T1596 include: APT28, Kimsuky.