Description
Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has purchased credentials and session tokens from criminal underground forums.(Citation: MSTIC DEV-05... |
References
Frequently Asked Questions
What is T1597.002 (Purchase Technical Data)?
T1597.002 is a MITRE ATT&CK technique named 'Purchase Technical Data'. It belongs to the Reconnaissance tactic(s). Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases,...
How can T1597.002 be detected?
Detection of T1597.002 (Purchase Technical Data) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1597.002?
There is 1 documented mitigation for T1597.002: Pre-compromise (M1056).
Which threat groups use T1597.002?
Known threat groups using T1597.002 include: LAPSUS$.