Reconnaissance, Tactic TA0043 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Reconnaissance, Tactic TA0043 - Enterprise | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Reconnaissance </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The adversary is trying to gather information they can use to plan future operations.</p><p>Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be 
used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="card-data"><span class="h5 card-title">ID:</span> TA0043</div> <div class="card-data"><span class="h5 card-title">Created: </span>02 October 2020</div> <div class="card-data"><span class="h5 card-title">Last Modified: </span>18 October 2020</div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of TA0043" href="/versions/v16/tactics/TA0043/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of TA0043" href="/versions/v16/tactics/TA0043/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="techniques">Techniques</h2><h6 class="table-object-count">Techniques: 10</h6> <table class="table-techniques"> <thead> <tr> <td colspan="2">ID</td> <td>Name</td> <td>Description</td> </tr> </thead> <tbody> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1595"> T1595 </a> </td> <td> <a href="/techniques/T1595"> Active Scanning </a> </td> <td> Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1595/001"> .001 </a> </td> <td> <a href="/techniques/T1595/001"> Scanning IP Blocks </a> </td> <td> Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1595/002"> .002 </a> </td> <td> <a href="/techniques/T1595/002"> Vulnerability Scanning </a> </td> <td> Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1595/003"> .003 </a> </td> <td> <a href="/techniques/T1595/003"> Wordlist Scanning </a> </td> <td> Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While this technique employs similar methods to <a href="/techniques/T1110">Brute Force</a>, its goal is the identification of content and infrastructure rather than the discovery of valid credentials. Wordlists used in these scans may contain generic, commonly used names and file extensions or terms specific to a particular software. Adversaries may also create custom, target-specific wordlists using data gathered from other Reconnaissance techniques (ex: <a href="/techniques/T1591">Gather Victim Org Information</a>, or <a href="/techniques/T1594">Search Victim-Owned Websites</a>). </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1592"> T1592 </a> </td> <td> <a href="/techniques/T1592"> Gather Victim Host Information </a> </td> <td> Adversaries may gather information about the victim's hosts that can be used during targeting. 
Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1592/001"> .001 </a> </td> <td> <a href="/techniques/T1592/001"> Hardware </a> </td> <td> Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1592/002"> .002 </a> </td> <td> <a href="/techniques/T1592/002"> Software </a> </td> <td> Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1592/003"> .003 </a> </td> <td> <a href="/techniques/T1592/003"> Firmware </a> </td> <td> Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1592/004"> .004 </a> </td> <td> <a href="/techniques/T1592/004"> Client Configurations </a> </td> <td> Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1589"> T1589 </a> </td> <td> <a href="/techniques/T1589"> Gather Victim Identity Information </a> </td> <td> Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1589/001"> .001 </a> </td> <td> <a href="/techniques/T1589/001"> Credentials </a> </td> <td> Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1589/002"> .002 </a> </td> <td> <a href="/techniques/T1589/002"> Email Addresses </a> </td> <td> Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1589/003"> .003 </a> </td> <td> <a href="/techniques/T1589/003"> Employee Names </a> </td> <td> Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1590"> T1590 </a> </td> <td> <a href="/techniques/T1590"> Gather Victim Network Information </a> </td> <td> Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/001"> .001 </a> </td> <td> <a href="/techniques/T1590/001"> Domain Properties </a> </td> <td> Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/002"> .002 </a> </td> <td> <a href="/techniques/T1590/002"> DNS </a> </td> <td> Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. 
DNS MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/003"> .003 </a> </td> <td> <a href="/techniques/T1590/003"> Network Trust Dependencies </a> </td> <td> Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/004"> .004 </a> </td> <td> <a href="/techniques/T1590/004"> Network Topology </a> </td> <td> Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/005"> .005 </a> </td> <td> <a href="/techniques/T1590/005"> IP Addresses </a> </td> <td> Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1590/006"> .006 </a> </td> <td> <a href="/techniques/T1590/006"> Network Security Appliances </a> </td> <td> Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1591"> T1591 </a> </td> <td> <a href="/techniques/T1591"> Gather Victim Org Information </a> </td> <td> Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1591/001"> .001 </a> </td> <td> <a href="/techniques/T1591/001"> Determine Physical Locations </a> </td> <td> Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1591/002"> .002 </a> </td> <td> <a href="/techniques/T1591/002"> Business Relationships </a> </td> <td> Adversaries may gather information about the victim's business relationships that can be used during targeting. 
Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1591/003"> .003 </a> </td> <td> <a href="/techniques/T1591/003"> Identify Business Tempo </a> </td> <td> Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1591/004"> .004 </a> </td> <td> <a href="/techniques/T1591/004"> Identify Roles </a> </td> <td> Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1598"> T1598 </a> </td> <td> <a href="/techniques/T1598"> Phishing for Information </a> </td> <td> Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from <a href="/techniques/T1566">Phishing</a> in that the objective is gathering data from the victim rather than executing malicious code. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1598/001"> .001 </a> </td> <td> <a href="/techniques/T1598/001"> Spearphishing Service </a> </td> <td> Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/techniques/T1585">Establish Accounts</a> or <a href="/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1598/002"> .002 </a> </td> <td> <a href="/techniques/T1598/002"> Spearphishing Attachment </a> </td> <td> Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/techniques/T1585">Establish Accounts</a> or <a href="/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1598/003"> .003 </a> </td> <td> <a href="/techniques/T1598/003"> Spearphishing Link </a> </td> <td> Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. 
Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/techniques/T1585">Establish Accounts</a> or <a href="/techniques/T1586">Compromise Accounts</a>) and/or sending multiple, seemingly urgent messages. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1598/004"> .004 </a> </td> <td> <a href="/techniques/T1598/004"> Spearphishing Voice </a> </td> <td> Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: <a href="/techniques/T1656">Impersonation</a>) and/or creating a sense of urgency or alarm for the recipient. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1597"> T1597 </a> </td> <td> <a href="/techniques/T1597"> Search Closed Sources </a> </td> <td> Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1597/001"> .001 </a> </td> <td> <a href="/techniques/T1597/001"> Threat Intel Vendors </a> </td> <td> Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. 
Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1597/002"> .002 </a> </td> <td> <a href="/techniques/T1597/002"> Purchase Technical Data </a> </td> <td> Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1596"> T1596 </a> </td> <td> <a href="/techniques/T1596"> Search Open Technical Databases </a> </td> <td> Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1596/001"> .001 </a> </td> <td> <a href="/techniques/T1596/001"> DNS/Passive DNS </a> </td> <td> Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. 
</td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1596/002"> .002 </a> </td> <td> <a href="/techniques/T1596/002"> WHOIS </a> </td> <td> Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1596/003"> .003 </a> </td> <td> <a href="/techniques/T1596/003"> Digital Certificates </a> </td> <td> Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1596/004"> .004 </a> </td> <td> <a href="/techniques/T1596/004"> CDNs </a> </td> <td> Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1596/005"> .005 </a> </td> <td> <a href="/techniques/T1596/005"> Scan Databases </a> </td> <td> Adversaries may search within public scan databases for information about victims that can be used during targeting. 
Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1593"> T1593 </a> </td> <td> <a href="/techniques/T1593"> Search Open Websites/Domains </a> </td> <td> Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1593/001"> .001 </a> </td> <td> <a href="/techniques/T1593/001"> Social Media </a> </td> <td> Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1593/002"> .002 </a> </td> <td> <a href="/techniques/T1593/002"> Search Engines </a> </td> <td> Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes). </td> </tr> <tr class="sub technique"> <td></td> <td> <a href="/techniques/T1593/003"> .003 </a> </td> <td> <a href="/techniques/T1593/003"> Code Repositories </a> </td> <td> Adversaries may search public code repositories for information about victims that can be used during targeting. 
Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. </td> </tr> <tr class="technique"> <td colspan="2"> <a href="/techniques/T1594"> T1594 </a> </td> <td> <a href="/techniques/T1594"> Search Victim-Owned Websites </a> </td> <td> Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: <a href="/techniques/T1589/002">Email Addresses</a>). These sites may also have details highlighting business operations and relationships. </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>