Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)
Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1596 | Search Open Technical Databases |
| value_chain.targeting.variety.Organizational Information | Information on an organization such as org chart, technologies in use, financial assets, etc, used to pick them as a target | related-to | T1596 | Search Open Technical Databases |
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1596.004 | CDNs | 2 |
| T1596.001 | DNS/Passive DNS | 2 |
| T1596.003 | Digital Certificates | 2 |
| T1596.005 | Scan Databases | 2 |
| T1596.002 | WHOIS | 2 |