DET0811: Detection of Search Engines
Analyst context for executives and security teams
DET0811 is a detection strategy for reconnaissance that uses public search engines to find information about a victim. Its business relevance is that the activity often happens before intrusion and outside enterprise-controlled infrastructure, so normal endpoint or network monitoring may not show it. The practical question is whether the organization knows what sensitive, indexed, or accidentally exposed information is visible through public search and can preserve enough evidence to support risk reduction and incident decisions.
Executive priority
Treat this as an external exposure and readiness issue, not a traditional malware alert. Leaders should ask whether public-facing content, documents, metadata, and indexed sites are reviewed as part of security governance, vulnerability management, and incident preparation. Priority should be based on what search-indexed information could enable targeting, social engineering, credential discovery, or attack planning, while recognizing that ATT&CK does not provide a specific detection method for this object.
Technical view
The relationship context maps DET0811 to T1593.002 Search Engines under reconnaissance on the PRE platform. SOC and detection teams should validate whether they have processes and evidence sources for identifying public search exposure, rather than expecting host telemetry to observe the adversary's search activity. Useful validation includes reviewing indexed public assets, search result visibility for sensitive file types or keywords, web server referrer/access evidence where available, and exposure-management findings tied back to asset ownership and remediation workflow.
Likely telemetry
- Public search engine results for organizational domains, brands, public IP ranges, and exposed web content
- External attack surface or exposure-management inventories showing indexed assets and public pages
- Web server, CDN, WAF, or reverse proxy logs that may show crawler activity or search-engine referrers
- Records of public documents, metadata, cached pages, and downloadable files hosted on organization-controlled sites
- Asset ownership, content publishing, and takedown/remediation records for exposed material
Detection direction
- Validate that monitoring covers public exposure, not only internal endpoint and network events, because this related technique occurs in the PRE reconnaissance phase.
- Tune reviews toward business-sensitive exposure: confidential documents, unintended public directories, metadata, credential-like material, technology fingerprints, and pages that reveal operational details.
- Separate normal search-engine crawling and legitimate public discoverability from risky exposure; the issue is usually what is indexed, not that a crawler accessed it.
- Correlate findings with asset ownership and remediation status so alerts become actionable for content owners, web teams, and risk owners.
- Use the relationship to T1593.002 as context for threat-informed exposure reviews; do not infer attribution or an active campaign from search visibility alone.
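As an added example that is not part of the mirrored ATT&CK object or the Glexia analysis, the following Python script applies the detection direction above to constructed web server access-log lines in combined log format: it separates search-engine crawler fetches (normal indexing) from human visits that arrived through a search-engine referrer, and reports which sensitive paths were reached that way, since a search referral to such a path is evidence the material is indexed and reachable. The crawler user-agent markers, referrer hosts and sensitive-path pattern are assumptions to be tuned against the organization's own assets.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Combined log format as written by Apache/nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Referrer hosts that mean a visitor arrived from a public search result (assumed list).
SEARCH_HOST_RE = re.compile(r'(?:^|\.)(google|bing|duckduckgo)\.[a-z.]+$')
# User-agent markers of the engines' own crawlers: indexing traffic, not exposure by itself.
CRAWLER_UA = ("Googlebot", "bingbot", "DuckDuckBot")
# Paths a content owner would not expect to be publicly indexed (assumed pattern).
SENSITIVE_RE = re.compile(r'\.(xlsx?|docx?|bak|sql|zip)$|/backup/|/internal/', re.I)

# Constructed sample lines for this example; not from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /docs/internal-budget.xlsx HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '66.249.66.1 - - [10/Jan/2026:10:00:05 +0000] "GET /docs/internal-budget.xlsx HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [10/Jan/2026:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://www.bing.com/search?q=example" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2026:10:02:00 +0000] "GET /backup/site.bak HTTP/1.1" 200 99999 "https://duckduckgo.com/" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jan/2026:10:03:00 +0000] "GET /docs/old-report.docx HTTP/1.1" 404 512 "https://www.bing.com/" "Mozilla/5.0"',
]

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def search_engine(referrer):
    """Return the engine name when the referrer host is a public search engine, else None."""
    m = SEARCH_HOST_RE.search(urlparse(referrer).hostname or "")
    return m.group(1) if m else None

def summarize(lines):
    """Count crawler fetches per path and collect sensitive paths that humans reached
    via a search-engine referrer. Only successful (200) responses count as exposure."""
    crawler_hits = defaultdict(int)
    exposed = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if not rec or rec["status"] != "200":
            continue
        if any(tag in rec["ua"] for tag in CRAWLER_UA):
            crawler_hits[rec["path"]] += 1  # benign indexing activity, kept for context
            continue
        engine = search_engine(rec["referrer"])
        if engine and SENSITIVE_RE.search(rec["path"]):
            exposed[rec["path"]].add(engine)  # indexed and reachable: route to content owner
    return {"crawler_hits": dict(crawler_hits),
            "exposed": {p: sorted(e) for p, e in exposed.items()}}
```

Paths listed under `exposed` are the ones to correlate with asset ownership and remediation status; crawler counts alone are not findings.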
Mitigation priorities
- Maintain an accurate inventory of public web properties and owners before attempting detection at scale.
- Review public content and indexed files for sensitive information and remove or restrict material that should not be public.
- Apply content governance, publishing review, and metadata handling for externally accessible documents and sites.
- Use exposure management and vulnerability management workflows to track search-indexed risks through remediation and evidence collection.
- Prepare incident response procedures for preserving public exposure evidence and coordinating removal, restriction, or takedown when needed.
Analyst notes and limits
This take is based on DET0811 and its relationship to T1593.002 Search Engines. The supplied ATT&CK object has no official description, no official detection text, and no platforms or tactics directly assigned to the detection strategy; the reconnaissance and PRE context comes from the related technique. Detection value is therefore strongest as an external exposure-management control validation rather than a conventional SOC rule.
ATT&CK does not provide a concrete analytic, data source list, platform list, or detection logic for DET0811 in the supplied fields. Local conclusions require organization-specific evidence about public assets, indexed content, logging retention, and content governance. Search visibility alone should not be treated as proof of adversary activity.
Detection of Search Engines
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1593.002 | Search Engines Sub-technique | This object detects Search Engines. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 478fa1551a02… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.