DET0856: Detection of Search Open Websites/Domains
This detection strategy is about recognizing reconnaissance where an adversary uses publicly available websites and domains to learn about a target before...
Analyst context for executives and security teams
This detection strategy is about recognizing reconnaissance where an adversary uses publicly available websites and domains to learn about a target before attempting access. The business issue is that much of this activity happens outside owned infrastructure, so the practical value is not just alerting on an attacker search, but understanding what sensitive operational, identity, hiring, contract, or domain information is publicly exposed and could support targeting.
Executive priority
Treat this as an exposure-management and preparedness question: what could an outsider learn about the organization without touching internal systems? Leaders should ensure public-facing information, domain/web presence, social media, job postings, news, and contract-related material are reviewed as part of security governance, incident readiness, and audit evidence for risk reduction.
Technical view
DET0856 detects ATT&CK technique T1593, Search Open Websites/Domains, under reconnaissance with platform context PRE. Because no official detection logic is supplied, SOC and threat intelligence teams should validate whether they can monitor exposed public information and correlate suspicious interest in owned web properties or domains. Detection should focus on visibility gaps and exposure context rather than assuming direct observation of adversary searches.
Likely telemetry
- Public web and domain inventory records for owned assets
- Search engine indexing and cached-content visibility for owned websites/domains
- Web analytics and access logs for public sites, where available
- Brand, domain, and public content monitoring results
- Public social media, news, hiring, and contract-related postings relevant to the organization
Detection direction
- Validate what public information about the organization is discoverable and whether it supports targeting, credential discovery, impersonation, or operational profiling.
- Tune monitoring around changes to public web/domain content and newly indexed sensitive material rather than treating every search or visit as malicious.
- Account for high false-positive context: customers, applicants, researchers, journalists, partners, and search engines may interact with the same public information.
- Correlate public reconnaissance indicators with later suspicious identity, phishing, domain, or web activity when local telemetry supports it.
- Document blind spots where reconnaissance occurs entirely on third-party sites and cannot be directly observed by the organization.
Mitigation priorities
- Establish governance for reviewing externally published information before and after release.
- Maintain an accurate inventory of public websites, domains, and business-facing pages.
- Reduce unnecessary exposure in hiring, news, social media, and contract-related content where it could aid targeting.
- Review indexed and cached public content for sensitive operational or identity clues.
- Integrate public exposure findings into incident response, threat intelligence, and risk reporting workflows.
Analyst notes and limits
The supplied ATT&CK object has a name, external reference, and relationship to T1593, but no official description or detection text. The strongest defensive use is to frame this as reconnaissance exposure validation and monitoring of publicly available organizational information.
Platforms and tactics are not specified on the detection strategy itself; the related technique provides reconnaissance and PRE context. Specific detections, thresholds, data sources, and control effectiveness must be validated in the local environment.
Detection of Search Open Websites/Domains
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1593 | Search Open Websites/Domains | This object detects Search Open Websites/Domains. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | b72ebe6b7c48… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0856Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.