DET0858: Detection of Scan Databases
Analyst context for executives and security teams
This detection strategy is meant to address reconnaissance in which an adversary uses public Internet scan databases to learn about a potential victim’s exposed assets, such as IPs, hostnames, ports, certificates, or banners. For leaders, the practical issue is exposure awareness: if defenders do not know what public scan data reveals about them, attackers may be able to plan targeting before any internal telemetry exists.
Executive priority
Prioritize this as an external exposure and readiness question rather than a traditional endpoint detection problem. Security leaders should ask whether the organization regularly reviews what public scan databases show about its Internet-facing footprint, whether that review informs vulnerability prioritization and incident preparation, and whether evidence can support audit or risk discussions about externally visible services.
Technical view
ATT&CK links DET0858 to T1596.005, Scan Databases, under reconnaissance with PRE platform context. Because the supplied ATT&CK object has no official detection text, no listed platforms, and no description, SOC and detection teams should treat it as a validation prompt: confirm whether external attack surface monitoring, certificate/hostname inventory, exposed service inventory, and vulnerability management workflows can identify when public scan data reveals unexpected or risky exposure. This behavior may not generate internal host logs because it can occur entirely through third-party public data sources.
Likely telemetry
- External attack surface inventory and change history
- Publicly visible DNS, hostname, IP address, port, service banner, and certificate data
- Vulnerability management records for Internet-facing assets
- Cloud and infrastructure asset inventories where they define public exposure
- SOC case notes or intelligence reports documenting externally visible exposure
Detection direction
- Validate whether defenders can compare public scan database findings against the approved Internet-facing asset inventory.
- Tune review processes to flag unknown hosts, unexpected open ports, sensitive service banners, stale certificates, or exposed services not tied to an owner.
- Account for the blind spot that adversary searches of public scan databases may not touch organizational infrastructure and therefore may not appear in internal network, endpoint, or identity logs.
- Use relationship context to focus detection engineering on reconnaissance-driven exposure discovery, not post-compromise activity.
Mitigation priorities
- Maintain an authoritative inventory of Internet-facing assets and owners.
- Continuously reconcile public exposure data with approved business services.
- Prioritize remediation of unexpected exposed services, risky banners, unnecessary ports, and unmanaged assets.
- Integrate exposure findings into vulnerability management, incident response preparation, and compliance evidence where applicable.
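The reconciliation loop described under Detection direction and Mitigation priorities (compare public scan-database findings against the approved Internet-facing inventory, then flag unknown hosts, unexpected ports, sensitive banners, stale certificates and services with no owner) can be expressed as a small script. The block below is an added example written for this page; it is not Glexia, MITRE or any scan-database vendor's code. The record layout, the inventory format, the sensitive-banner keyword list and the 30-day certificate warning threshold are assumptions chosen for illustration, and all sample records are constructed (RFC 5737 documentation addresses, example.com hostnames). Because the adversary's query never touches your infrastructure, the only signal available is the delta between what the public data shows and what you approved, which is what this computes.

```python
"""Reconcile public scan-database findings against an approved Internet-facing
asset inventory and emit flags for an analyst review queue.

Added example for this page, not Glexia or MITRE code. Record layout, inventory
format, banner keywords and the expiry threshold are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like a normalised export from a public
# scan database. Addresses are RFC 5737 documentation ranges; nothing is real.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "banner": "nginx",
     "cert_not_after": "2027-01-01T00:00:00Z", "hostname": "www.example.com"},
    {"ip": "192.0.2.10", "port": 22, "banner": "SSH-2.0-OpenSSH_9.6",
     "cert_not_after": None, "hostname": "www.example.com"},
    {"ip": "192.0.2.20", "port": 3389, "banner": "Microsoft Terminal Services",
     "cert_not_after": None, "hostname": None},
    {"ip": "198.51.100.5", "port": 443, "banner": "Apache",
     "cert_not_after": "2024-01-01T00:00:00Z", "hostname": "old.example.com"},
]

# Constructed approved inventory: ip -> owner and the ports approved for exposure.
# A None owner models an asset that is inventoried but not tied to anyone.
INVENTORY = {
    "192.0.2.10": {"owner": "web-platform", "approved_ports": {443}},
    "198.51.100.5": {"owner": None, "approved_ports": {443}},
}

# Assumed keyword list for services that should rarely be Internet-facing.
SENSITIVE_BANNER_KEYWORDS = (
    "terminal services", "ssh", "redis", "mongodb", "elasticsearch", "telnet",
)


def reconcile(records, inventory, now, cert_warn_days=30):
    """Return a list of (ip, port, reason) flags.

    `now` is passed in rather than read from the clock so the result is
    reproducible; in production pass datetime.now(timezone.utc).
    """
    flags = []
    for rec in records:
        ip, port = rec["ip"], rec["port"]
        asset = inventory.get(ip)
        if asset is None:
            # No baseline to compare against: the whole host is the finding.
            flags.append((ip, port, "unknown host: not in approved inventory"))
            continue
        if port not in asset["approved_ports"]:
            flags.append((ip, port, "unexpected open port"))
        if asset["owner"] is None:
            flags.append((ip, port, "exposed service has no owner"))
        banner = (rec.get("banner") or "").lower()
        if any(k in banner for k in SENSITIVE_BANNER_KEYWORDS):
            flags.append((ip, port, f"sensitive service banner: {rec['banner']}"))
        if rec.get("cert_not_after"):
            not_after = datetime.fromisoformat(
                rec["cert_not_after"].replace("Z", "+00:00"))
            if not_after < now:
                flags.append((ip, port, "certificate expired"))
            elif not_after - now < timedelta(days=cert_warn_days):
                flags.append((ip, port, "certificate expires soon"))
    return flags


def run_example():
    """Run the reconciliation over the constructed data with a fixed clock."""
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)
    return reconcile(SCAN_RECORDS, INVENTORY, now)


if __name__ == "__main__":
    for ip, port, reason in run_example():
        print(f"{ip}:{port}  {reason}")
```

On the constructed data the approved nginx service on 192.0.2.10:443 produces nothing, while the same host's SSH port is flagged twice (unapproved port, sensitive banner), 192.0.2.20 is an unknown host, and 198.51.100.5 is flagged for an expired certificate and a missing owner. Feeding the flags into the vulnerability management or SOC case workflow, rather than printing them, is the integration step the Mitigation priorities list describes.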
Analyst notes and limits
The supplied ATT&CK detection strategy is sparse: it provides the object identity and its relationship to T1596.005 but no official description, detection logic, tactics, or platforms for DET0858 itself. The related technique description supports external reconnaissance framing and the need to manage publicly visible asset data.
This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection. Local asset inventory quality, cloud configuration data, and external exposure monitoring determine how actionable this strategy is in a specific environment.
Detection of Scan Databases
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596.005 | Scan Databases (sub-technique) | This object detects Scan Databases. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a2c784a1bf8d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0858 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.