MITRE ATT&CK® Detection Strategy

DET0860: Detection of Search Open Technical Databases


Enterprise | DET0860 | Detection Strategy | Object v1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0860 is a detection strategy for recognizing activity related to T1596, Search Open Technical Databases: adversaries researching public technical sources such as domain, certificate, passive DNS, or internet-scan data before targeting an organization. The business significance is that much of this reconnaissance happens outside the enterprise perimeter, so traditional SOC visibility may be weak. Leaders should treat this as an exposure-management and intelligence problem as much as a detection problem.

Executive priority

Prioritize this where public asset metadata, certificates, domains, and internet-facing services are material to business continuity or audit obligations. The key executive question is not “Can we detect every search?” but “Do we know what public technical databases reveal about us, and can we reduce or monitor that exposure before it informs targeting?” This supports vulnerability prioritization, incident scoping, compliance evidence for asset governance, and readiness for pre-incident reconnaissance findings.

Technical view

The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects T1596, a PRE-platform reconnaissance technique. SOC and detection teams should validate whether they have any visibility into organizational systems or accounts querying public technical databases, while recognizing that adversary searches from external infrastructure will usually not be directly observable. Defensive validation should focus on public-exposure intelligence: domain and certificate records, passive DNS, internet-scan artifacts, and other open technical sources that reveal infrastructure relationships.

Likely telemetry

  • Public asset inventory and external attack surface management findings
  • Domain registration, WHOIS, DNS, and passive DNS records for organization-owned assets
  • Certificate transparency and certificate lookup data for organization-related domains
  • Internet-facing service exposure and public scan/index observations
  • Proxy, DNS, or web access logs showing internal users or systems querying public technical databases, where collected

Detection direction

  • Treat this as limited-visibility reconnaissance detection: many searches occur entirely outside the defender’s logging boundary.
  • Validate whether monitoring covers the same categories of public technical data described by T1596: domains, certificates, passive DNS, and public network artifacts.
  • Tune internal query detections carefully because security teams, IT administrators, researchers, and vendors may legitimately use these databases.
  • Correlate discoveries of newly exposed domains, certificates, or services with change records to separate approved infrastructure from unmanaged or suspicious exposure.
  • Use this strategy to inform detection engineering requirements rather than claiming endpoint, cloud, or network coverage, since the object does not specify platforms or official analytics.

Mitigation priorities

  • Maintain an authoritative inventory of domains, certificates, DNS records, and internet-facing services.
  • Reduce unnecessary public technical metadata and retire stale or unmanaged assets where business requirements allow.
  • Govern certificate issuance, domain registration, and DNS changes through reviewable processes that produce audit evidence.
  • Use external exposure monitoring to identify what an adversary could learn from open technical databases.
  • Feed exposure findings into vulnerability management and incident response playbooks so public reconnaissance indicators can influence prioritization and scoping.
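The correlation and tuning steps above (matching externally observed domains, certificates and services against the authoritative inventory and its change records, and allowlisting the internal users who legitimately query public technical databases) as an added Python example. This is not code from the Glexia page or from MITRE ATT&CK; every hostname, change-record ID, database host and proxy log line in it is constructed sample data, and the helper names are hypothetical.

```python
"""Triage open-technical-database exposure findings against an asset inventory.

Added example, not from the Glexia page or MITRE ATT&CK. Every hostname,
change-record ID, database host and proxy log line here is constructed
sample data; the functions are hypothetical helpers, not a product API.
"""
from dataclasses import dataclass
from datetime import date

# Constructed authoritative inventory: hostname -> (lifecycle status, change record).
INVENTORY = {
    "www.example-corp.test": ("active", "CHG-1001"),
    "mail.example-corp.test": ("active", "CHG-1002"),
    "old-vpn.example-corp.test": ("retired", "CHG-0450"),
}
# Domains the organisation owns; anything under these is "ours".
ORG_SUFFIXES = ("example-corp.test",)


@dataclass(frozen=True)
class Finding:
    source: str   # "ct_log", "passive_dns" or "internet_scan"
    host: str
    observed: date


# Constructed observations of the kind an open technical database would expose.
FINDINGS = [
    Finding("ct_log", "www.example-corp.test", date(2026, 1, 5)),
    Finding("ct_log", "staging-api.example-corp.test", date(2026, 1, 7)),
    Finding("internet_scan", "old-vpn.example-corp.test", date(2026, 1, 8)),
    Finding("passive_dns", "cdn.unrelated.test", date(2026, 1, 8)),
]


def is_org_host(host, suffixes=ORG_SUFFIXES):
    """True only for the organisation's own namespace (exact or subdomain match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(finding, inventory=INVENTORY, suffixes=ORG_SUFFIXES):
    """Return approved / unmanaged / stale / out_of_scope for one finding."""
    host = finding.host.lower().rstrip(".")
    if not is_org_host(host, suffixes):
        return "out_of_scope"           # not our namespace; no action
    entry = inventory.get(host)
    if entry is None:
        return "unmanaged"              # publicly visible, but no owner or change record
    status, _change_id = entry
    if status == "retired":
        return "stale"                  # retired per inventory, yet still observable
    return "approved"


def triage(findings, inventory=INVENTORY, suffixes=ORG_SUFFIXES):
    """Bucket findings by classification; keys are the four labels above."""
    buckets = {}
    for f in findings:
        buckets.setdefault(classify(f, inventory, suffixes), []).append(f.host)
    return buckets


# --- Internal-query tuning -------------------------------------------------
# Constructed placeholders for public technical database hosts and the
# accounts approved to query them (EASM service account, security team).
TECH_DB_HOSTS = {"cert-search.example.net", "passive-dns.example.net"}
APPROVED_QUERIERS = {"svc-easm", "alice.secops"}

# Constructed proxy log lines: "<user> <destination host> <request path>".
PROXY_LOGS = [
    "svc-easm cert-search.example.net /?q=example-corp.test",
    "alice.secops passive-dns.example.net /lookup/example-corp.test",
    "bob.dev cert-search.example.net /?q=example-corp.test",
    "bob.dev www.example-corp.test /",
]


def flag_queries(lines, db_hosts=TECH_DB_HOSTS, approved=APPROVED_QUERIERS):
    """Return (user, host) pairs for non-allowlisted queries to technical databases."""
    hits = []
    for line in lines:
        user, dest, _path = line.split(maxsplit=2)
        if dest in db_hosts and user not in approved:
            hits.append((user, dest))
    return hits


if __name__ == "__main__":
    for label, hosts in triage(FINDINGS).items():
        print(f"{label}: {', '.join(hosts)}")
    print("unexpected queries:", flag_queries(PROXY_LOGS))
```

The inventory lookup is the point: a certificate or scan hit for a host the inventory does not know ("unmanaged") or has already retired ("stale") is the exposure signal worth routing into vulnerability management, while findings for approved hosts with a change record need no action. The query allowlist keeps the internal-log detection from paging on the EASM service account and the security team, which the text warns are routine users of these databases.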

Analyst notes and limits

This take is based on DET0860 and its relationship to T1596 Search Open Technical Databases. Because the detection strategy object lacks an official description, official detection logic, tactics, and platforms, recommendations are framed as validation and exposure-monitoring guidance rather than specific detections.

The supplied ATT&CK fields do not provide concrete analytics, data sources, platforms, or mitigation mappings. Local environment evidence is required to determine whether relevant public exposure monitoring, DNS/certificate governance, proxy/DNS logging, or threat intelligence coverage exists.

Official MITRE ATT&CK definition

Detection of Search Open Technical Databases

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1596 | Search Open Technical Databases | This object detects Search Open Technical Databases.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 55d80b575757e6a3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 55d80b575757…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0860 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.