M1056: Pre-compromise

Pre-compromise mitigation is about reducing what adversaries can learn, register, impersonate, or abuse before an intrusion begins. For leaders, its value is early risk reduction: public information hygiene, domain/DNS protection, external attack-surface monitoring, threat intelligence, email authentication, and awareness programs can make reconnaissance and resource development harder before the SOC is handling an incident.

Executive priority

Treat this as a resilience and readiness control family, not a single tool. It supports budget decisions around external attack-surface management, domain protection, email trust controls, threat intelligence, and employee awareness. The key business question is whether the organization can show evidence that exposed assets, leaked public information, spoofable domains, lookalike domains, and pre-attack infrastructure signals are being reviewed and acted on before they become incident drivers.

Technical view

ATT&CK provides no specific detection text for M1056, so validation should focus on whether preventive and monitoring processes exist for the related Resource Development behaviors. The relationship set emphasizes adversary acquisition or compromise of infrastructure, domains, DNS servers, VPS/server/serverless resources, botnets, web services, network devices, and social/email/cloud accounts. SOC, threat intel, and IR teams should confirm that external-facing assets, domain/DNS changes, brand/domain abuse, email authentication posture, exposed services, and relevant threat-intelligence indicators are visible, triaged, and linked to escalation playbooks.

Likely telemetry

Public web, job posting, social media, and other OSINT exposure review records
External attack-surface monitoring results from internet-facing asset discovery and scanning
External vulnerability scan findings and remediation status
DNS, registrar, WHOIS/privacy, DNSSEC, and domain-change records
Lookalike domain, domain hijacking, and brand-abuse monitoring alerts

Detection direction

Do not assume conventional endpoint or network detection will cover this mitigation area; much of the activity occurs before compromise and outside owned infrastructure.
Validate alerting and review workflows for newly exposed services, vulnerable internet-facing assets, suspicious domain registrations, DNS changes, and email authentication failures.
Tune external monitoring to reduce noise from benign internet scanning and legitimate business-created domains while preserving escalation paths for high-risk findings.
Use the relationship context to prioritize monitoring around domains, DNS, VPS/server/serverless infrastructure, web services, botnets, network devices, and social/email/cloud accounts used for targeting preparation.
Confirm that threat-intelligence findings are operationalized into SOC watchlists, blocking decisions, IR leads, or risk-acceptance records rather than remaining standalone reports.

Mitigation priorities

Start with information exposure reduction: regularly review and sanitize public websites, job postings, social media, and other externally visible data.
Protect domain and DNS infrastructure through DNSSEC where appropriate, WHOIS privacy, registrar governance, and monitoring for hijacking or lookalike domains.
Maintain external attack-surface discovery and vulnerability scanning for internet-facing assets, with ownership and remediation tracking.
Use threat intelligence to watch for adversary infrastructure, tools, and activity relevant to the organization’s exposed footprint and brand.
Strengthen content and email protections, including SPF, DKIM, and DMARC policies to reduce spoofing risk.

Analyst notes and limits

M1056 is a broad mitigation that maps to many Resource Development techniques, especially infrastructure and account preparation. Its decision value is in governance and evidence: who owns public exposure, who owns domains/DNS, who reviews external findings, and how pre-compromise intelligence becomes action.

The supplied ATT&CK object does not specify platforms, tactics for the mitigation itself, or official detection guidance. Local asset inventory, domain ownership, cloud usage, public exposure, and monitoring capabilities are required to assess actual coverage.

Official MITRE ATT&CK definition

Pre-compromise

Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

- Regularly audit and sanitize publicly available data, including job posts, websites, and social media. - Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

- Enable DNSSEC and use WHOIS privacy protection. - Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

- Use tools like Shodan, Censys to monitor your external attack surface. - Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast. - Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 80 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1595	Active Scanning	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1591	Gather Victim Org Information	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1585.003	Cloud Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1588.006	Vulnerabilities Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1588.007	Artificial Intelligence Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1588.004	Digital Certificates Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1583.002	DNS Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1583.004	Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1683.002	Audio-Visual Content Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
Enterprise	T1587.002	Code Signing Certificates Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1590.006	Network Security Appliances Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1590.003	Network Trust Dependencies Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1596.001	DNS/Passive DNS Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1587	Develop Capabilities	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1584.004	Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1589.001	Credentials Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1592.002	Software Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1588.002	Tool Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1584.001	Domains Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1595.003	Wordlist Scanning Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1683	Generate Content	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
Enterprise	T1584.007	Serverless Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1591.003	Identify Business Tempo Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1683.001	Written Content Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
Enterprise	T1588.003	Code Signing Certificates Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1589	Gather Victim Identity Information	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1596	Search Open Technical Databases	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1585	Establish Accounts	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1590.005	IP Addresses Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1586.001	Social Media Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1589.003	Employee Names Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1594	Search Victim-Owned Websites	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1682	Query Public AI Services	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
Enterprise	T1608.006	SEO Poisoning Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1587.003	Digital Certificates Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1597.001	Threat Intel Vendors Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1585.001	Social Media Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1589.002	Email Addresses Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1593.002	Search Engines Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1583.007	Serverless Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1587.001	Malware Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1608.001	Upload Malware Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1586.002	Email Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1590	Gather Victim Network Information	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1681	Search Threat Vendor Data	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
Enterprise	T1608.004	Drive-by Target Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1583.005	Botnet Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1596.004	CDNs Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1597	Search Closed Sources	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1591.001	Determine Physical Locations Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1583.006	Web Services Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1584.005	Botnet Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1595.001	Scanning IP Blocks Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1584.003	Virtual Private Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1597.002	Purchase Technical Data Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1592.004	Client Configurations Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1592	Gather Victim Host Information	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1585.002	Email Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1595.002	Vulnerability Scanning Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1583	Acquire Infrastructure	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1591.002	Business Relationships Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1592.001	Hardware Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1584.002	DNS Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1584.006	Web Services Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1590.004	Network Topology Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1586.003	Cloud Accounts Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1583.001	Domains Sub-technique	Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1590.001	Domain Properties Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1608.003	Install Digital Certificate Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1583.003	Virtual Private Server Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1587.004	Exploits Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1588.001	Malware Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1586	Compromise Accounts	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1588	Obtain Capabilities	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1596.003	Digital Certificates Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1592.003	Firmware Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1583.008	Malvertising Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should be focused on initial access activities, such as drive by compromise where ad blocking adblockers can help prevent malicious code from executing.
Enterprise	T1608.005	Link Target Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
Enterprise	T1596.002	WHOIS Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
Enterprise	T1588.005	Exploits Sub-technique	This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Oct 19, 2020, 14:57 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 1a6993b05ca655fc...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.1	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`1a6993b05ca6…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack M1056
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams