MITRE ATT&CK® Technique

T1593: Search Open Websites/Domains

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.[1][2][3]

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: External Remote Services or Phishing).

Enterprise · T1593 · Technique · Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Search Open Websites/Domains is pre-compromise reconnaissance: an adversary uses public information about an organization to make later targeting more believable or effective. The business issue is not the search itself, which usually happens outside your environment, but what your public footprint gives away: staff roles, business operations, indexed files, exposed technical clues, or public code repository content that can support phishing, account operations, or initial access planning.

Executive priority

Treat this as an exposure-management and readiness question rather than a traditional alerting problem. Leaders should ask whether the organization knows what information is publicly visible, who owns its cleanup, and whether audit evidence exists for recurring review. Priority is higher where public-facing operations, hiring, contracts, social media, or code repositories could reveal details useful for phishing, external remote service targeting, or follow-on reconnaissance.

Technical view

ATT&CK places T1593 in the reconnaissance tactic on the PRE platform, and no official ATT&CK detection text is provided. SOC and IR teams should therefore validate external visibility and downstream indicators rather than expect reliable internal detection of the search activity itself. Use the relationship context to scope reviews across the sub-techniques: Social Media, Search Engines, and Code Repositories. DET0856 is mapped as a detection strategy, while mitigations include Application Developer Guidance and Audit, so practical validation should focus on public content governance, secure development practices for avoiding sensitive data exposure, and repeatable auditing of what is indexed or published.

Likely telemetry

  • Public website and domain content inventories, including pages, documents, metadata, and business-operation disclosures
  • Search engine indexed results and cached or discoverable files relevant to the organization
  • Public social media and announcement content tied to staff, roles, locations, projects, hiring, contracts, or operations
  • Public code repository activity and repository contents where organizational code or references may appear
  • Audit records for reviews of public-facing content, web assets, and externally hosted repositories

Detection direction

  • Do not rely on endpoint or network telemetry alone; the adversary's search may occur entirely outside organizational infrastructure.
  • Validate whether DET0856-style coverage is based on monitoring public exposure and suspicious discovery patterns rather than guaranteed observation of adversary searches.
  • Tune reviews around the mapped sub-techniques: social media, search engine indexing, and public code repositories.
  • Look for sensitive or targeting-useful disclosures, not merely vulnerabilities: names, roles, technologies, business processes, contract details, repository secrets, and indexed files can all affect later attack paths.
  • Account for false positives and ownership ambiguity: public information is often intentionally published, so detection should distinguish approved communications from unnecessary operational or technical disclosure.

Mitigation priorities

  • Establish a recurring audit process for public websites, domains, social media content, search engine exposure, and public repositories.
  • Assign business owners for public-content review so risky disclosures can be corrected without blocking legitimate communications.
  • Apply application developer guidance and secure SDLC practices to reduce accidental exposure of sensitive details in applications, APIs, documentation, and repositories.
  • Review code repository governance, including what may be public and how sensitive material is prevented from being published.
  • Use exposure findings to prioritize hardening of related access paths such as external remote services and phishing-resistant identity controls where local risk supports it.
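One way to operationalize the recurring-audit and repository-governance priorities above is a pre-publish check that flags targeting-useful disclosures before content goes public. The following Python script is an added example, not Glexia or MITRE code; its disclosure patterns, sample files and approved-address list are constructed for illustration, and it separates intentionally published contact points from unnecessary technical disclosure, as the detection direction above recommends.

```python
# Pre-publish exposure audit for public web content and repositories (added
# example, not Glexia or MITRE code; disclosure classes, sample files and the
# approved list are constructed for illustration).
import re
from dataclasses import dataclass

# Disclosure classes a T1593-oriented public-footprint review should surface.
PATTERNS = {
    "credential": re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "internal_host": re.compile(r"\b[\w.-]+\.(?:internal|corp|local|lan)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "private_ip": re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str

def audit_content(files: dict[str, str], approved: frozenset[str]) -> list[Finding]:
    """Scan {path: text}. Values in `approved` (addresses or hostnames the
    organization publishes on purpose) are skipped; everything else is reported."""
    findings: list[Finding] = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, rx in PATTERNS.items():
                for match in rx.finditer(line):
                    value = match.group(0)
                    if value.lower() in approved:
                        continue  # approved communication, not a disclosure
                    findings.append(Finding(path, line_no, kind, value[:60]))
    return findings

# Constructed sample content standing in for a repository about to go public.
SAMPLE_FILES = {
    "docs/deploy.md": ("Deploy via https://ci.corp.internal with api_key=AKIA-PLACEHOLDER\n"
                       "Contact ops-team@example.com if the job fails.\n"),
    "careers/sre.html": "Apply at jobs@example.com. Stack: Kubernetes on 10.20.30.40.\n",
    "README.md": "Public project README with no sensitive details.\n",
}
APPROVED = frozenset({"jobs@example.com", "press@example.com"})

def run_sample_audit() -> list[Finding]:
    return audit_content(SAMPLE_FILES, APPROVED)
```

Run it as a pre-commit or CI gate on anything destined for a public repository or website, and route each finding to the content owner assigned under the priorities above.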

Analyst notes and limits

The relationship set shows this technique used by several ATT&CK groups, including Sandworm Team, APT-C-36, Mustang Panda, Volt Typhoon, Star Blizzard, and Contagious Interview. That supports the defensive relevance of the behavior, but it does not by itself establish current targeting or exposure for any specific organization. The strongest local evidence will come from the organization’s own public footprint and audit records.

MITRE provides no official detection text for this object, and the technique occurs in the PRE phase, so direct observation is often limited. This take is constrained to the supplied ATT&CK fields, references, and relationships; local asset inventories, public-content reviews, repository data, and threat model context are required to determine actual risk and control coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name               Relationship / procedure
Enterprise  T1593.001  Social Media       Sub-technique of this object
Enterprise  T1593.002  Search Engines     Sub-technique of this object
Enterprise  T1593.003  Code Repositories  Sub-technique of this object

Associated objects

Groups, software, and campaigns

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group Enterprise

G0099: APT-C-36

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group Enterprise

G1033: Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 8b0f30665d9ad096...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  8b0f30665d9a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.
  2. Borges, E. (2019, March 5). Exploring Google Hacking Techniques. SecurityTrails. Retrieved September 12, 2024.
  3. Offensive Security. (n.d.). Google Hacking Database. Exploit-DB. Retrieved October 23, 2020.
  4. MITRE ATT&CK. T1593: Search Open Websites/Domains. https://attack.mitre.org/techniques/T1593/

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.