MITRE ATT&CK® Technique

T1593.002: Search Engines

Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typically crawl online sites to index content and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).[1][2]

Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Valid Accounts or Phishing).

Domain: Enterprise. ID: T1593.002. Type: Sub-technique. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Search Engines (T1593.002) matters because adversaries can use ordinary public search results to find information that helps them target an organization before any intrusion occurs. The business issue is not the search engine itself; it is whether sensitive operational, network, credential, document, or organizational details are publicly indexed and easy to discover.

Executive priority

Treat this as a pre-compromise exposure-management issue. Leaders should ask whether the organization can prove what sensitive information is publicly searchable, who owns remediation, and how findings feed incident response, vulnerability prioritization, identity risk, and audit evidence. This is especially relevant because ATT&CK links the behavior to reconnaissance that may enable phishing, valid-account abuse, account compromise, or further open-source reconnaissance.

Technical view

This is a PRE-platform reconnaissance sub-technique under Search Open Websites/Domains. SOC, threat intelligence, and exposure-management teams should validate whether public search results reveal sensitive business, network, credential, or document information. Because MITRE provides no official detection text for this object, detection should be framed as external monitoring and validation rather than endpoint or network detection. The related ATT&CK detection strategy DET0811 places the behavior in scope for a detection strategy, but the local implementation details must be defined by the defender.

Likely telemetry

  • Publicly indexed web pages and documents associated with the organization’s domains
  • External attack surface and domain inventory results
  • Search result monitoring for organization names, domains, document types, and sensitive business terms
  • Public leak or credential exposure monitoring results
  • Web publishing, content management, and document repository audit records

Detection direction

  • Validate whether the organization routinely searches for publicly indexed sensitive information tied to owned domains, brands, subsidiaries, and exposed documents.
  • Prioritize findings that reveal credentials, network details, internal hostnames, sensitive files, or information that could support phishing or valid-account abuse.
  • Expect limited internal telemetry because the adversary activity occurs through third-party search engines before compromise.
  • Tune workflows to distinguish benign public information from material exposure requiring remediation or incident response review.
  • Use relationship context to connect findings to adjacent risks: phishing for information, search of open technical databases, establishing or compromising accounts, valid accounts, and phishing.

Mitigation priorities

  • Apply pre-compromise controls consistent with M1056 by reducing information that can help adversaries during reconnaissance.
  • Establish ownership for public content review before publication, especially documents and pages that may expose sensitive operational details.
  • Remove or restrict sensitive indexed content and preserve evidence for compliance and incident-response records.
  • Feed exposed credential or account-related findings into identity and access management workflows for validation and remediation.
  • Repeat external exposure reviews after major website changes, acquisitions, cloud migrations, or new public business initiatives.
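The detection-direction and mitigation bullets above describe one review loop: find what the organization has put on the public web, separate benign public information from material exposure, and route credential findings to identity and incident-response workflows. The Python script below is an added example, not Glexia's or MITRE's code, showing the defender-side half of that loop: a scanner run over the organization's own published (or about-to-be-published) documents that flags the kinds of detail T1593.002 reconnaissance looks for and assigns each document a disposition. The sample documents, the `corp.example` and `.internal` naming conventions, the role-mailbox list, and the disposition labels are all constructed assumptions for the example.

```python
"""Scan an organization's own published content for the details that
T1593.002 reconnaissance looks for, and triage each document.

Added example (not Glexia's or MITRE's code). Assumptions, all constructed
for the example: internal hosts end in ".corp.example" or ".internal",
role mailboxes such as info@/press@ are expected to be public, and the
sample documents below stand in for a crawl of the public web site or an
export from the document repository.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    doc: str       # document the finding came from
    kind: str      # category of exposure
    severity: str  # "high", "medium" or "low"
    detail: str    # matched text; secrets are redacted so the report is safe to circulate


# Assumed internal naming conventions (constructed for the example).
INTERNAL_HOST = re.compile(r"\b[a-z0-9][a-z0-9-]*\.(?:corp\.example|internal)\b", re.IGNORECASE)
# key: value / key=value pairs that look like credentials or API secrets
CREDENTIAL = re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*(\S+)", re.IGNORECASE)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Mailboxes meant to be public; listing them avoids flagging benign contact details.
PUBLIC_ROLE_MAILBOXES = {"info", "press", "support", "sales", "security", "abuse"}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def redact(value: str) -> str:
    """Keep a three-character prefix so a reviewer can locate the secret in the source."""
    return value[:3] + "..." if len(value) > 3 else "..."


def scan_document(doc: str, text: str) -> list[Finding]:
    """Return every exposure found in one document."""
    findings: list[Finding] = []
    if PRIVATE_KEY.search(text):
        findings.append(Finding(doc, "private_key", "high", "PEM private key block"))
    for m in CREDENTIAL.finditer(text):
        findings.append(Finding(doc, "credential", "high", f"{m.group(1).lower()}={redact(m.group(2))}"))
    for m in INTERNAL_HOST.finditer(text):
        findings.append(Finding(doc, "internal_hostname", "medium", m.group(0)))
    for m in IPV4.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
        if ip.is_private:  # RFC 1918 and similar ranges reveal internal addressing
            findings.append(Finding(doc, "private_ip", "medium", str(ip)))
    for m in EMAIL.finditer(text):
        local_part = m.group(0).split("@", 1)[0].lower()
        if local_part not in PUBLIC_ROLE_MAILBOXES:
            findings.append(Finding(doc, "staff_email", "low", m.group(0)))
    return findings


def disposition(findings: list[Finding]) -> str:
    """Map a document's findings to the remediation routes named in the text above."""
    if not findings:
        return "benign"
    worst = max(SEVERITY_RANK[f.severity] for f in findings)
    if worst == 3:
        return "incident_review"  # credentials or keys: identity workflow plus IR record
    if worst == 2:
        return "remediate"        # network detail: remove or restrict, preserve evidence
    return "monitor"              # staff contact details: phishing-risk awareness only


def scan_all(documents: dict[str, str]) -> dict[str, tuple[str, list[Finding]]]:
    """Scan a mapping of document name -> text; return disposition and findings per document."""
    results: dict[str, tuple[str, list[Finding]]] = {}
    for name, text in documents.items():
        found = scan_document(name, text)
        results[name] = (disposition(found), found)
    return results


# Constructed sample documents standing in for a crawl of the public web site.
SAMPLE_DOCUMENTS = {
    "press-release.txt": "Example Corp opens a new office in Lisbon. Media contact: press@example.com.",
    "status-page.txt": "The public API is reachable at api.example.com. Support: support@example.com.",
    "brochure.txt": "Contact our sales engineer, j.doe@example.com, for a demo.",
    "it-runbook.txt": "Restart the share on fileserver01.corp.example (10.20.30.41). "
                      "Backup admin password: Winter2024!",
}

if __name__ == "__main__":
    for name, (route, found) in scan_all(SAMPLE_DOCUMENTS).items():
        print(f"{name}: {route}")
        for f in found:
            print(f"  [{f.severity}] {f.kind}: {f.detail}")
```

In practice the input is the crawled content of the organization's own public sites or an export from the document repository, and the three dispositions map to the routes the bullets above already name: credentials to identity and incident-response review, network detail to removal or restriction with evidence preserved, and staff contact details to phishing-awareness monitoring rather than remediation.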

Analyst notes and limits

The supplied relationship context includes use by campaign C0040 APT41 DUST and group G0094 Kimsuky, so defenders can include this technique in threat-informed assessments. That relationship should not be interpreted as evidence that those actors are targeting a specific organization. The most useful defensive value is confirming what the public internet already reveals and whether remediation is governed.

MITRE does not provide official detection guidance for this object, and search activity occurs outside the defender’s environment. Local conclusions require organization-specific evidence from public search results, external exposure monitoring, content owners, and identity/security operations workflows.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1593 | Search Open Websites/Domains | This object is a sub-technique of Search Open Websites/Domains.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6fd265d0524e912a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 6fd265d0524e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Borges, E. (2019, March 5). Exploring Google Hacking Techniques. SecurityTrails. Retrieved September 12, 2024.
  2. [2] Offensive Security. (n.d.). Google Hacking Database. ExploitDB. Retrieved October 23, 2020.
  3. [3] MITRE ATT&CK. T1593.002: Search Engines (mirrored source object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.