MITRE ATT&CK® Technique

T1596: Search Open Technical Databases

Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.[1][2][3][4][5][6][7]

Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).

Enterprise | T1596 | Technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Search Open Technical Databases matters because much of an organization’s attack surface can be learned without touching its systems. Public DNS, WHOIS, certificate, CDN, and scan databases may reveal domains, IP ranges, hostnames, open services, certificates, and organizational details that help adversaries plan later reconnaissance, resource setup, or initial access attempts.

Executive priority

Treat this as a pre-compromise exposure management issue. Leaders should ask whether the organization knows what public technical databases reveal about it, who owns cleanup of stale or risky exposure, and whether audit or risk evidence can show a repeatable process for reducing externally discoverable information. This is especially relevant to prioritizing external remote service risk, trusted relationship visibility, and incident readiness before an intrusion occurs.

Technical view

ATT&CK lists this as an enterprise reconnaissance technique on the PRE platform, with no official detection text provided. SOC, threat intelligence, and attack surface teams should validate coverage through the related DET0860 detection strategy where available, but should not assume internal telemetry will show the behavior because the research occurs in open sources. Use the sub-technique context to structure reviews: DNS/passive DNS, WHOIS, digital certificates, CDNs, and public scan databases. Correlate findings with downstream risks explicitly referenced by ATT&CK, including phishing for information, open website/domain research, acquiring or compromising infrastructure, external remote services, and trusted relationships.

Likely telemetry

  • External attack surface inventory covering public IPs, domains, subdomains, hostnames, and exposed services
  • DNS and passive DNS records associated with the organization
  • WHOIS and registry data, including assigned IP blocks, contacts, and nameservers where available
  • Public digital certificate and SSL/TLS lookup data tied to organizational names, domains, and hosts
  • CDN configuration and content-hosting exposure visible through public lookup sources

Detection direction

  • Because official ATT&CK detection guidance is not provided, focus on validating a repeatable external exposure monitoring process rather than relying only on SIEM alerts.
  • Tune reviews around the five related sub-techniques: DNS/passive DNS, WHOIS, digital certificates, CDNs, and scan databases.
  • Prioritize findings that create a credible path to ATT&CK-referenced follow-on activity, such as exposed remote services, useful phishing targets, or third-party/trusted relationship clues.
  • Account for false positives and benign visibility: researchers, search engines, registries, certificate services, and scan platforms may observe or publish the same data without malicious intent.
  • Use relationship context carefully: ATT&CK lists APT28 and Kimsuky as groups that use this technique, but that does not by itself prove current targeting of any organization.

Mitigation priorities

  • Apply M1056 Pre-compromise principles: reduce the information and exploitable weaknesses adversaries can identify before an attack begins.
  • Maintain an owner-approved inventory of public domains, DNS records, certificates, CDN usage, and Internet-facing services.
  • Remove or correct stale, unnecessary, misleading, or overly revealing public technical records where business operations allow.
  • Prioritize remediation of externally visible services and artifacts that could support initial access or trusted-relationship abuse.
  • Review public exposure after infrastructure changes, certificate issuance, domain registration, CDN changes, and mergers or third-party onboarding.
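
The telemetry, detection and mitigation lists above describe one recurring job: reconcile an owner-approved inventory of domains, hosts and address blocks against what the five sub-technique sources (DNS/passive DNS, WHOIS, digital certificates, CDNs, scan databases) publicly show, then prioritise findings that give a credible path to ATT&CK-referenced follow-on activity such as External Remote Services. The script below is an added example written for this page; it is not Glexia's or MITRE's code. The inventory, the TEST-NET-3 address block, every hostname and every observed record are constructed sample data, and the flat record format (`source`, `name`, `ip`, `ports`, `sans`) is an assumption standing in for the export of whatever passive DNS, certificate transparency, WHOIS or scan-database tool a team actually uses.

```python
"""Reconcile an owner-approved external inventory against records observed in
public technical databases. Added example, not Glexia's or MITRE's code; the
inventory, address block and observed records are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports whose public exposure gives a credible path to External Remote Services.
REMOTE_SERVICE_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low
    kind: str       # machine-readable finding type
    name: str       # host, domain or IP the finding is about
    source: str     # which public database produced the record
    detail: str


@dataclass(frozen=True)
class Inventory:
    domains: frozenset   # owner-approved apex domains
    hosts: frozenset     # owner-approved fully qualified hostnames
    networks: tuple      # owner-approved public address blocks (ip_network)


def apex(name):
    """Last two labels of a hostname. A production tool would consult the
    public suffix list; two labels are enough for the constructed data here."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_name(inv, name, source, findings):
    """Flag a hostname from a public record that the inventory does not know."""
    name = name.lower().rstrip(".")
    if not name or name in inv.domains or name in inv.hosts:
        return
    if apex(name) in inv.domains:
        findings.add(Finding("low", "unknown_host", name, source,
                             "public record names a host missing from the approved inventory"))
    else:
        findings.add(Finding("medium", "unapproved_domain", name, source,
                             "name belongs to a domain that is not owner-approved"))


def reconcile(inv, records):
    """Compare observed public records with the approved inventory and return
    deduplicated findings sorted by severity, then name."""
    findings = set()
    for r in records:
        src = r["source"]
        name = r.get("name", "")
        check_name(inv, name, src, findings)
        for san in r.get("sans", ()):          # certificate subject alternative names
            check_name(inv, san, src, findings)
        ip = r.get("ip")
        if ip and not any(ip_address(ip) in net for net in inv.networks):
            findings.add(Finding("medium", "outside_approved_space", name or ip, src,
                                 f"{ip} is not inside an approved address block"))
        for port in r.get("ports", ()):        # ports reported by a scan database
            if port in REMOTE_SERVICE_PORTS:
                findings.add(Finding("high", "exposed_remote_service", name or ip, src,
                                     f"{REMOTE_SERVICE_PORTS[port]} ({port}/tcp) visible in public scan data"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.name, f.kind))


def summarize(findings):
    """Count findings per severity for an audit or risk report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory: one approved apex domain, three approved hosts, one block.
INVENTORY = Inventory(
    domains=frozenset({"example.com"}),
    hosts=frozenset({"www.example.com", "mail.example.com", "vpn.example.com"}),
    networks=(ip_network("203.0.113.0/24"),),   # constructed: TEST-NET-3
)

# Constructed sample of what the public sources might return for that domain.
OBSERVED = [
    {"source": "passive_dns", "name": "www.example.com", "ip": "203.0.113.10"},
    {"source": "passive_dns", "name": "old-staging.example.com", "ip": "198.51.100.7"},
    {"source": "cert_transparency", "name": "mail.example.com",
     "sans": ["mail.example.com", "webmail.example.com", "example-partner.net"]},
    {"source": "scan_db", "name": "vpn.example.com", "ip": "203.0.113.20", "ports": [443, 3389]},
    {"source": "whois", "name": "example.com"},
]

if __name__ == "__main__":
    results = reconcile(INVENTORY, OBSERVED)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:24} {f.name:26} ({f.source}): {f.detail}")
    print(summarize(results))
```

On the constructed data this yields one high finding (RDP on the VPN host in scan data), two medium (a certificate that also covers an unapproved domain, and a DNS name pointing outside the approved address space) and two low (hosts absent from the inventory). The severity mapping is deliberate: the high tier is reserved for exposure that ATT&CK explicitly links to follow-on initial access, which is what the "Detection direction" bullets ask teams to prioritise, while the low tier captures the stale or unowned records that the mitigation bullets say to clean up or formally approve.
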

Analyst notes and limits

This technique is valuable for defenders because it shifts attention left of the intrusion: the key question is not whether an alert fired, but whether the organization can see what adversaries can learn from public technical sources. The supplied relationships to sub-techniques provide the best organizing model for assessment and detection engineering.

The official ATT&CK object provides no detection text, and the mitigation relationship description is limited. Local conclusions require the organization’s actual public exposure data, asset ownership records, and any implemented DET0860-style monitoring. The listed group relationships show ATT&CK-documented use of the technique, not active exploitation or specific targeting.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name                 | Relationship / procedure
Enterprise | T1596.001 | DNS/Passive DNS      | Sub-technique of this object
Enterprise | T1596.002 | WHOIS                | Sub-technique of this object
Enterprise | T1596.003 | Digital Certificates | Sub-technique of this object
Enterprise | T1596.004 | CDNs                 | Sub-technique of this object
Enterprise | T1596.005 | Scan Databases       | Sub-technique of this object

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: b91e77a38674a30b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | b91e77a38674…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] WHOIS: NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024.
  [2] DNS Dumpster: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
  [3] Circl Passive DNS: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
  [4] Medium SSL Cert: Jain, M. (2019, September 16). Export & Download — SSL Certificate from Server (Site URL). Retrieved October 20, 2020.
  [5] SSLShopper Lookup: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020.
  [6] DigitalShadows CDN: Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020.
  [7] Shodan: Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
  [8] mitre-attack T1596.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.