MITRE ATT&CK® Technique

T1596.002: WHOIS

Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.[1]

Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).

Enterprise | T1596.002 | Sub-technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

WHOIS reconnaissance matters because it turns normal public registration data into targeting intelligence. Domain ownership details, assigned IP blocks, contact information, and DNS nameservers can help an adversary decide where to scan next, who to contact, what infrastructure to prepare, or which remote access and trusted-relationship paths may be worth probing.

Executive priority

Treat this as a pre-compromise exposure-management issue, not just a SOC alerting problem. Leaders should ask whether public domain and Internet-resource records reveal unnecessary contacts, infrastructure patterns, or third-party relationships that could support later reconnaissance, phishing for information, infrastructure setup, or initial-access planning. The business value is in reducing avoidable public clues and preserving evidence that the organization reviews external exposure before incidents occur.

Technical view

T1596.002 is a PRE-platform reconnaissance sub-technique under Search Open Technical Databases. MITRE provides no official detection text, but the relationship to DET0832 indicates a detection strategy exists for WHOIS. SOC and detection teams should validate what can realistically be observed: the organization may not see third-party WHOIS lookups directly, so coverage often depends on monitoring public registration data, registrar/RIR change history where available, and correlating exposed WHOIS artifacts with later active scanning, phishing-for-information, infrastructure acquisition/compromise, external remote services, or trusted-relationship activity referenced by ATT&CK.

Likely telemetry

  • Public WHOIS records for organization-owned domains and assigned Internet resources
  • Registrar or RIR account records and change/audit history where available
  • Published domain contact fields, DNS nameservers, and assigned IP block information
  • External exposure inventory tying domains, nameservers, and IP ranges to business owners
  • Reconnaissance monitoring or threat-intelligence observations related to lookups of organization assets, where available

Detection direction

  • Do not assume direct visibility into adversary WHOIS queries; validate whether any registrar, RIR, or external monitoring source provides useful evidence.
  • Baseline the organization’s own WHOIS-exposed domains, IP blocks, contacts, and nameservers so unexpected or overly revealing records can be identified.
  • Correlate WHOIS-exposed assets with subsequent reconnaissance or initial-access signals, especially active scanning, phishing-for-information themes, external remote service probing, and trusted-relationship context.
  • Tune detections to avoid treating all WHOIS access as suspicious; WHOIS is public and commonly used for legitimate administration, research, and troubleshooting.
  • Use DET0832 as the ATT&CK-linked detection-strategy reference, but require local telemetry mapping before claiming coverage.

Mitigation priorities

  • Apply M1056 Pre-compromise controls by reducing unnecessary public information before adversaries use it for targeting.
  • Review WHOIS records for exposed personal contacts, infrastructure naming patterns, DNS nameserver details, and assigned IP block information that are not required for business or registration purposes.
  • Maintain ownership and change-control over public domain and Internet-resource records so exposure reviews can be repeated and evidenced for audit or incident readiness.
  • Use the WHOIS exposure review to prioritize hardening of related externally visible services and relationships that could be used after reconnaissance.
  • Include WHOIS and other open technical database exposure in routine attack-surface management and incident-response preparation.
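
The baseline-and-review steps above, as an added example that is not from MITRE or Glexia: a small Python script parses a constructed WHOIS record in the usual "Key: value" form, flags contact fields that are not role mailboxes (personal addresses or names that leak infrastructure roles), and reports nameserver or registrar drift against a recorded baseline. The record, the baseline and the role-mailbox set are all constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample WHOIS output (not a real registration) in the
# "Key: value" form returned by most registrar and RIR WHOIS servers.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar LLC
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
Name Server: NS3.THIRD-PARTY-DNS.TEST
Registrant Organization: Example Corp
Registrant Email: jane.doe@gmail.example
Admin Email: hostmaster@example-corp.test
Tech Email: vpn-admin@example-corp.test
"""

# Constructed baseline from the organization's last exposure review:
# the fields whose public values should not change without a ticket.
BASELINE: Dict[str, Set[str]] = {
    "Name Server": {"NS1.EXAMPLE-CORP.TEST", "NS2.EXAMPLE-CORP.TEST"},
    "Registrar": {"Example Registrar LLC"},
}

# Role mailboxes acceptable in public contact fields (assumption); any other
# local part is treated as a personal or infrastructure-revealing contact.
ROLE_MAILBOXES: Set[str] = {"hostmaster", "abuse", "domains", "dns-admin"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines; repeated keys (e.g. Name Server) accumulate."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1), []).append(m.group(2))
    return record


def review_exposure(record: Dict[str, List[str]], baseline: Dict[str, Set[str]],
                    role_mailboxes: Set[str]) -> List[str]:
    """Return human-readable findings: revealing contacts, then baseline drift."""
    findings: List[str] = []
    for key, values in record.items():          # 1. contact fields
        if key.lower().endswith("email"):
            for addr in values:
                if addr.split("@", 1)[0].lower() not in role_mailboxes:
                    findings.append(f"revealing contact in {key}: {addr}")
    for key, expected in baseline.items():      # 2. drift vs. baseline
        current = set(record.get(key, []))
        findings += [f"unexpected {key}: {v}" for v in sorted(current - expected)]
        findings += [f"missing {key}: {v}" for v in sorted(expected - current)]
    return findings
```

Run against the sample it reports the personal registrant address, the role-revealing `vpn-admin` mailbox, and the third-party nameserver that is absent from the baseline; a clean record against the same baseline produces no findings.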

Analyst notes and limits

This technique is most useful as an exposure and readiness lens. The practical question is not whether WHOIS exists, but whether the organization knows what it reveals and whether that information aligns with its external-attack-surface and incident-response assumptions.

MITRE does not provide official detection guidance for this object, and the supplied relationship context does not include DET0832 details. WHOIS lookups are public and often not directly observable by the target organization, so local registrar/RIR access, external monitoring, and asset-inventory evidence are required before asserting detection coverage.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID    | Name                           | Relationship / procedure
Enterprise | T1596 | Search Open Technical Databases | This object is a sub-technique of Search Open Technical Databases.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 16c3d95fe76721d6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 16c3d95fe767…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] WHOIS: NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024.
  2. [2] mitre-attack T1596.002 (MITRE ATT&CK source record).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.