T1596.005: Scan Databases
Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.[1]
Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Exploit Public-Facing Application).
Analyst context for executives and security teams
Scan Databases is a reconnaissance behavior where adversaries use public Internet-scan services to learn what an organization exposes: IPs, hostnames, open ports, certificates, and server banners. The business issue is that attackers may not need to touch your network to build a target list; your externally visible footprint may already be indexed for them.
Executive priority
Treat this as an external attack-surface governance issue. Leaders should ask whether the organization knows what public scan databases reveal, whether exposed services map to approved business needs, and whether vulnerability prioritization considers Internet-visible systems first. This matters for resilience, audit evidence, cloud/identity exposure reviews, and incident readiness because reconnaissance findings can guide later initial access paths such as external remote services or public-facing application exploitation.
Technical view
This is a PRE-platform reconnaissance sub-technique under Search Open Technical Databases. MITRE provides no official detection text, but the object is associated with detection strategy DET0858 and mitigation M1056 Pre-compromise. SOC, detection engineering, and IR teams should validate whether they can reproduce an outside-in view of the organization using public scan database artifacts, then compare that view against authoritative asset inventories, cloud inventories, DNS records, certificates, and approved exposure lists. Priority findings include unknown hosts, unexpected open ports, revealing banners, stale certificates, and externally reachable remote access or public application services.
Likely telemetry
- External attack surface inventory and asset ownership records
- Public scan database observations for IPs, hostnames, open ports, certificates, and server banners
- Authoritative DNS, domain, and hostname inventory
- Certificate inventory for Internet-facing services
- Cloud and network inventory for public IP addresses and exposed services
Detection direction
- Do not assume direct visibility into an adversary querying third-party scan databases; focus on detecting and reducing what those databases expose.
- Validate DET0858-style coverage, if implemented, against current public scan results and internal asset inventories.
- Tune detections and reporting around mismatches: unknown Internet-facing hosts, unauthorized ports, unexpected banners, exposed remote services, and public applications without ownership.
- Use relationship context to prioritize findings that could support follow-on reconnaissance, operational resource development, external remote services, or public-facing application exploitation.
- Account for false positives from legitimate scanning, CDN/provider infrastructure, shared hosting, and intentionally public services by requiring ownership and business-approval context.
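The outside-in reconciliation described in the technical view and the detection direction above, as an added example that is not part of the original page or of MITRE's guidance: constructed scan-database observations (documentation-range addresses, invented hostnames and banners) are compared against a constructed approved-exposure list, and each mismatch becomes a finding with whatever ownership context is known, so unknown hosts, unauthorized ports, version-disclosing banners and expired certificates surface while provider/CDN space is recorded rather than alerted on. The field names, finding types and severities are this example's own choices, not a published schema.

```python
"""Reconcile public scan-database observations against an approved-exposure list.

All data below is constructed for this example; the addresses use documentation
ranges and describe no real organization.
"""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed observations, shaped like the per-(ip, port) records a public scan
# database publishes: hostname, service banner and TLS certificate expiry.
SCAN_OBSERVATIONS = [
    {"ip": "203.0.113.10", "port": 443, "hostname": "www.example.test",
     "banner": "", "cert_not_after": "2031-01-01T00:00:00Z"},
    {"ip": "203.0.113.10", "port": 22, "hostname": "www.example.test",
     "banner": "SSH-2.0-OpenSSH_8.9p1", "cert_not_after": None},
    {"ip": "203.0.113.25", "port": 443, "hostname": "vpn.example.test",
     "banner": "", "cert_not_after": "2021-06-30T00:00:00Z"},
    {"ip": "203.0.113.77", "port": 8080, "hostname": "",
     "banner": "Apache Tomcat/9.0.31", "cert_not_after": None},
    {"ip": "192.0.2.9", "port": 3389, "hostname": "legacy.example.test",
     "banner": "", "cert_not_after": None},
    {"ip": "198.51.100.5", "port": 443, "hostname": "cdn.provider.test",
     "banner": "", "cert_not_after": "2030-01-01T00:00:00Z"},
]

# Constructed authoritative inventory: public ranges the organization owns,
# the (ip, port) exposures approved with an owner and business purpose, and
# provider/CDN ranges it knowingly uses but does not administer.
OWNED_RANGES = [ip_network("203.0.113.0/24")]
THIRD_PARTY_RANGES = [ip_network("198.51.100.0/24")]
APPROVED_EXPOSURES = {
    ("203.0.113.10", 443): {"owner": "web-team", "purpose": "public website"},
    ("203.0.113.25", 443): {"owner": "netops", "purpose": "remote access VPN"},
}

# A banner carrying a dotted version string discloses more than it needs to.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")

# Fixed "current time" so the constructed certificate dates evaluate predictably.
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def host_owner(ip, approved):
    """Owner of any approved exposure on this IP, so an unapproved port on a
    known host is routed to the team that already owns the host."""
    for (approved_ip, _port), meta in approved.items():
        if approved_ip == ip:
            return meta["owner"]
    return None


def reconcile(observations, now, approved=APPROVED_EXPOSURES,
              owned=OWNED_RANGES, third_party=THIRD_PARTY_RANGES):
    """Return one finding per mismatch between what the scan database shows and
    what the inventory approves. Ownership is attached wherever it is known so
    intentionally public services can be triaged instead of re-alerted."""
    findings = []
    for obs in observations:
        ip, port = obs["ip"], obs["port"]
        addr = ip_address(ip)

        def add(kind, severity, owner=None):
            findings.append({"ip": ip, "port": port, "hostname": obs["hostname"],
                             "finding": kind, "severity": severity, "owner": owner})

        # Provider/CDN space: record it, but it is not ours to harden directly.
        if any(addr in net for net in third_party):
            add("third_party_range", "info")
            continue

        meta = approved.get((ip, port))
        if meta is None:
            owner = host_owner(ip, approved)
            if not any(addr in net for net in owned):
                # Associated with us (e.g. by hostname) but outside every range
                # the inventory knows: the inventory itself is incomplete.
                add("unattributed_address", "high")
            elif owner is None:
                add("unknown_host", "high")  # no approved service on this IP at all
            else:
                add("unauthorized_port", "high", owner)
        else:
            owner = meta["owner"]

        if VERSION_RE.search(obs["banner"] or ""):
            add("version_disclosing_banner", "low", owner)

        not_after = parse_ts(obs["cert_not_after"])
        if not_after is not None and not_after < now:
            add("expired_certificate", "medium", owner)
    return findings


def summarize(findings):
    """Count findings by type, the shape a report or dashboard would consume."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(SCAN_OBSERVATIONS, SAMPLE_NOW):
        print(f"{f['severity']:<6} {f['ip']}:{f['port']:<5} {f['finding']:<26} owner={f['owner']}")
```

In practice the observation list would be exported from whichever scan database the organization subscribes to and the approved-exposure list would come from the asset or CMDB system; the reconciliation logic does not change. Findings that carry an owner can be routed straight to that team, while owner-less findings are the ones that most need investigation because nobody has claimed the exposure.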
Mitigation priorities
- Implement pre-compromise controls focused on reducing externally discoverable attack surface.
- Maintain an authoritative inventory of Internet-facing assets across on-premises and cloud environments.
- Limit unnecessary information exposure in service banners, certificates, hostnames, and public service configurations where practical.
- Prioritize remediation of vulnerabilities and risky configurations on assets visible in public scan databases.
- Review externally exposed remote access and public applications for business justification, hardening, monitoring, and ownership.
Analyst notes and limits
Relationship context shows this technique is a sub-technique of T1596 Search Open Technical Databases, is mitigated by M1056 Pre-compromise, and is detected by DET0858. It is also associated in ATT&CK relationships with APT41 DUST, APT41, and Volt Typhoon; this supports threat-informed prioritization but should not be read as evidence of current targeting of any specific organization.
MITRE did not provide official detection guidance for this object. The supplied fields do not establish active exploitation, guaranteed detection coverage, or organization-specific exposure. Local validation requires comparing public scan observations with the organization’s actual asset, cloud, DNS, certificate, and vulnerability data.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596 | Search Open Technical Databases | This object is a sub-technique of Search Open Technical Databases. |
Groups, software, and campaigns
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail, and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G1017: Volt Typhoon
Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations, using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activity, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]
Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]
C0040: APT41 DUST
APT41 DUST was conducted by APT41 from 2023 to July 2024 against entities in Europe, Asia, and the Middle East. APT41 DUST targeted sectors such as shipping, logistics, and media for information gathering purposes. APT41 used previously-observed malware such as DUSTPAN as well as newly observed tools such as DUSTTRAP in APT41 DUST.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) for comparison. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fa6f004e543e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Shodan. (n.d.). Shodan. Retrieved October 20, 2020.
[2] MITRE ATT&CK. T1596.005 (mirrored source object record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.