MITRE ATT&CK® Technique

T1597.002: Purchase Technical Data

Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.

Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.[1] Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).

Domain: Enterprise. ID: T1597.002. Type: Sub-technique. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Purchase Technical Data matters because attackers can buy information that shortens the path from target selection to intrusion planning. Even before touching your systems, an adversary may obtain employee contacts, exposed credentials, or infrastructure details from paid databases, data aggregation services, or criminal markets. For leaders, the issue is not only “dark web monitoring”; it is whether the organization understands what technical data about it is commercially or illicitly available and how that data could enable phishing, external remote service access, or valid account abuse.

Executive priority

Treat this as a pre-compromise risk-management issue. Ask whether security, identity, vulnerability management, and incident response teams have evidence of what credentials, employee data, and infrastructure details are exposed outside the enterprise boundary. Prioritize controls that reduce useful external information, validate exposed services and accounts, and produce audit-ready evidence that reconnaissance and pre-compromise exposure are being monitored. The ATT&CK relationship to LAPSUS$ indicates this behavior is associated with at least one named threat group, but it should be handled as a general reconnaissance risk rather than an attribution conclusion.

Technical view

This is an enterprise ATT&CK reconnaissance sub-technique on the PRE platform under Search Closed Sources. Because MITRE provides no official detection text, SOC and detection engineering should validate coverage through external exposure intelligence rather than endpoint-only telemetry. Focus analysis on purchased or aggregated data types referenced by ATT&CK: employee contact information, credentials, and victim infrastructure specifics. Use the relationship to DET0880 as a detection-strategy pointer, and connect findings to likely follow-on risks named in the ATT&CK description, including phishing for information, open-source domain searching, capability development or acquisition, external remote services, and valid accounts.

Likely telemetry

  • External attack surface and internet-exposure inventory data
  • Credential exposure and breached-credential monitoring results
  • Dark web or cybercrime marketplace intelligence where legally and contractually available
  • Commercial technical/threat intelligence or scan-database feeds used by defenders
  • Employee contact and domain exposure monitoring

Detection direction

  • Do not rely on internal host telemetry alone; this behavior often occurs before interaction with the victim environment.
  • Validate that DET0880 or equivalent processes identify purchased, aggregated, or leaked technical data relevant to the organization.
  • Correlate exposed credentials or employee contact data with identity telemetry, especially failed logins, anomalous authentication, and use of external remote services.
  • Tune findings to separate generic internet exposure from organization-specific, actionable technical data that could support targeting.
  • Use relationship context to watch for follow-on behaviors named by ATT&CK, especially phishing for information, external remote services, and valid accounts.
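
As an added illustration of the correlation step above (example code written for this page, not part of the ATT&CK object or any vendor tooling), the script below joins constructed breached-credential findings with constructed identity log lines and raises the severity when a success on an externally reachable service follows failures from the same source against an exposed account. The key=value log format, the service names treated as external entry points, and the 30-day window are assumptions.

```python
"""Correlate credential-exposure findings from external sources with
authentication telemetry. Added example with constructed data; the feed
format, log format and service names are assumptions, not any vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these service names identify externally reachable entry points
# (ATT&CK External Remote Services) in the authentication log.
EXTERNAL_SERVICES = {"vpn", "owa", "citrix"}

# Constructed findings from a breached-credential / dark-web monitoring feed:
# which corporate accounts appeared in purchased or leaked data, and when.
EXPOSURE_FINDINGS = [
    {"account": "j.doe@example.com", "source": "paid-aggregator", "observed": "2024-03-01"},
    {"account": "m.lee@example.com", "source": "darkweb-market", "observed": "2024-03-02"},
]

# Constructed identity-provider / remote-access log lines (key=value format).
AUTH_EVENTS = [
    "2024-03-03T08:01:10Z user=j.doe@example.com result=fail src=203.0.113.5 svc=vpn",
    "2024-03-03T08:01:25Z user=j.doe@example.com result=fail src=203.0.113.5 svc=vpn",
    "2024-03-03T08:01:40Z user=j.doe@example.com result=success src=203.0.113.5 svc=vpn",
    "2024-03-03T09:15:00Z user=a.kim@example.com result=success src=198.51.100.7 svc=sso",
    "2024-03-03T10:00:00Z user=m.lee@example.com result=fail src=192.0.2.9 svc=owa",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def correlate(findings, events, window=timedelta(days=30)):
    """Return one alert per exposed account that shows authentication
    activity within `window` after the exposure was observed."""
    exposed = {f["account"]: f for f in findings}
    by_user = defaultdict(list)
    for ev in map(parse_event, events):
        if ev["user"] in exposed:  # only accounts known to be exposed
            by_user[ev["user"]].append(ev)

    alerts = []
    for user in sorted(by_user):
        observed = datetime.strptime(exposed[user]["observed"], "%Y-%m-%d")
        recent = sorted(
            (e for e in by_user[user] if observed <= e["ts"] <= observed + window),
            key=lambda e: e["ts"],
        )
        if not recent:
            continue
        # A success on an external service from a source that already failed
        # on this account is the pattern of a purchased credential being tried.
        failed_from = {e["src"] for e in recent if e["result"] == "fail"}
        suspicious_success = any(
            e["result"] == "success"
            and e["src"] in failed_from
            and e["svc"] in EXTERNAL_SERVICES
            for e in recent
        )
        alerts.append({
            "account": user,
            "source": exposed[user]["source"],
            "severity": "high" if suspicious_success else "medium",
            "failures": sum(1 for e in recent if e["result"] == "fail"),
            "services": sorted({e["svc"] for e in recent}),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EXPOSURE_FINDINGS, AUTH_EVENTS):
        print(alert)
```

Accounts that appear in the feed but show no authentication activity produce no alert; that is deliberate, so the output stays limited to findings the identity team can act on, with the remaining exposures handled as password resets rather than investigations.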

Mitigation priorities

  • Apply M1056 Pre-compromise principles: reduce attack surface, limit useful externally available information, and identify adversarial preparation efforts early.
  • Maintain an accurate external-facing asset and service inventory so purchased scan or infrastructure data is less likely to reveal unmanaged exposure.
  • Prioritize remediation of exposed credentials and externally reachable services that could support valid account or external remote service access.
  • Coordinate identity, vulnerability management, and threat intelligence workflows so exposure findings become tracked remediation items, not isolated intelligence notes.
  • Use tabletop or incident response planning to define who acts when purchased or leaked technical data about the organization is found.
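
As an added illustration of the inventory comparison in the second mitigation above (example code written for this page, not any vendor's product), the script below triages constructed scan-feed records against a constructed inventory of owned address ranges, approved services and controlled domains. It separates approved exposure, unmanaged exposure inside owned address space, organization hostnames resolving to addresses outside owned space, and records that are not the organization's at all. The feed fields, the inventory shape and the remote-access port list are assumptions.

```python
"""Triage records from a purchased or aggregated internet-scan feed against
the organization's own external asset inventory. Added example with
constructed data; feed fields and inventory shape are assumptions."""
import ipaddress

# Constructed inventory: address ranges the organization owns, the (ip, port)
# services it intentionally exposes, and the DNS domains it controls.
OWNED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/26")]
APPROVED_SERVICES = {("203.0.113.10", 443), ("198.51.100.5", 22)}
OWNED_DOMAINS = {"example.com"}

# Assumption: ports that commonly front remote-access services; unmanaged hits
# on these are ordered first (ATT&CK External Remote Services follow-on risk).
REMOTE_ACCESS_PORTS = {22, 3389, 445, 5900}

# Constructed records in the shape a scan-database export might use.
SCAN_FEED = [
    {"ip": "203.0.113.10", "port": 443, "banner": "nginx", "host": "www.example.com"},
    {"ip": "203.0.113.42", "port": 3389, "banner": "Microsoft Terminal Services", "host": ""},
    {"ip": "198.51.100.5", "port": 22, "banner": "OpenSSH 9.6", "host": "bastion.example.com"},
    {"ip": "198.51.100.70", "port": 445, "banner": "SMB", "host": ""},
    {"ip": "192.0.2.8", "port": 8080, "banner": "Jenkins", "host": "ci.example.com"},
]


def _in_owned_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWNED_RANGES)


def _in_owned_domain(host):
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def classify(rec):
    """Map one feed record to a triage bucket."""
    if (rec["ip"], rec["port"]) in APPROVED_SERVICES:
        return "approved"
    if _in_owned_range(rec["ip"]):
        return "unmanaged"       # our address space, not in the inventory
    if _in_owned_domain(rec["host"]):
        return "hostname_only"   # our name on someone else's address (hosted / shadow IT)
    return "not_ours"            # generic internet noise; do not action


def triage(feed):
    """Bucket feed records; actionable buckets list remote-access ports first."""
    buckets = {"approved": [], "unmanaged": [], "hostname_only": [], "not_ours": []}
    for rec in feed:
        tagged = dict(rec, remote_access=rec["port"] in REMOTE_ACCESS_PORTS)
        buckets[classify(tagged)].append(tagged)
    for key in ("unmanaged", "hostname_only"):
        buckets[key].sort(key=lambda r: (not r["remote_access"], r["ip"]))
    return buckets


if __name__ == "__main__":
    for bucket, recs in triage(SCAN_FEED).items():
        print(bucket, [(r["ip"], r["port"]) for r in recs])
```

The "not_ours" bucket is the generic internet exposure the detection direction above says to filter out; only the "unmanaged" and "hostname_only" buckets become tracked remediation items, and the inventory itself is the control: a stale inventory pushes real assets into "not_ours" and hides them.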

Analyst notes and limits

The supplied ATT&CK object frames this as reconnaissance through closed or paid sources, including reputable commercial databases and less-reputable criminal marketplaces. The key defensive value is converting outside-the-boundary exposure into identity, vulnerability, and incident-response decisions. The LAPSUS$ relationship is useful for threat context but is not evidence that any specific organization is being targeted.

MITRE provides no official detection guidance for this object, and the PRE platform means much of the activity may occur outside owned logging environments. The mitigation relationship is high-level, and local data sources, legal constraints, provider coverage, and exposure-management maturity will determine practical visibility. No active exploitation, customer exposure, or guaranteed detection can be inferred from the supplied fields.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1597 | Search Closed Sources | This object is a sub-technique of Search Closed Sources.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1004: LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 946e327a0264dbb4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 946e327a0264…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. ZDNET. Retrieved October 20, 2020.
  [2] MITRE ATT&CK. T1597.002: Purchase Technical Data.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.