MITRE ATT&CK® Technique

T1681: Search Threat Vendor Data

Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations.

Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week.[1] Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation.[2]

This technique is distinct from Threat Intel Vendors in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information.

Enterprise | T1681 | Technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This technique matters because adversaries may read threat intelligence reporting about themselves and adjust before defenders can act. For leaders, the risk is not just that indicators become stale; it is that public or closed reporting can change attacker behavior, shorten the useful life of IOCs, and complicate incident response, takedown, and vulnerability-prioritization decisions.

Executive priority

Treat threat intelligence publication and consumption as an operational-risk issue. Ask whether the organization relies too heavily on atomic indicators such as hashes, IPs, or domains, and whether incident response plans account for adversaries changing infrastructure or behavior after reporting. This is especially relevant to pre-compromise readiness, disclosure planning, and evidence that security teams can move from published intelligence to durable detections quickly.

Technical view

T1681 is a PRE-platform reconnaissance technique. ATT&CK provides no official detection text, but a related detection strategy, DET0866, is identified. SOC, threat intelligence, and IR teams should validate whether they can recognize when exposed indicators are rapidly replaced, taken down, or otherwise changed after reporting. Detection engineering should prioritize behavior-based analytics and campaign context over simple IOC matching, while using vendor reporting timelines to understand when indicators may have become burned.

Likely telemetry

  • Threat intelligence platform access and search audit logs where available from providers
  • Records of published or shared indicators, reports, and disclosure timelines
  • DNS, domain registration, hosting, and infrastructure-change observations tied to known indicators
  • Internal IOC match history and alert timing before and after intelligence publication
  • Case-management notes linking intelligence ingestion to detection or response actions

Detection direction

  • Review DET0866 if available and map it to local threat intelligence workflows; ATT&CK does not provide detection details in the supplied object.
  • Measure how often IOC-only detections lose value after reports are published, and tune toward behaviors, infrastructure patterns, and campaign-level context.
  • Account for false positives: legitimate researchers, customers, vendors, and internal analysts may search threat intelligence data for the same terms.
  • Where using closed threat intelligence services, ask providers what audit logging, anomaly detection, and abuse-monitoring they support for suspicious searches.
  • During incidents, track whether adversary infrastructure or atomic indicators change shortly after reporting or coordinated disclosure.
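
The two items above about measuring how quickly IOC-only detections lose value and tracking indicator changes after reporting (and the telemetry list before them) can be turned into a repeatable check. The script below is an added example for this page, not Glexia's or MITRE's code; it assumes you can export, per indicator, the date it first appeared in vendor reporting and the dates it was sighted in your own telemetry (IOC match history, DNS or hosting observations). Every indicator value and date is constructed, the IPs come from RFC 5737 documentation ranges, the domains use the reserved .example TLD, and the 7-day window mirrors the "under a week" replacement rhythm the technique text describes.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class IndicatorRecord:
    """One published indicator and its sightings in local telemetry (constructed data)."""
    value: str
    kind: str                 # "domain", "ip" or "sha256"
    published: date           # first public appearance in vendor reporting
    sightings: List[date] = field(default_factory=list)


# Assumed window: indicators that go silent this soon after publication are
# treated as "burned"; tune to your own observed replacement cadence.
BURN_WINDOW = timedelta(days=7)


def classify(rec: IndicatorRecord, as_of: date, window: timedelta = BURN_WINDOW) -> str:
    """Label an indicator by what happened to it after it was published.

    too-early                 fewer than `window` days since publication, no verdict yet
    never-sighted             nothing in telemetry before or after publication
    quiet-before-publication  last sighting predates the report; no effect attributable
    burned-within-window      sighted on/after publication but silent within `window`
    still-active              sightings continue past publication + window
    """
    if as_of - rec.published < window:
        return "too-early"
    if not rec.sightings:
        return "never-sighted"
    last = max(rec.sightings)
    if last < rec.published:
        return "quiet-before-publication"
    if last - rec.published < window:
        return "burned-within-window"
    return "still-active"


def burn_report(records: List[IndicatorRecord], as_of: date,
                window: timedelta = BURN_WINDOW) -> Dict:
    """Summarise how many published indicators lost detection value within `window`.

    The burn rate only counts indicators that could be judged (burned or still
    active); too-early, never-sighted and quiet-before-publication are excluded
    so they do not inflate or mask the figure.
    """
    labels = {rec.value: classify(rec, as_of, window) for rec in records}
    counts: Dict[str, int] = {}
    for label in labels.values():
        counts[label] = counts.get(label, 0) + 1
    burned = [value for value, label in labels.items() if label == "burned-within-window"]
    judged = counts.get("burned-within-window", 0) + counts.get("still-active", 0)
    burn_rate = counts.get("burned-within-window", 0) / judged if judged else 0.0
    return {"labels": labels, "counts": counts, "burned": burned, "burn_rate": burn_rate}


# Constructed sample: a report published 2025-09-01 named several indicators;
# the sightings are what a SOC might pull from IOC match history afterwards.
SAMPLE_AS_OF = date(2025, 10, 1)
SAMPLE_RECORDS = [
    IndicatorRecord("c2-lure.example", "domain", date(2025, 9, 1),
                    [date(2025, 8, 20), date(2025, 8, 28), date(2025, 9, 2), date(2025, 9, 4)]),
    IndicatorRecord("203.0.113.45", "ip", date(2025, 9, 1),
                    [date(2025, 8, 25), date(2025, 9, 10), date(2025, 9, 20)]),
    IndicatorRecord("placeholder-sha256-constructed", "sha256", date(2025, 9, 5),
                    [date(2025, 8, 1)]),
    IndicatorRecord("198.51.100.7", "ip", date(2025, 9, 28),
                    [date(2025, 9, 29)]),
    IndicatorRecord("staging-update.example", "domain", date(2025, 9, 1), []),
]


if __name__ == "__main__":
    report = burn_report(SAMPLE_RECORDS, SAMPLE_AS_OF)
    for value, label in report["labels"].items():
        print(f"{value:32} {label}")
    print(f"burn rate among judged indicators: {report['burn_rate']:.0%}")
```

Run it periodically against a fresh export rather than once: the too-early bucket shrinks as time passes, and a rising burn rate for a given vendor or campaign is the signal that detections built on those atomic indicators need replacing with behavioural or infrastructure-pattern analytics.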

Mitigation priorities

  • Apply pre-compromise controls consistent with M1056: reduce exposed information that helps adversaries prepare, and strengthen the organization’s ability to identify adversarial preparation activity.
  • Avoid over-reliance on public atomic indicators; convert intelligence into resilient detections and response playbooks quickly.
  • Coordinate external reporting, takedown activity, and incident response so disclosure does not unintentionally outpace defensive action.
  • Maintain vulnerability and exposure-management processes that can act on intelligence before adversaries adapt.
  • Use intelligence-sharing governance to balance community defense value with operational security for active investigations.

Analyst notes and limits

The supplied relationships associate this technique with UNC3886 and Contagious Interview, and the official references describe adversaries replacing indicators or searching for their own domains in threat vendor data. This supports treating threat intelligence handling, IOC freshness, and provider auditability as key defensive questions.

ATT&CK lists no official detection text for this object, and the platform is PRE, meaning much of the activity may occur outside enterprise-controlled telemetry. Local visibility depends heavily on threat intelligence providers, disclosure processes, and the organization’s ability to correlate reporting timelines with infrastructure changes.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c55d8dba6549aee6...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  c55d8dba6549…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Google Cloud Threat Intelligence. Retrieved March 26, 2025.
  2. [2] Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. SentinelOne. Retrieved October 20, 2025.
  3. [3] mitre-attack T1681

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.