T1594 Search Victim-Owned Websites
Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: Email Addresses). These sites may also have details highlighting business operations and relationships.[1]
Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Technical Databases), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Trusted Relationship or Phishing).
Item | Value |
---|---|
ID | T1594 |
Sub-techniques | |
Tactics | TA0043 |
Platforms | PRE |
Version | 1.0 |
Created | 02 October 2020 |
Last Modified | 15 April 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1011 | EXOTIC LILY | EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[7] |
G0094 | Kimsuky | Kimsuky has searched for information on the target company’s website.[2] |
G0034 | Sandworm Team | Sandworm Team has conducted research against potential victim websites as part of its operational planning.[6] |
G0122 | Silent Librarian | Silent Librarian has searched victim’s websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.[3][4][5] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
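One way to work with the Application Log Content data component, as an added example that is not part of the ATT&CK entry: it flags clients that fetch many distinct pages of the organization's own site within a short window. The Combined Log Format input, the thresholds, the asset filter and the sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input: web server access log in Combined Log Format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Static assets are ignored so one ordinary page view is not counted as many pages.
ASSET = re.compile(r'\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)$', re.I)

# Constructed sample lines (documentation IP ranges, made-up paths).
PAGES = ["/", "/about", "/team", "/team/jane-doe", "/contact", "/locations"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [15/Apr/2021:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "-"'
    for s, p in enumerate(PAGES)
] + [
    '198.51.100.20 - - [15/Apr/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [15/Apr/2021:10:00:05 +0000] "GET /style.css HTTP/1.1" 200 90 "-" "-"',
    '198.51.100.20 - - [15/Apr/2021:10:04:00 +0000] "GET /about HTTP/1.1" 200 512 "-" "-"',
]

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0], int(status)

def crawl_like_clients(lines, window=timedelta(seconds=60), min_distinct=5):
    """Map each flagged client IP to its peak count of distinct pages per window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] < 400 and not ASSET.search(rec[2]):
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_distinct:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(crawl_like_clients(SAMPLE_LOG))
```

Legitimate search-engine crawlers will also match, so results need triage against known crawler ranges before they mean anything.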
References
[1] Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020.
[2] KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
[3] DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021.
[4] Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
[5] Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
[6] Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
[7] Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.