Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex:Email Addresses). These sites may also have details highlighting business operations and relationships.[1]
Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex:Phishing for Information orSearch Open Technical Databases), establishing operational resources (ex:Establish Accounts orCompromise Accounts), and/or initial access (ex:Trusted Relationship orPhishing).
In addition to manually browsing the website, adversaries may attempt to identify hidden directories or files that could contain additional sensitive information or vulnerable functionality. They may do this through automated activities such asWordlist Scanning, as well as by leveraging files such as sitemap.xml and robots.txt.[2][3]
| ID | Name | Description |
|---|---|---|
| C0040 | APT41 DUST | APT41 DUST involved access of external victim websites for target development.[4] |
| C0029 | Cutting Edge | DuringCutting Edge, threat actors peformed reconnaissance of victims' internal websites via proxied connections.[5] |
| G1011 | EXOTIC LILY | EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.[6] |
| G0094 | Kimsuky | Kimsuky has searched for information on the target company's website.[7] |
| C0049 | Leviathan Australian Intrusions | Leviathan enumerated compromised web application resources to identify additional endpoints and resources linkd to the website for follow-on access duringLeviathan Australian Intrusions.[8] |
| G0034 | Sandworm Team | Sandworm Team has conducted research against potential victim websites as part of its operational planning.[9] |
| G0122 | Silent Librarian | Silent Librarian has searched victim's websites to identify the interests and academic areas of targeted individuals and to scrape source code, branding, and organizational contact information for phishing pages.[10][11][12] |
| G1038 | TA578 | TA578 has filled out contact forms on victims' websites to direct them to adversary-controlled URLs.[13] |
| G1017 | Volt Typhoon | Volt Typhoon has conducted pre-compromise reconnaissance on victim-owned sites.[14] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0810 | Detection of Search Victim-Owned Websites | AN1942 | Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. |