Currently viewing ATT&CK v18.1, which is the current version of ATT&CK.

Search Threat Vendor Data

Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations.

Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week.[1] Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation.[2]

This technique is distinct from Threat Intel Vendors in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information.

ID: T1681
Sub-techniques:  No sub-techniques
Platforms: PRE
Version: 1.0
Created: 26 September 2025
Last Modified: 24 October 2025

Procedure Examples

ID: G1052
Name: Contagious Interview
Description: Contagious Interview has registered accounts with Threat Intelligence vendor services to check for reporting associated with their infrastructure and to evaluate new potential infrastructure.[2]

ID: G1048
Name: UNC3886
Description: UNC3886 has replaced indicators mentioned in open-source threat intelligence publications at times under a week after their release.[1]

Mitigations

ID: M1056
Mitigation: Pre-compromise
Description: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on designing defenses that are not reliant on atomic indicators.
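
An added example (not part of the ATT&CK page and not MITRE's code): one way to gauge how much a detection program leans on atomic indicators is to measure how long published indicators stayed active in your own telemetry after the report date. The indicator values, dates, and function names below are constructed for illustration.

```python
from datetime import date

# Constructed sample data: the day a report published each indicator, and the
# days internal telemetry matched it. Addresses come from documentation ranges;
# the hash entry is a placeholder, not a real value.
PUBLISHED = {
    "198.51.100.7": date(2025, 3, 3),
    "c2.example.net": date(2025, 3, 3),
    "203.0.113.40": date(2025, 3, 3),
    "hash:PLACEHOLDER-A": date(2025, 3, 3),
}
SIGHTINGS = [
    ("198.51.100.7", date(2025, 2, 20)), ("198.51.100.7", date(2025, 3, 5)),
    ("c2.example.net", date(2025, 2, 25)), ("c2.example.net", date(2025, 3, 4)),
    ("203.0.113.40", date(2025, 2, 27)), ("203.0.113.40", date(2025, 3, 21)),
    ("hash:PLACEHOLDER-A", date(2025, 2, 28)),
]

def indicator_lifetimes(published, sightings):
    """Days each indicator stayed active after its publication date.

    0 means it was not seen again once the report was out; None means it was
    never seen at all, so nothing can be concluded about it.
    """
    result = {}
    for ioc, pub in published.items():
        seen = [day for name, day in sightings if name == ioc]
        if not seen:
            result[ioc] = None
            continue
        result[ioc] = max(0, (max(seen) - pub).days)
    return result

def rotated_share(lifetimes, window_days=7):
    """Fraction of observed indicators that went dark within window_days."""
    observed = [v for v in lifetimes.values() if v is not None]
    if not observed:
        return 0.0
    return sum(1 for v in observed if v < window_days) / len(observed)

if __name__ == "__main__":
    lifetimes = indicator_lifetimes(PUBLISHED, SIGHTINGS)
    for ioc, days in sorted(lifetimes.items()):
        print(f"{ioc:22} active {days} day(s) after publication")
    print(f"went dark within a week: {rotated_share(lifetimes):.0%}")
```

An indicator going dark can also reflect remediation or a gap in telemetry, so a high share is a prompt to check whether behavior-based detections kept firing over the same period.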

Detection Strategy

ID: DET0866
Name: Detection of Search Threat Vendor Data
Analytic ID: AN1998
Analytic Description: Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

References
