The adversary is trying to gather information they can use to plan future operations.
Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim infrastructure and machine identities, such as private keys, code signing certificates and more.
This type of information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.
| ID | Name | Description |
|---|---|---|
| VT0006 | Active Scanning | Before compromising a victim, adversaries may execute active Reconnaissance scans to gather information that can be used during targeting. Active scans are those where adversaries probe victim infrastructure via network traffic. |
| .001 | Scanning IP Blocks | Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. |
| .002 | Vulnerability Scanning | Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check whether the configuration of a target host or application (e.g., software and version) is potentially vulnerable and can potentially be exploited by the adversary. |
Created: 26 November 2020
Last Modified: 20 December 2020