- Tactics
- Reconnaissance
- Platforms
- PRE
- Reference
- attack.mitre.org/techniques/T1681
Description
Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations.
Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation.(Citation: Sentinel One Contagious Interview ClickFix September 2025)
This technique is distinct from Threat Intel Vendors in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information.
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Reconnaissance tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1589 — Gather Victim Identity Information
- T1590 — Gather Victim Network Information
- T1591 — Gather Victim Org Information
- T1592 — Gather Victim Host Information
- T1593 — Search Open Websites/Domains
- T1594 — Search Victim-Owned Websites
- T1595 — Active Scanning
- T1596 — Search Open Technical Databases
- T1597 — Search Closed Sources
- T1598 — Phishing for Information
- T1682 — Query Public AI Services