T1681: Search Threat Vendor Data

The MITRE Corporation · Published 26/09/2025 17:42 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1681
Confidence: 100/100
Revoked: No
Published: 26/09/2025 17:42
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Platforms

PRE

Description

Threat actors may seek information/indicators from closed or open threat intelligence sources gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. These reports may include descriptions of behavior, detailed breakdowns of attacks, atomic indicators such as malware hashes or IP addresses, timelines of a group’s activity, and more. Adversaries may change their behavior when planning their future operations. Adversaries have been observed replacing atomic indicators mentioned in blog posts in under a week. (Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023) Adversaries have also been seen searching for their own domain names in threat vendor data and then taking them down, likely to avoid seizure or further investigation. (Citation: Sentinel One Contagious Interview ClickFix September 2025) This technique is distinct from [Threat Intel Vendors](https://attack.mitre.org/techniques/T1597/001) in that it describes threat actors performing reconnaissance on their own activity, not in search of victim information.

Kill chain phases

Kill chain: mitre-attack
Phase: reconnaissance

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references