Reconnaissance -Gather Victim Information
Table of contents
- What is Gather Victim Information
- Gather Victim Host Information
- Gather Victim Identity Information
- Gather Victim Network Information
- Gather Victim Org Information
Reconnaissance π
Goal: The attacker gathers information about the target.
Techniques: Open-source intelligence (OSINT), network scanning, and social engineering.
What is Gather Victim Information
Gather Victim Information refers to the process where adversaries collect details about a target victimβwhether an individual, organization, or infrastructureβbefore launching an attack. This information helps adversaries tailor their tactics for further reconnaissance, exploitation, or social engineering.
Gather Victim Host Information
Adversaries may collect victim host information such as device names, assigned IPs, functionality, operating system, and language settings to aid in targeting. This information can be obtained through Active Scanning, Phishing, or by embedding malicious content in compromised websites.
Additionally, adversaries may extract host details from public data sources like social media and victim-owned websites. The gathered information can support further reconnaissance (e.g., searching open websites or technical databases), resource development, or initial access (e.g., supply chain compromise, exploiting remote services).
Adversaries may also analyze User-Agent HTTP headers to identify the victim's operating system, application, and version, allowing them to selectively deploy malware to specific targets.
User-Agent HTTP headers
ex) Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.177 Safari/537.36
How Attackers Utilize the User-Agent Header
β
Detect Operating System (OS) β Deliver malware that executes only on a specific OS
β
Identify Browser Information β Deploy exploits targeting vulnerable browser versions
β
Differentiate Mobile/Desktop β Serve different phishing pages based on the user's device
β
Bypass Bot Detection β Evade security solutions by masquerading as legitimate bots (e.g., Googlebot)
Gather Victim Identity Information
Adversaries may collect victim identity information such as employee names, email addresses, security question answers, credentials, and MFA configurations to aid in targeting.
This information can be obtained through Phishing for Information, Active Scanning (e.g., probing authentication services for valid usernames or MFA methods), or by analyzing public data sources like social media and victim-owned websites.
The collected identity information can support further reconnaissance (e.g., phishing, searching open websites/domains), resource development (e.g., account compromise), or initial access (e.g., phishing or using valid credentials).
Identity Information such as account credentials, external organization email addresses, and names
Methods of Collection: Internet searches, sending phishing messages, purchasing information from the dark web/Telegram, and malware-infected web browsers
Exploitation of APIs such as Microsoft Office 365's Autodiscover and GetCredentialType
1οΈβ£ Exploiting the Autodiscover API
π What is the Autodiscover API?
The Autodiscover service is responsible for automatically configuring email settings in Microsoft Exchange and Office 365 environments.
It is used by Outlook, mobile email clients, and other applications to automatically retrieve account settings.
π Exploitation Techniques:
β Valid Email Account Enumeration
Attackers can send Autodiscover requests to determine whether an email account exists.
If a valid email is entered, Autodiscover returns a valid response, while non-existent accounts return an error.
This method enables attackers to collect a large number of valid email accounts without brute force attacks.
β Authentication Method Detection (Basic Authentication vs. Modern Authentication)
Some Autodiscover responses may contain information about whether the account uses Basic Authentication or Modern Authentication.
If Basic Authentication is enabled, the account becomes more vulnerable to Password Spraying attacks.
2οΈβ£ Exploiting the GetCredentialType API
π What is the GetCredentialType API?
The GetCredentialType API is used by Microsoft during login attempts to determine the authentication type associated with a user account.
Attackers can abuse this API to check the authentication methods (e.g., whether MFA is enabled) for a given account.
π Exploitation Techniques:
β Checking MFA (Multi-Factor Authentication) Status
Attackers can send GetCredentialType API requests to determine whether an account has MFA enabled.
If MFA is not enabled, the account becomes significantly more vulnerable to Password Spraying or Credential Stuffing attacks.
β Determining OAuth Token vs. Basic Authentication Usage
API responses may indicate whether the account uses OAuth tokens or Basic Authentication.
If Basic Authentication is enabled, brute-force attacks become much more effective.
Gather Victim Network Information
Adversaries collect network details such as IP ranges, domain names, topology, and operational data to aid in targeting. This information can be obtained through Active Scanning, Phishing for Information, or public data sources (e.g., open technical databases).
The gathered data can be used for further reconnaissance, infrastructure compromise, or gaining initial access via trusted relationships.
Sub-techniques
(1) Domain Properties
Target-owned domains, domain data (name, registrar), name servers, etc.
(2) DNS
Registered domain name servers, subdomains, mail servers, and other host records.
(3)Network Trust Dependencies
Managed service providers, other service contractors, and third-party connections.
(4)Network Topology
Physical and logical structure, network devices (gateways, routers, switches), and related information.
(5) IP Addresses
In-use IP addresses indicating organization size and physical location.
(6) Network Security Appliances
Firewalls, proxies, and intrusion detection systems.
π How Attackers Exploit Network Trust Dependencies
1οΈβ£ Lateral Movement via Trusted Networks
Attackers exploit trust relationships between servers within the internal network to escalate privileges and move laterally.
Example: Abusing Active Directory (AD) Trusts or accessing the network via VPN tunnels.
2οΈβ£ Third-Party and Cloud Service Compromise
Supply Chain Attacks can lead to the compromise of trusted third-party services, putting the organization's network at risk.
Example: Compromising a Managed Service Provider (MSP) or hijacking cloud accounts.
3οΈβ£ Security Device Bypass
Attackers may gain access to the internal network through trusted security devices such as firewalls, IDS, or IPS.
Example: Exploiting a VPN gateway without MFA for Initial Access.
4οΈβ£ Exploiting SSO and Authentication Systems
Attackers bypass OAuth and SAML-based Single Sign-On (SSO) to access multiple systems.
Example: Token Hijacking or Session Hijacking to gain unauthorized access.
π Mitigation Strategies
β Implement Zero Trust Security β Never trust any connection by default; enforce continuous authentication.
β Strengthen Third-Party and Cloud Access Controls β Apply Least Privilege principles to minimize access risks.
β Network Segmentation β Minimize trust between internal networks to prevent lateral movement.
β Enhance Logging & Monitoring β Detect anomalous changes in trust relationships within networks and authentication systems.
Gather Victim Org Information
Sub-techniques
(1) Determine Physical Locations
Location of infrastructure and resources, responsible departments, and jurisdiction.
π How Attackers Use It:
β
Social Engineering Attacks β Impersonating specific departments to gain trust and access
β
Physical Intrusion β Identifying server rooms, data centers, or key infrastructure for direct attacks (e.g., USB Drop Attack)
β
Jurisdiction-Based Evasion β Understanding legal jurisdiction to avoid specific security regulations
(2) Business Relationships
Organizational information of managed service providers and other service contractors.
π How Attackers Use It:
β
Supply Chain Attacks β Compromising MSPs (Managed Service Providers) or external contractors to bypass defenses
β
Partner Impersonation Attacks β Conducting spear phishing by posing as a trusted third party
β
Exploiting B2B Service Vulnerabilities β Identifying external services used by the organization (e.g., cloud hosting, email providers) to establish an attack pathway
(3) Identify Business Tempo
Operating hours/days, hardware and software resource purchase, delivery, installation, and update schedules.
π How Attackers Use It:
β
Timing Exploits β Attacking right before system maintenance and updates (e.g., exploiting zero-day vulnerabilities before patches are applied)
β
Targeting Off-Hours β Infiltrating during weekends or night shifts when IT security teams are less active
β
Supply Chain Manipulation β Injecting malware into hardware or software supply chains based on procurement schedules
(4) Identify Roles
Identities within the target organization and access privileges assigned to each identity.
π How Attackers Use It:
β
Targeting Specific Employees β Focusing attacks on IT administrators, financial officers, and executives for privilege escalation
β Internal Privilege Theft β Compromising high-ranking or technical users to gain access to internal systems
β SSO & MFA Bypass β Exploiting accounts that lack multi-factor authentication (MFA) to gain entry