TA0043 · ATT&CK Tactic
Reconnaissance
Gather target information before any active engagement. Passive recon leaves zero footprint on the target's infrastructure — and the blue team has almost no visibility until you act on what you find.
T1596.002 DNS / Passive Recon
Query public DNS records and certificate transparency logs to enumerate subdomains and infrastructure without touching the target. Completely passive — leaves zero logs on the target's systems.
Detection Analysis — Blind Spot
{
  "technique": "T1596.002 Passive DNS",
  "logs_on_target": false,
  "detection_vector": "Certificate Transparency monitoring only",
  "siem_alert": "N/A — no log source",
  "recommendation": "Subscribe to crt.sh alerts for your domains",
  "downstream_risk": "Subsequent active scanning will be logged"
}
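Since the only detection vector for passive DNS and CT-log enumeration is monitoring the same public data the adversary reads, the practical control is a Certificate Transparency watch on your own domains. The following is an added illustration (not part of the original page or any of the tools it names) of that check: it consumes records shaped like crt.sh's JSON export (an assumed shape; only the fields used are relied on), drops entries already seen, and flags any certificate whose names are not in the asset inventory or whose issuer is not one of the CAs the organisation uses. The inventory, issuer list and the sample records are all constructed.

```python
import json
from typing import Dict, List, Set

# Constructed sample records mimicking crt.sh's JSON output (assumption about
# its shape). name_value may carry several SANs separated by newlines.
SAMPLE_CT_RECORDS = json.dumps([
    {"id": 1001, "entry_timestamp": "2024-03-01T10:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"id": 1002, "entry_timestamp": "2024-03-02T11:30:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com"},
    {"id": 1003, "entry_timestamp": "2024-03-03T08:15:00",
     "issuer_name": "C=US, O=Example Corp CA",
     "common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"id": 1004, "entry_timestamp": "2024-03-04T09:00:00",
     "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging-old.example.com", "name_value": "staging-old.example.com"},
    {"id": 1005, "entry_timestamp": "2024-03-05T12:45:00",
     "issuer_name": "C=XX, O=Some Other CA",
     "common_name": "www.example.com", "name_value": "www.example.com"},
])

# Constructed asset inventory and the CAs this (hypothetical) organisation uses.
KNOWN_ASSETS: Set[str] = {"example.com", "www.example.com", "vpn.example.com"}
TRUSTED_ISSUERS: Set[str] = {"Let's Encrypt", "Example Corp CA"}


def extract_names(record: Dict) -> Set[str]:
    """Collect every DNS name on the certificate, normalised to lowercase."""
    names = {n.strip().lower() for n in record.get("name_value", "").split("\n") if n.strip()}
    cn = record.get("common_name")
    if cn:
        names.add(cn.strip().lower())
    return names


def issuer_org(issuer_name: str) -> str:
    """Pull the O= component out of an issuer DN; fall back to the whole DN."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def in_scope(name: str, domain: str) -> bool:
    """True for the domain itself and any subdomain or wildcard beneath it."""
    return name == domain or name.endswith("." + domain)


def find_unknown_names(records_json: str, known_assets: Set[str], trusted_issuers: Set[str],
                       domain: str, seen_ids: Set[int]) -> List[Dict]:
    """Return one finding per (certificate, name) pair that needs a look.

    seen_ids is mutated so a repeated run over the same export reports nothing new,
    which is what a scheduled CT watch needs.
    """
    findings: List[Dict] = []
    for rec in json.loads(records_json):
        if rec["id"] in seen_ids:
            continue
        seen_ids.add(rec["id"])
        org = issuer_org(rec.get("issuer_name", ""))
        for name in sorted(extract_names(rec)):
            if not in_scope(name, domain):
                continue  # unrelated domain that happened to be in the export
            reasons = []
            if name not in known_assets:
                reasons.append("name not in asset inventory")
            if org not in trusted_issuers:
                reasons.append("unexpected issuer: " + org)
            if reasons:
                findings.append({"cert_id": rec["id"], "logged": rec.get("entry_timestamp"),
                                 "name": name, "issuer": org, "reasons": reasons})
    return findings


if __name__ == "__main__":
    state: Set[int] = set()
    for f in find_unknown_names(SAMPLE_CT_RECORDS, KNOWN_ASSETS, TRUSTED_ISSUERS, "example.com", state):
        print(f"[{f['logged']}] cert {f['cert_id']} {f['name']} ({f['issuer']}): {'; '.join(f['reasons'])}")
```

Two of the findings are worth reading closely: the wildcard `*.dev.example.com` shows that a single certificate can expose an entire environment that is absent from the inventory, and cert 1005 is a known hostname issued by a CA the organisation never used, which is the shape a rogue or mis-issued certificate takes in the log.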
T1589.002 Email Address Harvesting
Collect employee email addresses from LinkedIn, breach dumps, and search engine dorking. Email lists feed directly into phishing campaigns and password sprays — theHarvester aggregates multiple OSINT sources.
Detection Analysis — Low Signal
{
  "technique": "T1589.002 Email Harvesting",
  "direct_logs": false,
  "email_in_breach_db": true,
  "breach_monitor": "HaveIBeenPwned enterprise API",
  "linkedin_enumeration": "OSINT — no direct detection",
  "downstream_use": "Password spray (T1110.003) — high SIEM signal"
}