What is search open technical databases (T1596)?

Search open technical databases (T1596) is a MITRE ATT&CK® reconnaissance technique in which adversaries query publicly accessible technical databases to gather detailed information about a target organization's internet-facing infrastructure without interacting with the target directly. Unlike active scanning (T1595) where the attacker probes infrastructure and generates detectable traffic, T1596 exploits the fact that third-party services continuously index the internet and make the results searchable to anyone.

The intelligence gathered through T1596 is operationally equivalent to conducting a comprehensive external network scan, but without generating any log entries on target systems, without exposing attacker IP addresses to target perimeter devices, and without triggering any IDS/IPS signatures. This is why T1596 is strategically preferred by advanced persistent threat actors who prioritize operational security.

T1596 in the ATT&CK chain: T1596 is part of Reconnaissance (TA0043). Intelligence gathered from open technical databases directly shapes initial access technique selection, particularly exploit public-facing application (T1190) where Shodan-identified unpatched services become exploitation targets. Log360 detects T1596 indirectly through the exploitation attempts and IPS events that follow when attackers act on intelligence gathered from open technical databases.

How attackers use open technical databases

Open technical database reconnaissance follows a structured workflow that produces a complete target profile without generating a single event in the target's security stack:

  1. Attack surface enumeration via Shodan/Censys: Adversaries begin by querying Shodan or Censys for the target organization's IP ranges, ASN, or domain name. These queries return a complete inventory of internet-facing services (every open port, every service banner, every TLS certificate, and every HTTP response header) without the attacker sending a single packet to the target. For organizations with large internet footprints, this can reveal dozens of exposed services that security teams may not be fully aware of.
  2. Vulnerability identification from catalogued service versions: Shodan and Censys capture service banner information including software version strings. Adversaries cross-reference identified service versions against the CVE database and public exploit repositories (Exploit-DB, GitHub PoC repositories) to instantly identify which exposed services are running vulnerable versions. This transforms raw infrastructure data into a prioritized exploitation target list without any active probing. Enriching these findings with threat intelligence further accelerates attacker prioritization.
  3. Subdomain enumeration via certificate transparency: Certificate transparency (CT) logs, publicly auditable records of all issued SSL/TLS certificates, are queried via services like crt.sh, Facebook CT, and Google Transparency Report. CT logs reveal every subdomain for which a certificate has ever been issued, including internal-use subdomains, staging environments, developer panels, and partner portals that may not appear in public DNS. These shadow subdomains are often inadequately hardened and represent attractive secondary targets.
  4. Historical infrastructure mapping via passive DNS: Passive DNS databases record historical DNS resolution data, allowing adversaries to see IP addresses that a domain previously resolved to. This reveals changes in hosting infrastructure, formerly external-facing services that were moved internal, and IP address blocks associated with the organization's historical infrastructure that may still be accessible. Passive DNS reconnaissance also identifies CDN and DDoS mitigation services in use, which can reveal the true origin IP behind services protected by Cloudflare or Akamai.
  5. Ownership and contact data via WHOIS: WHOIS queries against domain registration records and IP ARIN/RIPE/APNIC registries reveal registrant contact details, organization names, administrative contacts, and corporate email patterns. WHOIS data correlates with T1589 identity reconnaissance by confirming organizational identity and providing contact information for phishing attack pretexts.

Public databases used in T1596 reconnaissance

The following open technical databases provide adversaries with pre-built intelligence about internet-facing infrastructure:

  • Shodan: The most widely used internet device search engine. Continuously scans all internet-facing IPs, cataloguing open ports, service banners, TLS certificate data, and HTTP headers. Supports targeted organizational queries and vulnerability filter searches (e.g., all hosts vulnerable to Heartbleed in a specific IP range). Shodan Monitor provides real-time alerting when new services appear on tracked IP ranges, a capability adversaries use to identify newly exposed services before defenders notice.
  • Censys: Academic-origin internet scanning platform with more granular certificate and TLS configuration analysis than Shodan. Particularly useful for certificate enumeration, expired certificate identification, and weak cryptographic configuration discovery. Censys data feeds are used by cyber threat intelligence platforms and bug bounty hunters; the same data is equally accessible to adversaries.
  • crt.sh: Certificate transparency log database provided by Comodo/Sectigo. Supports wildcard domain searches that return every SSL/TLS certificate ever issued for a domain, including subdomains. Used to enumerate subdomains and identify internal certificate subjects that reveal infrastructure the organization did not intend to publicize.
  • VirusTotal / URLScan: Security analysis platforms that also serve as passive infrastructure reconnaissance sources: historical scans of organizational domains reveal subdomains, related infrastructure, and historically observed IP resolutions without active probing. URLScan's public scan records often capture internal redirect chains and API endpoints from externally visible website scanning.

Sub-techniques

MITRE ATT&CK documents five T1596 sub-techniques representing distinct open database categories:

  • T1596.001 — DNS/Passive DNS: Querying passive DNS databases to retrieve historical domain-to-IP mappings, revealing changes in hosting infrastructure, formerly public services, and IP ranges associated with the organization. Passive DNS data is particularly useful for identifying real origin IPs behind CDN services and historically exposed internal addresses.
  • T1596.002 — WHOIS: Querying WHOIS registries for domain registration records and IP ownership data. Returns organizational identity, administrative contacts, registration dates, name server configurations, and registrar details. WHOIS data correlates network infrastructure to organizational identity and provides contact details usable in social engineering operations.
  • T1596.003 — Digital Certificates: Querying certificate transparency logs to enumerate SSL/TLS certificates issued for target domains and subdomains. Reveals the full scope of the organization's certificate-protected infrastructure, including staging environments, developer portals, and internal services that appear in CT logs despite not being publicly linked.
  • T1596.004 — CDNs: Identifying content delivery network configurations to determine the real origin infrastructure behind CDN-protected services, understand caching and routing configurations, and map partner and vendor relationships visible in CDN configuration records. CDN reconnaissance can reveal organization-to-CDN IP mappings that bypass DDoS protection and content-based access controls.
  • T1596.005 — Scan Databases: Querying Shodan, Censys, and equivalent internet scan databases for pre-collected information about target IP ranges and services. This is the most operationally impactful sub-technique because it provides service-version intelligence enabling immediate CVE-to-target matching without requiring active scanning activity.

Detection approach

T1596 reconnaissance occurs entirely on third-party database platforms and generates zero events in the target organization's security monitoring stack at collection time. Detection requires monitoring the downstream consequences: the exploitation attempts, authentication probes, and targeted attacks that follow when adversaries act on their T1596-gathered intelligence. The following detection angles apply.

IPS event correlation for Shodan-catalogued service exploitation

When adversaries use T1596 Shodan reconnaissance to identify vulnerable services, the follow-on exploitation attempt against those services will generate IPS events on perimeter devices. Log360 collects and correlates IPS events from Cisco FTD, Fortinet FortiGate, and SonicWall, using rules like Cisco FTD Intrusion Event Detected, Generic Attacks Detection (Fortinet), and Fortinet Appliance Auth bypass to detect exploitation activity targeting specifically those service types that Shodan databases prominently catalogue: web applications, VPN endpoints, network appliances, and exposed admin interfaces.

CVE exploitation signature matching

T1596.005 reconnaissance against Shodan provides adversaries with specific service versions to exploit. When a new CVE is published for a catalogued service version, exploit attempts against targets running that version typically begin within hours to days. Log360's CVE-specific detection rules (for example, CVE-2023-22518 Exploitation Attempt - Confluence and Potential MOVEit Transfer CVE-2023-34362) detect these targeted exploitation attempts at the Windows endpoint or perimeter device level, capturing the operationalization of intelligence gathered from Shodan vulnerability cataloguing.

Certificate transparency-identified subdomain targeting

Subdomains enumerated through T1596.003 certificate transparency reconnaissance are commonly targeted for authentication attacks and web application exploitation. Log360's web server process anomaly rules (Suspicious Process By Web Server Process, Webshell Hacking Activity Patterns) detect exploitation of these secondary subdomains if they run Windows-based web services. For network-layer detection, perimeter device IPS events covering web application attacks provide coverage for CT log-identified subdomains accessible through the perimeter.

New service exposure monitoring

Shodan continuously re-scans internet-facing infrastructure and updates its catalogue. Organizations can reduce T1596 operational impact by monitoring their own profile in open databases, identifying newly exposed services as soon as they appear in Shodan or Censys catalogs, before adversaries discover them. While this is not a Log360 detection capability, it complements Log360's downstream event detection with proactive exposure management.

Detection coverage note: T1596 is a passive pre-intrusion technique that generates no target-side log events at collection time; there is nothing in your log infrastructure to detect Shodan queries against your network. Log360's detection value for T1596 comes entirely from downstream impact: IPS events from Cisco FTD, Fortinet, and SonicWall fire when exploitation attempts target the services T1596 reconnaissance identified, and CVE-specific endpoint rules detect exploitation of vulnerabilities catalogued in scan databases. Organizations should combine Log360's downstream detection with proactive external exposure monitoring (Shodan Monitor, Censys alerting) and threat hunting practices to close the gap between collection and exploitation. See the Log360 detection rules library for the complete CVE and IPS rule coverage.

Log360 detection capabilities

Log360 detects T1596 downstream exploitation activity through IPS event correlation, CVE-specific exploitation rules, and web application attack detection:

| Detection capability | Platform | What it detects |
| --- | --- | --- |
| Cisco FTD Intrusion Event Detected | Cisco FTD/FMC | Fires on IPS signature matches for CVE-specific probes and generic exploit traffic targeting perimeter services catalogued in Shodan and Censys. Primary detection layer for T1596-driven exploitation of internet-facing services. |
| Generic Attacks Detection | Fortinet FortiGate | Fortinet IPS signature matches for network and application-layer exploit attempts against perimeter services. Covers exploitation of services identified through T1596 open database reconnaissance on FortiGate-protected edges. |
| Fortinet Appliance Auth bypass | Fortinet | Detects auth bypass exploit attempts against Fortinet appliances. Shodan commonly surfaces exposed Fortinet management interfaces, making them frequent targets after T1596 reconnaissance. |
| CVE-2023-22518 Exploitation Attempt: Confluence | Windows | Detects exploitation attempts against Confluence servers vulnerable to CVE-2023-22518. Triggers when attackers act on T1596 intelligence identifying vulnerable Confluence versions catalogued in Shodan. |
| Potential MOVEit Transfer CVE-2023-34362 | Windows | Detects exploitation probes targeting the MOVEit Transfer SQL injection vulnerability. MOVEit instances were broadly catalogued in Shodan before mass exploitation; fires when identified instances are actively targeted. |
| Webshell Hacking Activity Patterns | Windows | Detects web server process anomalies indicating webshell deployment. CT log enumeration (T1596.003) surfaces under-hardened subdomains and staging servers; fires on post-exploitation activity against these identified targets. |
| Repeated SQL injection attempts | Miscellaneous | Detects high-volume SQL injection probe sequences against web applications. A common exploitation follow-on after T1596 identifies database-connected applications via Shodan or Censys. |
| SQL Injection Detection | Fortinet FortiGate | Fortinet WAF/IPS signature detection for SQL injection attempts. Provides network-layer coverage for web applications identified through open technical database reconnaissance and targeted for database access. |

Investigation steps

When Log360's IPS or CVE detection rules fire on events that may represent T1596-driven targeted exploitation, the investigation should establish whether the attacker had specific prior intelligence about the target service and assess the exploitation success:

  1. Determine if the targeted service is catalogued in open databases: As part of the threat investigation, query Shodan and Censys for the targeted service's IP and port to understand what pre-built intelligence an attacker would have had. If the service appears in Shodan with the exact version that the exploit targets, this confirms T1596 reconnaissance is the likely intelligence source. The attacker did not need to scan to know this service was exploitable.
  2. Characterize the attack specificity: Examine the IPS event signatures that fired. Generic port sweep signatures indicate opportunistic scanning (T1595). CVE-specific probe signatures, versioned exploit payloads, or application-specific attack patterns indicate targeted exploitation of a known vulnerable version, consistent with T1596 pre-reconnaissance that identified the specific version before the exploit attempt. Use anomaly detection baselines to distinguish targeted from opportunistic patterns.
  3. Check for pre-attack reconnaissance correlation: Review perimeter device logs for activity from the same source IP in the 24-48 hours preceding the exploit attempt. T1595 active scanning from the same source before exploitation indicates a combined reconnaissance-then-exploitation workflow. An exploit attempt with no preceding active scanning from the same source suggests T1596 passive database reconnaissance was used instead to avoid generating pre-attack detection events.
  4. Assess the blast radius of certificate transparency-identified targets: If the targeting involves subdomains identified through CT log enumeration (rather than primary production hosts), audit the security posture of all organization subdomains visible in CT logs. Staging environments, developer tools, and legacy subdomains found in CT logs are frequently running outdated software versions and may have weaker access controls than primary production infrastructure.
  5. Review for multi-service exploitation patterns: T1596 reconnaissance against Shodan produces a prioritized list of multiple exploitable services, not just one target. After detecting exploitation of one service, review IPS logs for concurrent or recent exploitation attempts against other perimeter services; a multi-service exploitation sequence indicates a deliberate attack campaign using a complete T1596-derived target list rather than opportunistic single-service probing. Subsequent stages often involve lateral movement once initial access is achieved.
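Investigation steps 3 and 5 above can be automated over exported IPS events. The following is an added example (not Log360 code or a Log360 rule) that, for each source IP with exploit-category events, checks whether the same source generated scan-category events in the preceding 48 hours and whether it hit more than one service; the log format and the sample lines are constructed for illustration.

```python
"""Classify perimeter exploit events by whether the same source scanned first.

Constructed, simplified IPS-style log lines: "<timestamp> src=<ip> sig=<name>
category=<scan|exploit>". "scan" marks port sweeps (T1595 indicators);
"exploit" marks CVE-specific or application attack signatures.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real device or vendor format).
SAMPLE_LOG = """\
2024-05-01T01:10:00Z src=203.0.113.10 sig=TCP_PORT_SWEEP category=scan
2024-05-01T14:30:00Z src=203.0.113.10 sig=CVE-2023-22518_CONFLUENCE category=exploit
2024-05-02T09:05:00Z src=198.51.100.7 sig=CVE-2023-34362_MOVEIT category=exploit
2024-05-02T09:06:00Z src=198.51.100.7 sig=FORTINET_AUTH_BYPASS category=exploit
2024-05-02T10:00:00Z src=192.0.2.44 sig=SQLI_GENERIC category=exploit
"""

# Window in which prior scanning from the same source counts as pre-attack recon.
LOOKBACK = timedelta(hours=48)


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def classify_exploits(events):
    """Return {src: {"label": ..., "signatures": [...]}} per source with exploit events."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)

    result = {}
    for src, evs in by_src.items():
        exploits = [e for e in evs if e["category"] == "exploit"]
        if not exploits:
            continue
        first = min(e["ts"] for e in exploits)
        # Any scan from this source inside the lookback window before its first exploit?
        prescan = any(e["category"] == "scan" and first - LOOKBACK <= e["ts"] < first
                      for e in evs)
        sigs = sorted({e["sig"] for e in exploits})
        if prescan:
            label = "scan-then-exploit (T1595 active scanning preceded exploitation)"
        elif len(sigs) > 1:
            label = "multi-service exploit, no prior scan (consistent with a T1596 target list)"
        else:
            label = "targeted exploit, no prior scan (consistent with T1596)"
        result[src] = {"label": label, "signatures": sigs}
    return result


if __name__ == "__main__":
    for src, info in classify_exploits(parse_log(SAMPLE_LOG)).items():
        print(src, info["label"], info["signatures"])
```

Sources labelled "no prior scan" are the ones to check against your own Shodan/Censys profile in investigation step 1.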

Response playbook

  • Immediately audit your Shodan/Censys exposure profile: Query Shodan (shodan.io) and Censys for your organization's IP ranges, ASN, and domain. The results represent exactly what attackers see when researching your infrastructure. Identify any services that should not be internet-facing, any services running known-vulnerable versions, and any unexpected exposures that IT/security teams were not aware of. This converts T1596 intelligence from an attacker advantage to a defensive advantage.
  • Patch or remediate all Shodan-visible vulnerable services immediately: Services running CVE-vulnerable versions that are catalogued in open databases have an extremely short exploitation window after CVE disclosure. Prioritize patching for all internet-exposed services identified in your Shodan/Censys profile over internal services, as external exposure combined with version cataloguing creates an immediate exploitation opportunity for T1596-savvy adversaries.
  • Remove unnecessary internet-facing services: Any service that appears in your Shodan profile but does not need to be internet-accessible should be immediately moved behind a VPN, zero-trust access proxy, or firewall allowlist. Management interfaces (admin panels, SSH, RDP, database ports), monitoring tools, and developer services are commonly inadvertently exposed and appear prominently in Shodan results for targeted organizations.
  • Audit certificate transparency exposure: Query crt.sh for your organization's domains to retrieve the complete list of SSL/TLS certificates and the subdomains they were issued for. Audit each subdomain for security posture, particularly legacy subdomains, staging environments, and partner portals. Decommission or harden subdomains that should no longer be publicly accessible but remain resolvable and certificate-issued.
  • Implement Shodan Monitor alerting: Configure Shodan Monitor (or equivalent) for your organization's IP ranges to receive real-time notifications when new services appear in the Shodan catalog. A new exposed service should trigger the same security response as a CVE alert: immediate assessment and remediation before adversaries discover it in T1596 reconnaissance queries.
  • Strengthen IPS sensitivity for catalogued service types: After confirming that targeted services appear in open databases, increase IPS sensitivity levels in Log360 for the relevant Cisco, Fortinet, or SonicWall rule categories covering those service types. Accepting higher false positive rates for the specific attack patterns against your most Shodan-exposed services is justified by the elevated targeting risk those services represent. Review published detection rules to ensure your rule set reflects the latest CVE-targeted attack patterns.
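The certificate transparency audit in the playbook above (and the CT enumeration described under T1596.003) can be scripted against crt.sh's JSON output. This is an added example, not code from the page or from Log360: the entries are constructed in the shape crt.sh returns (a JSON array whose `name_value` field carries newline-separated DNS names), the domain `example.com` is a placeholder, and the asset inventory and the "risky" name patterns are assumptions you would replace with your own.

```python
"""Audit certificate-transparency exposure from crt.sh-style JSON.

Flags wildcard certificates, hostnames absent from the known asset inventory
(the "shadow subdomains" attackers look for), and names suggesting
non-production or tooling hosts.
"""
import json
import re

# Constructed crt.sh-style output for the placeholder domain example.com.
CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=ExampleCA", "not_after": "2023-01-01T00:00:00",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "issuer_name": "C=US, O=ExampleCA", "not_after": "2026-01-01T00:00:00",
     "name_value": "staging-api.example.com"},
    {"id": 3, "issuer_name": "C=US, O=ExampleCA", "not_after": "2026-06-01T00:00:00",
     "name_value": "*.example.com\ndev-jenkins.example.com"},
    {"id": 4, "issuer_name": "C=US, O=ExampleCA", "not_after": "2026-03-01T00:00:00",
     "name_value": "partner-portal.example.com"},
])

# Hosts the IT/security team already tracks (constructed inventory; assumption).
KNOWN_ASSETS = {"example.com", "www.example.com", "partner-portal.example.com"}

# Name fragments that typically indicate non-production or tooling hosts (assumption).
RISKY_PATTERNS = re.compile(
    r"(^|[-.])(staging|stage|dev|test|uat|jenkins|admin|vpn)([-.]|$)", re.I)


def extract_hostnames(crtsh_text):
    """Collect every DNS name across all certificate entries, lower-cased and deduplicated."""
    names = set()
    for entry in json.loads(crtsh_text):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                names.add(name)
    return names


def audit(crtsh_text, known_assets):
    """Return sorted lists of wildcard names, unknown hosts, and risky-looking hosts."""
    names = extract_hostnames(crtsh_text)
    concrete = [n for n in names if not n.startswith("*.")]
    return {
        "wildcards": sorted(n for n in names if n.startswith("*.")),
        "unknown": sorted(n for n in concrete if n not in known_assets),
        "risky": sorted(n for n in concrete if RISKY_PATTERNS.search(n)),
    }


if __name__ == "__main__":
    for key, hosts in audit(CRTSH_JSON, KNOWN_ASSETS).items():
        print(f"{key}: {hosts}")
```

Every host in the "unknown" list is one an adversary can find through crt.sh but your team was not tracking; resolve, review and decommission or harden each one.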

ManageEngine Log360 for T1596 detection

Log360 detects T1596 search open technical databases downstream activity through IPS event correlation from Cisco FTD, Fortinet FortiGate, and SonicWall perimeter devices, and through CVE-specific exploitation rules for commonly Shodan-catalogued technologies including Confluence, MOVEit Transfer, Fortinet appliances, and web applications. While the passive collection phase generates no target-side events, Log360 closes the detection gap by correlating the exploitation attempts that follow when adversaries convert open database intelligence into targeted attacks on identified vulnerable services. For automated response workflows, Log360's SOAR capabilities can trigger containment actions when exploitation is confirmed.


Frequently asked questions

What is search open technical databases (T1596) in MITRE ATT&CK?

Search open technical databases (T1596) is a MITRE ATT&CK reconnaissance technique where adversaries query publicly available technical databases (Shodan, Censys, WHOIS, passive DNS, and certificate transparency logs) to map target infrastructure and identify exploitable services without directly probing the target. Because collection happens on third-party platforms, Log360 detects T1596 indirectly through the downstream exploitation attempts against services the adversary identified through these databases.

How do attackers use Shodan and Censys for reconnaissance?

Shodan and Censys provide pre-built inventories of internet-connected services with port, banner, and version data. Adversaries query these platforms using organization names, ASNs, or IP ranges to instantly retrieve a target's exposed services without active scanning. They cross-reference service version data with CVE databases to identify exploitable systems. Because the queries target Shodan/Censys servers, not the victim's infrastructure, no target-side events are generated. Log360 detects the subsequent exploitation via IPS events from Cisco FTD, Fortinet, and SonicWall integrations. See incident detection and response for how Log360 handles the post-exploitation phase.

How does Log360 detect search open technical databases (T1596) when the collection phase is invisible?

Log360 detects T1596 through downstream exploitation events: IPS signatures matching CVE-specific exploit patterns (Cisco FTD Intrusion Event Detected, Generic Attacks Detection for Fortinet), CVE-specific endpoint rules for commonly Shodan-catalogued vulnerabilities (Confluence, MOVEit, Fortinet appliances), and web application attack patterns against CT-log-identified subdomains. The investigation trigger is exploitation specificity: CVE-targeted attacks against exact vulnerable versions without prior active scanning indicate pre-knowledge from T1596 database reconnaissance.

What is the role of certificate transparency logs in search open technical databases (T1596) reconnaissance?

Certificate transparency (CT) logs publicly record every SSL/TLS certificate issued for an organization's domains, including subdomains for staging environments, developer portals, and internal tools that were not intended for public enumeration. Adversaries query crt.sh and similar CT databases to enumerate the complete subdomain inventory for a target domain. These less-hardened subdomains become secondary attack targets. Log360's webshell detection and web server anomaly rules cover exploitation of these CT-identified targets if they run Windows-based web services.

How should organizations reduce exposure to search open technical databases (T1596) reconnaissance?

Effective T1596 exposure reduction requires proactive external attack surface management. Quarterly queries of Shodan, Censys, and crt.sh for your organization's IP ranges and domains, supplemented by Shodan Monitor and Censys alerting, reveal what adversaries see. Move all management interfaces behind VPN or zero-trust access controls, patch all services visible in Shodan with known CVEs, and audit CT-log-visible subdomains for security posture. Combined with Log360's downstream detection of exploitation attempts following search open technical databases (T1596) reconnaissance, this creates both a proactive exposure reduction program and a reactive alert capability.
