title: CDNs (T1596.004)
id: df00tech-t1596-004
status: experimental
description: "Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor's geographical region. Adversaries may search CDN data to gather actionable information including origin server infrastructure, exposed backend IPs, misconfigured storage buckets hosting sensitive content not covered by the same authentication controls as the primary website, and path structures revealing internal architecture. Information from CDN reconnaissance may reveal opportunities for active scanning, infrastructure compromise, or drive-by attacks targeting CDN-served content."
references:
  - https://attack.mitre.org/techniques/T1596/004/
  - https://df00tech.com/detections/T1596.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1596.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate web crawlers and SEO bots (Googlebot, Bingbot, Ahrefs) generating high 404 rates on CDN endpoints while discovering site structure"
  - Internal security scanning tools and vulnerability assessments authorized by the security team performing CDN configuration reviews
  - Load testing and performance testing platforms hitting CDN endpoints with synthetic traffic that generates 404s for non-existent test paths
  - "Application monitoring agents (Pingdom, Datadog Synthetics, New Relic) probing CDN health check endpoints that return 404"
  - CI/CD deployment pipelines enumerating Azure Blob Storage containers to verify asset deployment or perform cleanup tasks
level: medium
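The 404-rate check that the false positives above refer to, shown as an added defender-side example rather than the rule's own logic or df00tech's KQL/SPL query; the log format and all log lines are constructed, and the crawler allowlist is an assumption based on the crawlers the rule names.

```python
"""Flag clients whose requests to CDN-served paths are mostly 404s."""
from collections import defaultdict

# Constructed sample CDN access log lines (not from any real deployment):
# "<client_ip> <http_status> <path> <user_agent>"
SAMPLE_LOG = """\
203.0.113.7 404 /.git/config curl/8.4.0
203.0.113.7 404 /backup.zip curl/8.4.0
203.0.113.7 404 /admin/ curl/8.4.0
203.0.113.7 404 /.env curl/8.4.0
203.0.113.7 200 /index.html curl/8.4.0
198.51.100.2 404 /old-page Mozilla/5.0 (compatible; Googlebot/2.1)
198.51.100.2 404 /older-page Mozilla/5.0 (compatible; Googlebot/2.1)
198.51.100.2 404 /legacy Mozilla/5.0 (compatible; Googlebot/2.1)
198.51.100.2 404 /archive Mozilla/5.0 (compatible; Googlebot/2.1)
192.0.2.9 200 /index.html Mozilla/5.0
192.0.2.9 200 /static/app.js Mozilla/5.0
192.0.2.9 404 /favicon.ico Mozilla/5.0
"""

# User-agent substrings of the crawlers the rule lists as benign 404 sources.
# A UA string is trivially spoofable, so a production rule should confirm
# crawler identity (e.g. reverse/forward DNS) instead of trusting this list.
KNOWN_CRAWLERS = ("Googlebot", "bingbot", "AhrefsBot")

def parse_line(line):
    """Split one constructed log line into (ip, status, path, user_agent)."""
    ip, status, path, ua = line.split(" ", 3)
    return ip, int(status), path, ua

def find_enumerators(log_text, min_requests=4, ratio=0.75):
    """Return {client_ip: 404_ratio} for non-crawler clients that made at
    least min_requests requests of which a fraction >= ratio were 404s."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [requests, not_found]
    for line in log_text.splitlines():
        ip, status, _path, ua = parse_line(line)
        if any(bot in ua for bot in KNOWN_CRAWLERS):
            continue  # documented false positive: legitimate crawlers
        stats[ip][0] += 1
        if status == 404:
            stats[ip][1] += 1
    return {ip: nf / total for ip, (total, nf) in stats.items()
            if total >= min_requests and nf / total >= ratio}

if __name__ == "__main__":
    for ip, r in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {r:.0%} of requests returned 404")
```

Lowering `min_requests` or `ratio` trades the crawler and monitoring-agent false positives the rule lists against catching slower enumeration.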
