title: Scan Databases (T1596.005)
id: df00tech-t1596-005
status: experimental
description: "Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and server banners. Services such as Shodan, Censys, FOFA, ZoomEye, BinaryEdge, and GreyNoise index the public internet and make this data queryable. Adversaries may use these resources to identify exposed services, vulnerable software versions, SSL/TLS certificate metadata, and network topology without ever sending a packet to the victim. APT41 has used the Chinese FOFA service for passive victim reconnaissance, and Volt Typhoon has used FOFA, Shodan, and Censys to identify exposed critical infrastructure. Because this technique occurs entirely outside the victim's network perimeter using third-party infrastructure, it generates no direct telemetry in victim SIEM or EDR systems. Detection must focus on: (1) endpoint detection of scan database CLI tools and Python API libraries executing on monitored hosts, (2) proxy/DNS telemetry showing internal hosts querying scan database APIs, and (3) downstream indicators — sudden scanning or exploitation attempts against assets discoverable in these databases."
references:
  - https://attack.mitre.org/techniques/T1596/005/
  - https://df00tech.com/detections/T1596.005
author: df00tech
date: 2026/03/13
tags:
  - attack.reconnaissance
  - attack.t1596.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below implements detection approach (1) from the description:
  # scan database CLI tools and Python API libraries (shodan, censys, ...) executing
  # on monitored hosts. Tune the substring list to your environment.
  selection:
    CommandLine|contains:
      - 'shodan'
      - 'censys'
      - 'fofa'
      - 'zoomeye'
      - 'binaryedge'
      - 'greynoise'
  condition: selection
falsepositives:
  - "Authorized security team members or red teamers using Shodan/Censys to assess the organization's own external attack surface"
  - Threat intelligence analysts querying scan databases as part of CTI enrichment workflows or SOC investigation processes
  - "Security tools and SOAR platforms (Cortex XSOAR, Splunk SOAR, Microsoft Sentinel playbooks) that integrate Shodan or Censys APIs for automated alert enrichment"
  - Developers and DevOps engineers using the Shodan or Censys CLI during penetration testing engagements with proper authorization
  - Bug bounty hunters or security researchers operating from organization-issued devices with permission to perform reconnaissance
level: medium
