Gathering victim network information is the process by which an attacker obtains key intelligence about a target organisation's network architecture, asset configuration and similar details through active or passive means; this information is the foundation on which the rest of the attack chain is built. Traditional techniques include active scanning and queries against public databases. Defenders typically detect it by monitoring abnormal API calls and analysing data-request patterns, but because the activity is usually mixed in with normal network traffic and may be carried out through third-party platforms, defence suffers from high false-positive rates and visibility blind spots.
| Effect type | Present |
|---|---|
| Signature disguise | ✅ |
| Behavioural transparency | ❌ |
| Data concealment | ✅ |
| Spatiotemporal trace dispersal | ✅ |
Attackers disguise reconnaissance through legitimate-protocol encapsulation and identity impersonation. For example, encoding DNS query parameters as standard requests, or issuing API calls through a cloud provider's official SDK, makes malicious traffic indistinguishable from normal business traffic at the level of protocol features. This deep protocol conformance defeats traditional detection mechanisms that rely on signature matching.
In scenarios such as cloud API queries and social-engineering collection, attackers move sensitive data over HTTPS-encrypted channels while hiding the return path behind mechanisms such as cloud-service log storage and temporary token authorisation. Combining encrypted communication with the cloud platform's own data-processing flows leaves the transfer of key reconnaissance data entirely concealed within legitimate business traffic.
Attackers adopt long-period, dispersed strategies for intelligence collection, for example breaking a target network mapping task into a sequence of DNS queries spread over several months, or retrieving fragments of information through spaced-out API calls across multiple platforms. This low-frequency, cross-platform reconnaissance pattern dilutes the attack signature within the time stream of normal business operations and evades detection models based on short-term behavioural analysis.
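As an added defensive example (not part of the original page), the following Python sketch shows why the long-period pattern described above defeats short-window analysis: it runs a sliding-window detector over constructed resolver log lines and flags the slow enumerator only once the window is widened beyond a day. The log format, zone name, client addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ZONE = "victim.example"  # assumed target zone being enumerated


def build_sample_log():
    """Construct sample resolver log lines: '<ISO timestamp> <client> <qname> <rcode>'.
    The slow client asks for two new hostnames per day for 60 days, most of which
    do not exist; the normal client repeats the same three real names every day."""
    start = datetime(2024, 1, 1)
    lines = []
    for day in range(60):
        ts = start + timedelta(days=day)
        for i in range(2):
            idx = day * 2 + i
            rcode = "NOERROR" if idx % 10 == 0 else "NXDOMAIN"
            when = (ts + timedelta(hours=9 + i)).isoformat()
            lines.append(f"{when} 10.0.0.5 host{idx:03d}.{ZONE} {rcode}")
        for name in ("mail", "www", "vpn"):
            when = (ts + timedelta(hours=10)).isoformat()
            lines.append(f"{when} 10.0.0.9 {name}.{ZONE} NOERROR")
    return lines


def parse(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def flag_slow_enumeration(lines, window_days, min_distinct=50, min_nx_ratio=0.5):
    """Return clients that, within some sliding window of window_days, queried at least
    min_distinct distinct names under ZONE with an NXDOMAIN ratio of at least min_nx_ratio.
    Per-day volume stays tiny, so only a long window exposes the enumeration."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse(line)
        if qname.endswith("." + ZONE):
            per_client[client].append((ts, qname, rcode))
    flagged, window = set(), timedelta(days=window_days)
    for client, events in per_client.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1  # slide the window start forward
            span = events[lo:hi + 1]
            names = {q for _, q, _ in span}
            nx = sum(1 for _, _, r in span if r == "NXDOMAIN")
            if len(names) >= min_distinct and nx / len(span) >= min_nx_ratio:
                flagged.add(client)
                break
    return flagged
```

With a one-day window neither client is flagged; with a 90-day window the slow client 10.0.0.5 is, because its 120 distinct names and roughly 90% NXDOMAIN rate only become visible in aggregate.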
| ID | Name | Description |
|---|---|---|
| G0125 | HAFNIUM | HAFNIUM gathered the fully qualified domain names (FQDNs) for targeted Exchange servers in the victim's environment.[1] |
| G0119 | Indrik Spider | Indrik Spider has downloaded tools, such as the Advanced Port Scanner utility and Lansweeper, to conduct internal reconnaissance of the victim network. Indrik Spider has also accessed the victim's VMware vCenter, which had information about host configuration, clusters, etc.[2] |
| G1017 | Volt Typhoon | Volt Typhoon has conducted extensive pre-compromise reconnaissance to learn about the target organization's network.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.
Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.