# Reconnaissance

```mermaid
graph TB
    A["🔭 Reconhecimento (TA0043)<br/>Coleta pre-ataque"] --> B["👤 Informacoes de Vitimas<br/>T1589/T1590/T1591/T1592"]
    A --> C["🌐 Pesquisa em Sites Abertos<br/>T1593 - Redes sociais/web"]
    A --> D["🔍 Varredura Ativa<br/>T1595 - Scan de IPs/portas"]
    A --> E["📚 Bancos de Dados Tecnicos<br/>T1596 - WHOIS/certs/DNS"]
    A --> F["📧 Phishing de Informacoes<br/>T1598 - Recon via engenharia"]
    A --> G["🔒 Fontes Fechadas<br/>T1597 - Dark web/intel paga"]
    B --> H["🎯 Perfil completo do alvo"]
```

> [!info] Overview
> Reconnaissance is the first tactic in the MITRE ATT&CK attack cycle, covering every information-gathering technique an adversary carries out before starting active operations. This phase can last weeks or months and is often conducted passively to avoid detection.
> **Techniques:** 45 techniques in this category, organized into active and passive collection of information about identities, networks, hosts and organizations.
> **LATAM highlight:** Port scanning and fingerprinting of exposed services (**T1595**) are widely used against Brazilian infrastructure, taking advantage of the large attack surface of legacy systems exposed on the internet.

> [!warning] Brazil/LATAM context
> Brazil is a frequent target of active reconnaissance because of the large number of services exposed on the internet: thousands of industrial control systems, administrative panels and unprotected VPNs are regularly indexed by tools such as Shodan. Groups such as **Blind Eagle (APT-C-36)** carry out systematic reconnaissance of targets in the government and financial sectors in Brazil and Colombia. Social media research (**T1593.001**) is heavily used to map employees of Brazilian companies via LinkedIn, focusing on IT and finance teams for targeted spear-phishing campaigns.

> **45 techniques** · Collection of information about the target before the attack: IP scanning, employee research, service fingerprinting.
%%
```dataview
TABLE WITHOUT ID link(file.link, title) AS "Nome"
FROM "ttp/techniques/reconnaissance"
WHERE type = "technique"
SORT title ASC
```
%%

<!-- QueryToSerialize: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/reconnaissance" WHERE type = "technique" SORT title ASC -->
<!-- SerializedQuery: TABLE WITHOUT ID link(file.link, title) AS "Nota", title AS "Nome" FROM "ttp/techniques/reconnaissance" WHERE type = "technique" SORT title ASC -->
| Note | Name |
| --- | --- |
| [[t1589-gather-victim-identity-information\|T1589 - Gather Victim Identity Information]] | T1589 - Gather Victim Identity Information |
| [[t1589-001-credentials\|T1589.001 - Credentials]] | T1589.001 - Credentials |
| [[t1589-002-email-addresses\|T1589.002 - Email Addresses]] | T1589.002 - Email Addresses |
| [[t1589-003-employee-names\|T1589.003 - Employee Names]] | T1589.003 - Employee Names |
| [[t1590-gather-victim-network-information\|T1590 - Gather Victim Network Information]] | T1590 - Gather Victim Network Information |
| [[t1590-001-domain-properties\|T1590.001 - Domain Properties]] | T1590.001 - Domain Properties |
| [[t1590-002-dns\|T1590.002 - DNS]] | T1590.002 - DNS |
| [[t1590-003-network-trust-dependencies\|T1590.003 - Network Trust Dependencies]] | T1590.003 - Network Trust Dependencies |
| [[t1590-004-network-topology\|T1590.004 - Network Topology]] | T1590.004 - Network Topology |
| [[t1590-005-ip-addresses\|T1590.005 - IP Addresses]] | T1590.005 - IP Addresses |
| [[t1590-006-network-security-appliances\|T1590.006 - Network Security Appliances]] | T1590.006 - Network Security Appliances |
| [[t1591-gather-victim-org-information\|T1591 - Gather Victim Org Information]] | T1591 - Gather Victim Org Information |
| [[t1591-001-determine-physical-locations\|T1591.001 - Determine Physical Locations]] | T1591.001 - Determine Physical Locations |
| [[t1591-002-business-relationships\|T1591.002 - Business Relationships]] | T1591.002 - Business Relationships |
| [[t1591-003-identify-business-tempo\|T1591.003 - Identify Business Tempo]] | T1591.003 - Identify Business Tempo |
| [[t1591-004-identify-roles\|T1591.004 - Identify Roles]] | T1591.004 - Identify Roles |
| [[t1592-gather-victim-host-information\|T1592 - Gather Victim Host Information]] | T1592 - Gather Victim Host Information |
| [[t1592-001-hardware\|T1592.001 - Hardware]] | T1592.001 - Hardware |
| [[t1592-002-software\|T1592.002 - Software]] | T1592.002 - Software |
| [[t1592-003-firmware\|T1592.003 - Firmware]] | T1592.003 - Firmware |
| [[t1592-004-client-configurations\|T1592.004 - Client Configurations]] | T1592.004 - Client Configurations |
| [[t1593-search-open-websitesdomains\|T1593 - Search Open Websites/Domains]] | T1593 - Search Open Websites/Domains |
| [[t1593-001-social-media\|T1593.001 - Social Media]] | T1593.001 - Social Media |
| [[t1593-002-search-engines\|T1593.002 - Search Engines]] | T1593.002 - Search Engines |
| [[t1593-003-code-repositories\|T1593.003 - Code Repositories]] | T1593.003 - Code Repositories |
| [[t1594-search-victim-owned-websites\|T1594 - Search Victim-Owned Websites]] | T1594 - Search Victim-Owned Websites |
| [[t1595-active-scanning\|T1595 - Active Scanning]] | T1595 - Active Scanning |
| [[t1595-001-scanning-ip-blocks\|T1595.001 - Scanning IP Blocks]] | T1595.001 - Scanning IP Blocks |
| [[t1595-002-vulnerability-scanning\|T1595.002 - Vulnerability Scanning]] | T1595.002 - Vulnerability Scanning |
| [[t1595-003-wordlist-scanning\|T1595.003 - Wordlist Scanning]] | T1595.003 - Wordlist Scanning |
| [[t1596-search-open-technical-databases\|T1596 - Search Open Technical Databases]] | T1596 - Search Open Technical Databases |
| [[t1596-001-dnspassive-dns\|T1596.001 - DNS/Passive DNS]] | T1596.001 - DNS/Passive DNS |
| [[t1596-002-whois\|T1596.002 - WHOIS]] | T1596.002 - WHOIS |
| [[t1596-003-digital-certificates\|T1596.003 - Digital Certificates]] | T1596.003 - Digital Certificates |
| [[t1596-004-cdns\|T1596.004 - CDNs]] | T1596.004 - CDNs |
| [[t1596-005-scan-databases\|T1596.005 - Scan Databases]] | T1596.005 - Scan Databases |
| [[t1597-search-closed-sources\|T1597 - Search Closed Sources]] | T1597 - Search Closed Sources |
| [[t1597-001-threat-intel-vendors\|T1597.001 - Threat Intel Vendors]] | T1597.001 - Threat Intel Vendors |
| [[t1597-002-purchase-technical-data\|T1597.002 - Purchase Technical Data]] | T1597.002 - Purchase Technical Data |
| [[t1598-phishing-for-information\|T1598 - Phishing for Information]] | T1598 - Phishing for Information |
| [[t1598-001-spearphishing-service\|T1598.001 - Spearphishing Service]] | T1598.001 - Spearphishing Service |
| [[t1598-002-spearphishing-attachment\|T1598.002 - Spearphishing Attachment]] | T1598.002 - Spearphishing Attachment |
| [[t1598-003-spearphishing-link\|T1598.003 - Spearphishing Link]] | T1598.003 - Spearphishing Link |
| [[t1598-004-spearphishing-voice\|T1598.004 - Spearphishing Voice]] | T1598.004 - Spearphishing Voice |
| [[t1681-search-threat-vendor-data\|T1681 - Search Threat Vendor Data]] | T1681 - Search Threat Vendor Data |
<!-- SerializedQuery END -->

---

**Navigation:** [[_techniques|Techniques]] · [[_tactics|Tactics]] · [[_procedures|Procedures]]