Reconnaissance
Details
| Field | Value |
|---|---|
| ID | PT0001 |
| MITRE ATT&CK ID | TA0043 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
| Version Permalink | Link |
Description
The adversary is trying to gather information they can use to plan entry, movement, and operations.
Reconnaissance consists of techniques for observing facilities, people, and security routines before and during an engagement. This includes site surveillance, open-source research, mapping layouts, identifying cameras and alarm sensors, and learning guard patterns, entry points, and visitor procedures that support later tactics.
Techniques
| ID | Name | Description |
|---|---|---|
| P0001 | Gather Victim Facility Information | Adversaries may gather information about the target facility to plan entry, movement, and collection. This includes building layout, access controls, occupancy patterns, and security-relevant infrastructure. |
| P0001.001 | Facility Plans | Adversaries may obtain floor plans, evacuation routes, door schedules, and other facility documentation through open sources, social engineering, or theft to understand layout and access paths. |
| P0001.002 | Facility Rhythms | Adversaries may study staff rhythms and patterns such as shift changes, break times, delivery schedules, and typical foot traffic to time movement and blend with normal activity. |
| P0002 | Surveillance | Adversaries may observe facilities, people, and security routines to collect information for planning. Surveillance may occur on site or remotely using open sources, cameras, or other collection methods. |
| P0002.001 | On-site Surveillance | Adversaries may conduct surveillance from public or authorized vantage points near the facility, including fixed observation, walk-by reconnaissance, and repeated visits to establish patterns. |
| P0002.002 | Remote Surveillance | Adversaries may collect facility information remotely using open-source research, social media, satellite or street imagery, public records, and other sources without physical presence at the site. |
| P0003 | Gather Victim Facility Perimeter | Adversaries may observe and map the physical perimeter of a target facility to understand boundaries, access points, and external security controls. This includes fencing, walls, gates, vehicle barriers, lighting, cameras along the perimeter, patrol routes, and adjacent property lines that affect approach or escape. |
| P0007 | Social Engineering | Adversaries may manipulate people to obtain access, information, or assistance at a target facility. This includes impersonation, authority appeals, urgency, and other influence tactics at entry points, reception areas, or during escorted movement. |
| P0007.001 | Exploit Business Process | Adversaries may exploit missing, ambiguous, or unenforced business processes to gain access or avoid scrutiny. Weak processes for visitor handling, deliveries, escorts, after-hours access, and contractor workflows can be abused through pretext, policy gaps, or inconsistent enforcement. |
| P0007.002 | Impersonate Staff or Vendor | Adversaries may present themselves as employees, contractors, or vendor personnel to appear legitimate during entry and movement. Impersonation pairs with dress, tools, and behavior expected for the claimed role. |
| P0007.003 | Pose as Visitor or Guest | Adversaries may act as visitors, interview candidates, guests, or event attendees to blend with normal foot traffic. Visitor pretexts often face lighter challenge at reception when appearance and behavior match expected patterns. |
| P0007.004 | Employ Pretext in Conversation | Adversaries may use a prepared cover story when interacting with staff, security, or reception during operations. Consistent pretext in conversation reinforces legitimacy and deflects casual questions about purpose or destination. |
| P0007.005 | Wear Cover Dress | Adversaries may wear clothing, uniforms, PPE, or accessories that match expected roles at the facility during live operations. Cover dress reduces scrutiny compared to out-of-place attire and supports blending with staff, vendors, or visitors. |
| P0007.006 | Employ Pretext via Phone Calls | Adversaries may use a prepared cover story during phone calls to staff, security, reception, or help desks to obtain information or assistance without physical presence at the facility. Phone pretexts can elicit facility details, access procedures, or identities useful for planning and later tactics. |
| P0007.007 | Employ Pretext via Email | Adversaries may use a prepared cover story in email to staff, contractors, or shared mailboxes to obtain information or assistance without physical presence at the facility. Email pretexts can request layouts, visitor procedures, or organizational details that support planning and later tactics. |
| P0039 | Dumpster Diving | Adversaries may search discarded waste from the target facility or personnel to collect information useful for planning. Discarded documents, media, badges, or packaging can reveal floor plans, access procedures, organizational structure, or credentials. |