Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Stage 1: Reconnaissance
The foundational phase of the Identity Attack Chain where adversaries silently map your identity infrastructure
What Happens During Reconnaissance
Reconnaissance is the attacker's information-gathering phase, focused entirely on understanding the identity surface of an organization. This stage involves no authentication attempts: it is quiet, external and passive, and it is often invisible to defenders unless identity endpoints leak information.
Identity recon is the foundation for everything that follows in the attack chain. Without this intelligence, adversaries cannot effectively target your users, spray credentials, or craft sophisticated phishing campaigns.
Attacker Intelligence Targets
  • Organizational email patterns
  • Public UPN formats
  • Exposed identity endpoints
  • MFA prompt timing
  • Cloud tenant identifiers
  • Federation metadata
  • OAuth consent flows
Identify Authentication Methods
Map how users authenticate across cloud and on-premises systems
Discover Naming Conventions
Understand email formats and UPN structures for enumeration
Locate Cloud Tenants
Identify tenant IDs, realms, and federation trust relationships
Find Weak Login Surfaces
Detect misconfigured endpoints and information-leaking error messages
Critical Misconfigurations & Detection
1. MC-001: Publicly Exposed User Identifiers
Identity endpoints reveal usernames, alias formats, or email patterns through default error messages. Attackers use these verbose responses to validate account existence and build precise target lists.
2. MC-075: Weak Network Segmentation
Identity surfaces including login portals, cloud tenants, and federation metadata are accessible from anywhere without throttling, geographic restrictions, or network segmentation controls.
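The MC-001 defect is easiest to see next to its fix. The following is an added example, not code from the Identity Attack Chain framework: a toy login check whose verbose variant returns different messages for an unknown account and a wrong password, beside a hardened variant that returns one generic message and does the same amount of hashing work in both cases. The user store, salts, passwords and the leaks_existence check are constructed for the example.

```python
"""Added example (not part of the framework): MC-001 verbose-error defect beside
a uniform-response fix. All users, salts and passwords below are constructed."""
import hashlib
import hmac
import secrets


def _hash(salt: bytes, password: str) -> bytes:
    # Toy salted hash; a real store would use a slow KDF such as scrypt/argon2.
    return hashlib.sha256(salt + password.encode()).digest()


_SALT_A = b"salt-a"
# Constructed user store: username -> (salt, hash).
USERS = {
    "alice@example.test": (_SALT_A, _hash(_SALT_A, "correct horse")),
}
# Dummy record so that unknown users still cost one hash + compare (no timing tell).
_DUMMY = (b"dummy", _hash(b"dummy", secrets.token_hex(16)))


def login_verbose(username: str, password: str) -> dict:
    """MC-001 behaviour: the error message itself reveals whether the account exists."""
    if username not in USERS:
        return {"ok": False, "error": "user not found"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), stored):
        return {"ok": False, "error": "incorrect password"}
    return {"ok": True, "error": None}


def login_uniform(username: str, password: str) -> dict:
    """Hardened: identical message and identical work for unknown users and bad passwords."""
    salt, stored = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(salt, password), stored)
    if not (matched and username in USERS):
        return {"ok": False, "error": "invalid username or password"}
    return {"ok": True, "error": None}


def leaks_existence(login) -> bool:
    """Check an endpoint for MC-001: do an unknown account and a known account with
    a wrong password produce distinguishable responses? True means it leaks."""
    unknown = login("nobody@example.test", "wrong")
    wrong_pw = login("alice@example.test", "wrong")
    return unknown != wrong_pw


if __name__ == "__main__":
    print("verbose leaks:", leaks_existence(login_verbose))   # True
    print("uniform leaks:", leaks_existence(login_uniform))   # False
```

The leaks_existence check is the kind of test to run against your own identity endpoints: the message text is only one channel, so in practice also compare status codes, response sizes and latency between the two cases.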

Detection Logic for Stage 1 Reconnaissance
DL-001: External Enumeration
Detects high-rate probing, unknown ASNs, and bulk identity lookups from external sources
DL-009: Failed Endpoint Lookups
Identifies repeated failed lookups on identity endpoints indicating username guessing
DL-010: Naming Pattern Probes
Catches high-volume brute-force enumeration of email and UPN structures
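To make the three detection rules concrete, here is an added example, not detection content from the framework itself: a small detector in the spirit of DL-001, DL-009 and DL-010 run over constructed log lines from an identity lookup endpoint. The log format, the thresholds, the sliding window and the "known ASN" list are assumptions chosen for the example; real rules would be tuned to your own telemetry.

```python
"""Added example (not the framework's own logic): DL-001/DL-009/DL-010-style
detection over constructed identity-endpoint log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format:
# "<ISO time> src=<ip> asn=<n> user=<upn> result=<found|notfound>"
SAMPLE_LOG = """\
2026-01-10T09:00:00 src=203.0.113.7 asn=64512 user=alice@example.test result=found
2026-01-10T09:00:01 src=203.0.113.7 asn=64512 user=bob.smith@example.test result=notfound
2026-01-10T09:00:02 src=203.0.113.7 asn=64512 user=carol.jones@example.test result=notfound
2026-01-10T09:00:03 src=203.0.113.7 asn=64512 user=dan.lee@example.test result=notfound
2026-01-10T09:00:04 src=203.0.113.7 asn=64512 user=eve.wong@example.test result=notfound
2026-01-10T09:00:05 src=203.0.113.7 asn=64512 user=frank.hall@example.test result=notfound
2026-01-10T09:00:06 src=203.0.113.7 asn=64512 user=grace.kim@example.test result=notfound
2026-01-10T09:05:00 src=198.51.100.4 asn=64500 user=alice@example.test result=found
2026-01-10T09:30:00 src=198.51.100.4 asn=64500 user=alice@example.test result=notfound
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) asn=(\d+) user=(\S+) result=(\w+)$")
# Assumed organisational naming convention for DL-010: first.last@domain
PATTERN_RE = re.compile(r"[a-z]+\.[a-z]+@[\w.-]+")


def parse(log: str) -> list:
    """Parse the assumed log format into event dicts; unparsable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, asn, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "asn": int(asn), "user": user, "result": result})
    return events


def detect(events, known_asns, window=timedelta(seconds=60),
           fail_threshold=5, pattern_threshold=5) -> list:
    """Return (rule_id, src, detail) alerts, grouped per source address."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # DL-001: activity from an ASN not on the organisation's known list.
        if evs[0]["asn"] not in known_asns:
            alerts.append(("DL-001", src, f"asn {evs[0]['asn']} not in known list"))
        # DL-009: at least fail_threshold failed lookups inside one sliding window.
        fails = [e["ts"] for e in evs if e["result"] == "notfound"]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= fail_threshold:
                alerts.append(("DL-009", src, f"{j - i + 1} failed lookups within {window}"))
                break
        # DL-010: many distinct usernames that all fit the naming convention.
        patterned = {e["user"] for e in evs if PATTERN_RE.fullmatch(e["user"])}
        if len(patterned) >= pattern_threshold:
            alerts.append(("DL-010", src, f"{len(patterned)} distinct first.last names probed"))
    return alerts


def run(log: str = SAMPLE_LOG, known_asns=frozenset({64500})) -> list:
    return detect(parse(log), known_asns)


if __name__ == "__main__":
    for rule, src, detail in run():
        print(rule, src, detail)
```

On the constructed sample the detector raises all three rules for 203.0.113.7 and nothing for 198.51.100.4, whose single failed lookup and known ASN stay below every threshold. The rules deliberately key on the source address rather than the username, since the probed accounts are the attacker's guesses, not your users' behaviour.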
Threat Intelligence & Attack Chain Context
Breach Patterns Using Stage 1
BP-001: Domain & Identity Surface Scanning
Comprehensive mapping of exposed identity infrastructure
BP-002: Cloud Tenant Discovery
Identifying cloud service tenants and configurations
BP-003: Federation Metadata Collection
Harvesting SAML and OAuth federation details
BP-004: Email Pattern Harvesting
Building username lists from public information
Active Threat Actors
APT28 (ICTAM-002)
Russian state-sponsored group with heavy use of identity probing and reconnaissance
MuddyWater (ICTAM-007)
Iranian threat actor conducting large-scale recon campaigns targeting government sectors
Volt Typhoon (ICTAM-004)
Chinese APT leveraging hybrid reconnaissance for cross-environment pivots
Cloud Identity Drifter (ICTAM-021)
Opportunistic scanning group targeting misconfigured cloud identity services

How Stage 1 Powers the Attack Chain
Stage 1 → Stage 2 → Stage 3 → Stage 4 represents the progression from Reconnaissance to Enumeration to Credential Compromise to Authentication Abuse.
Without identity reconnaissance, attackers cannot build username lists, spray intelligently, choose high-value targets, craft federation abuse paths, create convincing phishing templates, or test authentication behavior. Stage 1 is the reconnaissance layer that powers the entire Identity Attack Chain.