Gather Application Configuration Information

Info

ID: AT-RE003
Tactic: Reconnaissance
Sub-techniques: Feature Flag Discovery, Fingerprinting
Platforms: PRE

Adversaries may seek to gather environment variables, feature flags, credentials, and network topology details to gain insight into an application’s operational context. They might scrape config files from public code repositories, leverage verbose error messages for debugging info, or analyze DNS records and TLS certificates for subdomains. Equipped with this data, attackers can target specific misconfigurations - like secrets stored in plain text - or plan attacks that circumvent known defenses.

Within cloud ecosystems, an application’s configuration often dictates how microservices interconnect, which ports are open, and where secrets are stored (e.g., environment variables in container definitions). Obtaining these details can reveal escalation paths, such as internal endpoints that lack strict authentication or ephemeral credentials used for third-party APIs. By pinpointing weaknesses in the application’s deployment model, adversaries improve their chances of a smooth takeover later on.
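As an added defensive example (not part of the original technique entry), the following Python script checks container definitions for the misconfiguration named above: secret-bearing environment variables set to literal values in the file rather than references that a secret store resolves at deploy time. The secret-name heuristics, the handled formats (Dockerfile `ENV` lines and `.env` files) and the sample inputs are this example's own assumptions.

```python
import re

# The name heuristics below are this example's own assumptions, not a standard.
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# ${VAR} / $VAR values are resolved at deploy time, so they are references,
# not literal secrets written into the file; only literal values get flagged.
REFERENCE_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
DOCKERFILE_ENV_RE = re.compile(r"^ENV\s+(.+)$", re.I)
DOTENV_LINE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
PAIR_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S*)")

def find_plaintext_secrets(text):
    """Return [(line_no, var_name)] for secret-looking env vars set to literals.

    Handles Dockerfile 'ENV K=v K2=v2', legacy 'ENV K v' and .env 'K=v' lines.
    Known gap: a password embedded in a URL value (DATABASE_URL=...://u:pw@h)
    is not caught by name, so pair this with a content-based secret scanner.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DOCKERFILE_ENV_RE.match(line)
        if m:
            body = m.group(1)
        elif DOTENV_LINE_RE.match(line):
            body = line
        else:
            continue  # FROM, RUN, etc. define no environment variables
        pairs = PAIR_RE.findall(body)
        if not pairs and m:  # legacy "ENV KEY value" form
            parts = body.split(None, 1)
            if len(parts) == 2:
                pairs = [(parts[0], parts[1])]
        for name, value in pairs:
            value = value.strip("\"'")
            if value and SECRET_NAME_RE.search(name) and not REFERENCE_RE.match(value):
                findings.append((line_no, name))
    return findings

# Constructed sample inputs; every value below is made up for this example.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ENV DB_USER=app DB_PASSWORD=hunter2
ENV API_TOKEN=${API_TOKEN}
ENV SERVICE_PORT 8080
ENV AWS_SECRET_ACCESS_KEY "example-not-a-real-key"
"""
SAMPLE_DOTENV = "DATABASE_URL=postgres://app:pw@db/app\nJWT_SECRET=changeme\n"
```

Run it over the constructed samples and it reports `DB_PASSWORD` and `AWS_SECRET_ACCESS_KEY` in the Dockerfile and `JWT_SECRET` in the `.env` file, while the `${API_TOKEN}` reference and the non-secret variables pass; the embedded URL password shows why a name-based check is only one layer.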