DET0806: Detection of Determine Physical Locations
Analyst context for executives and security teams
DET0806 is a detection strategy entry for spotting reconnaissance aimed at determining an organization’s physical locations. Even though the ATT&CK entry does not provide an official detection method, the related technique matters because location intelligence can help an adversary refine targeting, understand where critical resources or infrastructure are housed, and infer legal or jurisdictional context. For leaders, this is a reminder that reconnaissance is not only digital: public or elicited location details can influence later operational, legal, and physical-risk decisions.
Executive priority
Treat this as a governance and readiness issue rather than a single-tool detection problem. Security leaders should ask what physical-location information is publicly exposed, who owns decisions about reducing that exposure, and whether SOC, threat intelligence, facilities, legal, and incident response teams share a common process for assessing suspicious collection of site information. The priority is strongest where offices, data centers, production sites, or other key resources are material to business continuity or regulatory obligations.
Technical view
The supplied ATT&CK object has no official description, detection text, platforms, or tactics of its own. Its relationship indicates that it detects T1591.001, Determine Physical Locations, a reconnaissance technique on the PRE platform. SOC and threat intelligence teams should therefore validate whether they can identify unusual or repeated attempts to collect location-related information, especially through channels where physical site details may be published, requested, or elicited. Detection engineering should avoid assuming endpoint or cloud telemetry is sufficient, because the related behavior occurs before intrusion and may be visible mainly in external-facing, communications, and intelligence sources.
Likely telemetry
- Public web and corporate site content changes involving office, facility, infrastructure, or jurisdictional details
- Inbound inquiries to public contact points, reception, helpdesk, sales, recruiting, or media channels requesting location-specific information
- Email or messaging records for suspected phishing-for-information attempts involving physical locations
- Threat intelligence or external attack surface observations of scraped or aggregated organization location data
- Web access and bot activity against pages that publish site, facility, executive, or infrastructure location information
Detection direction
- Confirm which teams monitor reconnaissance-stage activity, since the related ATT&CK platform is PRE and evidence may sit outside traditional host or network detections.
- Build review logic around suspicious patterns of location inquiry, not just single events; false positives may include customers, vendors, job candidates, media, auditors, and legitimate visitors.
- Correlate repeated external interest in specific sites with other reconnaissance indicators when available, such as phishing-for-information themes or unusual scraping of public location pages.
- Validate whether public-facing location data is intentionally published, approved, and current; detection is harder when sensitive site details are broadly exposed by design.
- Document gaps explicitly because the ATT&CK object provides no official detection analytics or platform-specific guidance.
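One way to implement the "patterns, not single events" review logic above for web access to location pages, as an added example that is not part of the ATT&CK object or the original page. The URL prefixes, ten-minute window and four-page threshold are assumptions to tune locally, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (hypothetical, tune locally): URL prefixes of pages that publish
# site details, the review window, and the distinct-page threshold.
LOCATION_PREFIXES = ("/locations/", "/offices/", "/datacenters/", "/contact/")
WINDOW = timedelta(minutes=10)
MIN_DISTINCT = 4
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')

def parse(line):
    """Return (ip, timestamp, path without query string) or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]

def flag_location_sweeps(lines):
    """Clients requesting >= MIN_DISTINCT distinct location pages in one WINDOW."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2].startswith(LOCATION_PREFIXES):
            hits[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # slide the window forward past stale requests
            pages = {path for _, path in events[start:end + 1]}
            if len(pages) >= MIN_DISTINCT:
                flagged[ip] = sorted(pages)
                break
    return flagged

def _line(ip, clock, path):  # one constructed Combined Log Format line
    return (f'{ip} - - [12/Mar/2025:{clock} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "sample-agent"')

# Constructed sample: malformed line, fast sweep, ordinary visitor, slow reader.
SITES = ["/locations/london?ref=x", "/locations/berlin", "/offices/hq", "/datacenters/east"]
SAMPLE = ["not a log line"]
SAMPLE += [_line("203.0.113.7", f"10:0{i}:00", p) for i, p in enumerate(SITES)]
SAMPLE += [_line("198.51.100.20", f"09:0{i}:00", p) for i, p in enumerate(SITES[:2] * 2)]
SAMPLE += [_line("192.0.2.9", f"0{i + 5}:00:00", p) for i, p in enumerate(SITES)]
```

A flagged client is a review candidate to correlate with inquiry and phishing-for-information records, not a verdict.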
Mitigation priorities
- Inventory what physical-location information is publicly available and determine which details are necessary for business operations.
- Establish ownership across security, facilities, communications, legal, and business units for approving location disclosures.
- Train public-facing staff to recognize and escalate unusual requests for site, infrastructure, or jurisdictional information.
- Reduce unnecessary detail in public materials where it creates avoidable operational or cyber-physical risk.
- Integrate reconnaissance findings into incident response and threat intelligence workflows so repeated location-focused collection is assessed alongside other pre-attack activity.
Analyst notes and limits
This take is based on the detection strategy object DET0806 and its relationship to T1591.001, Determine Physical Locations. Because the object itself lacks official description, detection content, tactics, and platforms, the practical guidance is framed from the related technique’s reconnaissance context and should be validated against local business operations and telemetry.
ATT&CK supplies no official detection method for DET0806 and no platforms or tactics directly on the detection strategy object. The related technique description is partially supplied and supports only conservative conclusions about reconnaissance for physical-location information. Local environment evidence is required to determine actual exposure, monitoring coverage, and priority.
Detection of Determine Physical Locations
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1591.001 | Determine Physical Locations (Sub-technique) | This object detects Determine Physical Locations. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1ac6bfcb9ca2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0806
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.