DET0841: Detection of Gather Victim Identity Information
Analyst context for executives and security teams
DET0841 is a detection strategy entry for identifying activity related to adversaries gathering victim identity information, mapped to ATT&CK technique T1589. The business significance is that identity details gathered before compromise can improve phishing, targeting, credential theft, and MFA-focused social engineering. Because the official detection strategy has no description, platforms, tactics, or detection logic supplied, organizations should treat this as a prompt to validate whether they can see and govern exposure of employee identity data before it becomes useful to an attacker.
Executive priority
Prioritize this as an identity and reconnaissance risk question: what employee, credential, MFA, and personal information is exposed or obtainable, and who owns reducing that exposure? For leaders, the decision value is in confirming whether IAM, security awareness, threat intelligence, SOC monitoring, and privacy/compliance processes produce evidence that identity data exposure is managed, not merely assumed.
Technical view
This object detects T1589, Gather Victim Identity Information, under reconnaissance with PRE platform context. Since no official detection logic is provided, SOC and detection teams should validate coverage around evidence of identity-information collection and exposure rather than claiming a specific analytic. Focus on monitoring and review of sources that reveal unusual interest in employee names, email addresses, security-question-like data, credentials, or MFA configuration details where those sources exist in the local environment.
Likely telemetry
- Identity and access management audit logs related to account profile, MFA, and directory lookups
- Email security and phishing-reporting telemetry for requests seeking employee, credential, or MFA information
- Web, proxy, or application logs for access to public or internal directories where identity data is published
- Threat intelligence or external attack surface findings that show exposed employee identity information
- Help desk, HR, or collaboration platform records involving requests for identity or account details
Detection direction
- Inventory where identity information is stored, published, queried, or externally exposed before building detections.
- Validate whether SOC telemetry can distinguish normal business lookup activity from unusual bulk access, scraping-like behavior, or suspicious requests for identity details.
- Tune for false positives from HR, IT support, recruiting, sales, and compliance workflows that legitimately handle employee identity data.
- Use the relationship to T1589 as context: detections should support early warning and investigative enrichment for reconnaissance, not only post-compromise alerts.
- Document blind spots explicitly because the ATT&CK object provides no official detection text or platform-specific guidance.
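The second and third items above (separating normal lookups from bulk or scraping-like access, and tuning out legitimate HR/IT workflows) can be exercised before any production rule is written. The following is an added example, not part of the ATT&CK object or the Glexia analysis: a small Python detector run over constructed directory-audit events. The JSON-per-line schema (fields ts, actor, actor_role, action, target, attributes), the attribute names such as mfa_methods and recovery_email, the allowlisted svc-hr-sync account and the thresholds are all assumptions made for illustration, not a vendor log format.

```python
"""Toy directory-lookup detector (added example; hypothetical schema).

Two checks drawn from the detection direction above:
  1. bulk_lookups: one actor reading many distinct profiles inside a
     time window, with allowlisted bulk workflows (e.g. HR sync) excluded.
  2. sensitive_reads: non-privileged roles reading MFA/recovery attributes.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values; adjust to local baselines).
ALLOWLISTED_ACTORS = {"svc-hr-sync"}               # known legitimate bulk export
PRIVILEGED_ROLES = {"helpdesk", "iam-admin", "service"}
SENSITIVE_ATTRS = {"mfa_methods", "recovery_email", "recovery_phone",
                   "security_questions"}


def _event(ts, actor, role, target, attrs):
    return json.dumps({"ts": ts, "actor": actor, "actor_role": role,
                       "action": "directory.read", "target": target,
                       "attributes": attrs})


# Constructed sample telemetry: an HR sync service doing its normal bulk
# export, a helpdesk user doing three lookups, and an ordinary employee
# enumerating 30 profiles including MFA and recovery attributes.
SAMPLE_LOG = "\n".join(
    [_event(f"2026-01-15T09:{i:02d}:00Z", "svc-hr-sync", "service",
            f"user{i}@example.test", ["mail", "title"]) for i in range(40)]
    + [_event(f"2026-01-15T10:{i:02d}:00Z", "helpdesk1", "helpdesk",
              f"user{i}@example.test", ["mail", "mfa_methods"]) for i in range(3)]
    + [_event(f"2026-01-15T11:{i:02d}:00Z", "jdoe", "employee",
              f"user{i}@example.test",
              ["mail", "mfa_methods", "recovery_email"]) for i in range(30)]
)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def bulk_lookups(events, window=timedelta(minutes=60), threshold=20,
                 allowlist=ALLOWLISTED_ACTORS):
    """Flag actors whose distinct-target count inside any window >= threshold."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        if actor in allowlist:
            continue  # tuned-out legitimate bulk workflow
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # target -> occurrences inside window
        left, peak = 0, 0
        for right, e in enumerate(evs):
            in_window[e["target"]] += 1
            # Slide the left edge until the window fits.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                t = evs[left]["target"]
                in_window[t] -= 1
                if in_window[t] == 0:
                    del in_window[t]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings.append({"rule": "bulk_directory_lookup", "actor": actor,
                             "distinct_targets": peak})
    return findings


def sensitive_reads(events, privileged_roles=PRIVILEGED_ROLES,
                    sensitive_attrs=SENSITIVE_ATTRS):
    """Count reads of MFA/recovery attributes by non-privileged roles."""
    counts = defaultdict(int)
    for e in events:
        if e["actor_role"] in privileged_roles:
            continue
        if sensitive_attrs.intersection(e.get("attributes", [])):
            counts[e["actor"]] += 1
    return [{"rule": "sensitive_attribute_read", "actor": a, "events": n}
            for a, n in sorted(counts.items())]


def analyze(text, threshold=20):
    events = parse_events(text)
    return bulk_lookups(events, threshold=threshold) + sensitive_reads(events)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Running the block against the constructed sample flags only jdoe, once for the bulk enumeration and once for reading MFA/recovery attributes, while the allowlisted HR sync and the helpdesk role pass. The allowlist and role sets are where the tuning for HR, IT support and similar workflows lives; the window and threshold should be set from observed baselines in the local directory before the rule is trusted.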
Mitigation priorities
- Reduce unnecessary public exposure of employee names, email formats, role details, and account-recovery clues where business needs allow.
- Strengthen IAM governance around MFA configuration visibility, credential handling, account recovery, and directory access.
- Train help desk, HR, and user-facing teams to recognize elicitation attempts for identity, credential, or MFA information.
- Use external exposure reviews and threat intelligence to identify identity data that could support targeting.
- Ensure incident response playbooks treat identity-information gathering as relevant pre-incident context for phishing, credential, and MFA-related investigations.
Analyst notes and limits
The supplied ATT&CK detection strategy object is sparse: it has a name and external reference but no official description, detection text, platforms, or tactics. The only substantive context is its relationship to T1589, which describes adversaries gathering victim identity information for targeting, including employee names, email addresses, security question responses, credentials, and MFA configurations.
This analysis does not assert active exploitation, attribution, specific tools, affected platforms, or guaranteed detection coverage. Local telemetry, data exposure, IAM architecture, and business processes must be reviewed to determine practical applicability.
Detection of Gather Victim Identity Information
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1589 | Gather Victim Identity Information | This object detects Gather Victim Identity Information. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 21d48e4468e5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0841
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.