MITRE ATT&CK® Technique

T1591.001: Determine Physical Locations

Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites or Social Media).[1][2] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Phishing or Hardware Additions).

Enterprise | T1591.001 | Sub-technique | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Determine Physical Locations is pre-compromise reconnaissance: an adversary looks for where an organization operates, where key resources or infrastructure are housed, and what jurisdictions may apply. For leaders, the risk is not just “someone knows our address”; location data can help shape phishing, open-source research, operational resource planning, or attempts involving physical presence such as hardware additions.

Executive priority

Treat exposed location information as part of attack-surface and resilience governance. Security, legal, facilities, communications, and compliance teams should know what location details are intentionally public, what is unnecessarily exposed through websites, social media, regulatory filings, or leaked datasets, and what evidence exists that this exposure is reviewed. This matters for incident readiness because location intelligence can influence targeting, jurisdictional response, site-specific business continuity decisions, and cyber-physical risk prioritization.

Technical view

This is an enterprise ATT&CK reconnaissance sub-technique under Gather Victim Org Information on the PRE platform, so coverage is less about endpoint alerts and more about pre-compromise visibility, exposure management, and threat-intelligence monitoring. ATT&CK provides no official detection text, but a related detection strategy, DET0806, is mapped to this object. SOC and detection teams should validate whether they can identify suspicious or unusual collection of public-facing location data, correlate it with related reconnaissance behaviors such as phishing for information, searching victim-owned websites, social media collection, and open website/domain research, and preserve context for IR if later phishing or initial-access activity appears.

Likely telemetry

  • Public website and domain content inventories that list offices, facilities, data centers, warehouses, or operational sites
  • Social media and public communications mentioning staff locations, site visits, facilities, or operational routines
  • Regulatory or public filing exposure, including sources such as SEC EDGAR where applicable
  • Threat-intelligence or external attack-surface monitoring for leaked datasets or indexed documents containing location details
  • Web analytics or access logs for unusual scraping or repeated access to location-heavy pages, where available

Detection direction

  • Use DET0806 as the relationship-backed starting point, but validate locally because no official ATT&CK detection guidance is supplied.
  • Baseline normal access to public location pages and tune for unusual scraping patterns, repeated downloads, automation, or access from unexpected sources; expect false positives from customers, partners, researchers, recruiters, and search engines. Because a user-agent string is trivially spoofed and a patient scraper can spread requests over days, confirm declared search-engine crawlers against published IP ranges or reverse DNS before excluding them, and pair burst rules with a longer-window count of distinct location pages per client.
  • Correlate location-focused collection with adjacent reconnaissance signals named in the ATT&CK description, including phishing for information, searches of victim-owned websites, social media collection, and open website/domain research.
  • Review whether SOC workflows capture pre-compromise indicators at all; many environments only detect after credential theft, phishing delivery, or endpoint execution.
  • For IR, preserve observed reconnaissance context because it may explain why a specific site, employee population, jurisdiction, or facility became the focus of later activity.
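
The telemetry and detection bullets above describe baselining access to location-heavy pages and tuning for scraping bursts while tolerating search-engine crawlers. The following is an added example, not Glexia or MITRE code, that runs that logic over a few constructed combined-format web access log lines. The path prefixes, the burst threshold, the time window and the crawler allowlist are assumptions to be tuned to the local site.

```python
"""Flag clients that harvest location-heavy pages from a public web server.

Added example for this page (not from Glexia or MITRE). Reads Apache/nginx
combined-format lines, groups requests to location pages per client, and
reports clients that fetch several distinct location pages in a short burst
unless every request declares an allowlisted search-engine user agent.
"""
import re
from collections import defaultdict
from datetime import datetime

# Pages whose content discloses offices, facilities or data centers (assumed).
LOCATION_PATHS = ("/locations", "/offices", "/contact", "/facilities", "/data-centers")

# Declared crawlers to tolerate. UA strings are spoofable: in production confirm
# them against published IP ranges or reverse DNS before trusting them.
KNOWN_CRAWLER_UA = ("Googlebot", "bingbot")

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one scripted scraper, one ordinary visitor, one crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:09:00:01 +0000] "GET /locations HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:00:02 +0000] "GET /locations/berlin HTTP/1.1" 200 4100 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:00:02 +0000] "GET /locations/austin HTTP/1.1" 200 4090 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:00:03 +0000] "GET /data-centers HTTP/1.1" 200 7300 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:00:03 +0000] "GET /offices HTTP/1.1" 200 3900 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:09:00:04 +0000] "GET /facilities HTTP/1.1" 200 6100 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2025:09:05:10 +0000] "GET /contact HTTP/1.1" 200 2200 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
198.51.100.20 - - [12/May/2025:09:07:42 +0000] "GET /about HTTP/1.1" 200 3000 "https://www.example.com/contact" "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
66.249.66.1 - - [12/May/2025:09:10:00 +0000] "GET /locations HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [12/May/2025:09:10:01 +0000] "GET /locations/berlin HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [12/May/2025:09:10:02 +0000] "GET /locations/austin HTTP/1.1" 200 4090 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.66.1 - - [12/May/2025:09:10:03 +0000] "GET /offices HTTP/1.1" 200 3900 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_location_page(path):
    return path.startswith(LOCATION_PATHS)


def is_known_crawler(ua):
    return any(token in ua for token in KNOWN_CRAWLER_UA)


def find_location_scrapers(log_text, min_hits=4, window_seconds=60):
    """Return {ip: finding} for clients that request at least min_hits distinct
    location pages, with min_hits of those requests inside window_seconds,
    and that do not present an allowlisted crawler UA on every request."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_location_page(rec["path"]):
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, hits in per_ip.items():
        uas = {h["ua"] for h in hits}
        if all(is_known_crawler(ua) for ua in uas):
            continue  # declared crawler; verify out-of-band rather than alert
        distinct = {h["path"] for h in hits}
        if len(distinct) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        # Sliding window: any run of min_hits requests inside the window is a burst.
        for i in range(len(hits) - min_hits + 1):
            span = (hits[i + min_hits - 1]["ts"] - hits[i]["ts"]).total_seconds()
            if span <= window_seconds:
                findings[ip] = {
                    "hits": len(hits),
                    "distinct_pages": sorted(distinct),
                    "burst_seconds": span,
                    "user_agents": sorted(uas),
                    "reason": "burst of location-page requests from non-allowlisted client",
                }
                break
    return findings


if __name__ == "__main__":
    for ip, finding in find_location_scrapers(SAMPLE_LOG).items():
        print(ip, finding)
```

On the constructed sample only 203.0.113.7 is reported: the Firefox visitor touches a single location page and the Googlebot requests are excluded by the allowlist. A low-and-slow scraper spreading requests over hours will not trip the burst rule, which is why the per-client distinct-page count should also be reviewed over a day or week.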

Mitigation priorities

  • Apply the mapped M1056 Pre-compromise mitigation theme: reduce unnecessary information exposure before adversaries can use it.
  • Inventory public location disclosures across websites, social media, public filings, marketing material, job postings, and accessible datasets.
  • Define what location information must remain public for business, legal, or customer reasons, and remove or generalize details that unnecessarily reveal key resources, infrastructure, or operational dependencies.
  • Coordinate security with legal, communications, facilities, and business-continuity owners so location disclosures are reviewed consistently and defensibly.
  • Train staff who handle public communications or inquiries to recognize direct elicitation attempts for facility, infrastructure, or site-specific details.
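
The inventory and "remove or generalize" bullets above call for knowing which location details a site publishes and which of them reveal key resources rather than customer-facing offices. One place such details are published in machine-readable form is schema.org JSON-LD markup (Organization, LocalBusiness or Place objects carrying a PostalAddress), which search engines index directly. The following is an added example, not Glexia or MITRE tooling, that extracts those addresses from page HTML and sorts them into an intended-public list and a review queue. The HTML is a constructed sample and the keyword list that triggers review is an assumption to be aligned with the organization's own disclosure policy.

```python
"""Inventory location disclosures embedded in published pages as schema.org
JSON-LD and queue the ones that look like infrastructure for review.

Added example for this page (not Glexia or MITRE code). Uses only the
standard library so it can be run offline over saved HTML.
"""
import json
from html.parser import HTMLParser

# Terms in a place's name/description that suggest it discloses infrastructure
# or an operational dependency rather than a public office (assumed list).
SENSITIVE_TERMS = ("data center", "datacenter", "warehouse", "disaster recovery",
                   "dr site", "backup", "fulfillment", "plant")

# Constructed sample page: a headquarters, a sales office, a data center and a warehouse.
SAMPLE_HTML = """<html><head>
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Organization","name":"Example Corp",
 "address":{"@type":"PostalAddress","streetAddress":"100 Main St","addressLocality":"Austin",
            "addressRegion":"TX","postalCode":"78701","addressCountry":"US"},
 "subOrganization":[
  {"@type":"Place","name":"Example Corp Berlin Sales Office",
   "address":{"@type":"PostalAddress","streetAddress":"Friedrichstr. 10","addressLocality":"Berlin",
              "postalCode":"10117","addressCountry":"DE"}},
  {"@type":"Place","name":"Primary Data Center","description":"Hosts production and DR systems",
   "address":{"@type":"PostalAddress","streetAddress":"4500 Industrial Pkwy","addressLocality":"Round Rock",
              "addressRegion":"TX","postalCode":"78664","addressCountry":"US"}}
 ]}
</script>
<script type="application/ld+json">
[{"@type":"LocalBusiness","name":"Example Corp Fulfillment Warehouse",
  "address":{"@type":"PostalAddress","streetAddress":"9 Depot Rd","addressLocality":"Reno",
             "addressRegion":"NV","postalCode":"89502","addressCountry":"US"}}]
</script>
</head><body><h1>Contact us</h1></body></html>
"""

ADDRESS_FIELDS = ("streetAddress", "addressLocality", "addressRegion", "postalCode", "addressCountry")


class JsonLdCollector(HTMLParser):
    """Collect the raw text of every <script type="application/ld+json"> block."""

    def __init__(self):
        super().__init__()
        self._in_ld = False
        self.blocks = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and (dict(attrs).get("type") or "").lower() == "application/ld+json":
            self._in_ld = True
            self.blocks.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_ld = False

    def handle_data(self, data):
        if self._in_ld:
            self.blocks[-1] += data


def _walk(node, found):
    """Depth-first search for objects whose 'address' is a PostalAddress."""
    if isinstance(node, dict):
        addr = node.get("address")
        for a in (addr if isinstance(addr, list) else [addr]):
            if isinstance(a, dict) and a.get("@type") == "PostalAddress":
                found.append({
                    "name": node.get("name", ""),
                    "type": node.get("@type", ""),
                    "description": node.get("description", ""),
                    "address": ", ".join(str(a[k]) for k in ADDRESS_FIELDS if a.get(k)),
                })
        for value in node.values():
            _walk(value, found)
    elif isinstance(node, list):
        for item in node:
            _walk(item, found)


def extract_locations(html):
    """Return every named entity with a PostalAddress found in the page's JSON-LD."""
    collector = JsonLdCollector()
    collector.feed(html)
    found = []
    for block in collector.blocks:
        try:
            data = json.loads(block)
        except json.JSONDecodeError:
            continue  # malformed markup; log it in a real inventory run
        _walk(data, found)
    return found


def needs_review(entry):
    text = f"{entry['name']} {entry['description']} {entry['type']}".lower()
    return any(term in text for term in SENSITIVE_TERMS)


def build_review_queue(html):
    """Split extracted locations into (intended_public, needs_review)."""
    public, review = [], []
    for entry in extract_locations(html):
        (review if needs_review(entry) else public).append(entry)
    return public, review


if __name__ == "__main__":
    public, review = build_review_queue(SAMPLE_HTML)
    print("public:", [e["name"] for e in public])
    print("review:", [(e["name"], e["address"]) for e in review])
```

Run over a crawl of the organization's own sites, the review queue gives legal, communications and facilities owners a concrete list to decide on: the Berlin sales office stays, while a data center or fulfillment site address can be generalized to a city or removed. Plain-text addresses outside JSON-LD need a separate pass, so treat this as one input to the inventory rather than the whole of it.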

Analyst notes and limits

The Magic Hound group is mapped as using this technique, but that relationship should be treated as contextual threat intelligence rather than evidence of current activity against any organization. The supplied references show that adversaries can draw from public and accessible sources such as SEC EDGAR and leaked datasets, but local exposure depends on each organization’s publishing, filing, and data-leak profile.

ATT&CK provides no official detection procedure for this object, and the related detection strategy details are not included here. The platform is PRE, so standard host or network detections may not provide direct coverage. This take does not assess active exploitation, attribution, customer exposure, or guaranteed detectability; those require local telemetry and threat-intelligence evidence.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1591 | Gather Victim Org Information | This object is a sub-technique of Gather Victim Org Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0059: Magic Hound

Magic Hound is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6672f3d210a117de...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 6672f3d210a1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. ThreatPost. Retrieved October 20, 2020.
  2. [2] U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved November 17, 2024.
  3. [3] MITRE ATT&CK. T1591.001: Determine Physical Locations (attack.mitre.org entry).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.