MITRE ATT&CK® Technique

T1592: Gather Victim Host Information

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[1] Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.[2]

Domain: Enterprise | ID: T1592 | Type: Technique | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Gather Victim Host Information is pre-compromise reconnaissance: an adversary learns what hosts, operating systems, software, firmware, hardware, and client configurations an organization exposes or reveals. The business issue is not the collection alone; it is that accurate host knowledge can make later targeting, capability selection, phishing, external remote service targeting, or supply-chain decisions more efficient for the adversary.

Executive priority

Treat this as an attack-surface and readiness problem. Leaders should ask whether the organization knows what host details are publicly exposed through websites, headers, scans, social media, technical databases, and user interactions. Priority should go to reducing unnecessary disclosure, validating external visibility, and ensuring SOC and incident response teams can recognize reconnaissance before it becomes initial access. This is especially material where critical infrastructure or OT adjacency exists, because the ATT&CK relationship supplied with this object notes that Volt Typhoon's targeting pattern has been assessed as pre-positioning toward OT assets.

Technical view

This is an enterprise ATT&CK reconnaissance technique on the PRE platform. MITRE provides no official detection text, but a detection strategy relationship exists as DET0826. SOC and detection teams should validate visibility into pre-compromise evidence: active scanning against victim-owned infrastructure, phishing-for-information activity, watering-hole style host fingerprinting, User-Agent collection, and exposure through public websites or open technical data sources. Use the sub-technique structure to organize coverage for hardware, software, firmware, and client configuration disclosure rather than treating all host information as one generic signal.

Likely telemetry

  • Public-facing web server, CDN, reverse proxy, and WAF logs including User-Agent strings and request patterns
  • External attack surface inventory and scan observations for victim-owned hosts and services
  • DNS, domain, certificate, and other open technical database exposure relevant to host naming or service details
  • Phishing reports and mail/security gateway records involving requests for technical host or configuration information
  • Website content, metadata, documentation, and downloadable files that may reveal host names, IPs, software, firmware, or configurations

Detection direction

  • Because MITRE supplies no official detection logic, first confirm collection coverage before writing alerts.
  • Baseline normal scanning and web traffic to reduce false positives from legitimate researchers, search engines, uptime monitoring, and vulnerability management activity.
  • Look for unusual clustering of requests that enumerate host details, probe technology stacks, or vary User-Agent strings in ways consistent with fingerprinting.
  • Review whether web applications or compromised third-party content could collect visitor host details, as described in the ScanBox reference.
  • Correlate reconnaissance signals with related ATT&CK paths such as Active Scanning, Phishing for Information, Search Victim-Owned Websites, Search Open Technical Databases, External Remote Services, and Supply Chain Compromise.
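The clustering check in the list above, written out as an added example (this code is not part of the ATT&CK object or of Glexia's analysis). It parses access-log lines in the common "combined" format and, per client IP, looks for a short window in which many requests rotate User-Agent strings or mostly hit paths that do not exist. The log lines, the allowlist of crawler and uptime-monitor agents, and all thresholds are constructed assumptions to be tuned against a local baseline.

```python
"""Flag web clients whose request pattern looks like host fingerprinting.

Added example, not code from the ATT&CK object or from Glexia. Sample log
lines, the benign-agent allowlist and the thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed allowlist of agents that legitimately crawl or poll the site.
# A User-Agent string is client-controlled, so in production confirm such
# agents by reverse DNS or the vendor's published address ranges.
BENIGN_UA = re.compile(r"Googlebot|bingbot|UptimeRobot", re.IGNORECASE)

# Constructed sample: one client rotating agents and guessing paths,
# one ordinary visitor, and one uptime monitor polling the front page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1"
203.0.113.7 - - [10/Mar/2026:09:00:02 +0000] "GET /admin HTTP/1.1" 404 120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.7 - - [10/Mar/2026:09:00:03 +0000] "GET /api HTTP/1.1" 404 120 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:09:00:03 +0000] "GET /status HTTP/1.1" 404 120 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2026:09:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.20 - - [10/Mar/2026:09:00:09 +0000] "GET /about HTTP/1.1" 200 900 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
192.0.2.44 - - [10/Mar/2026:09:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
192.0.2.44 - - [10/Mar/2026:09:00:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)"
"""


def parse_log(text):
    """Parse combined-format lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count these separately rather than drop them silently
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        })
    return events


def find_fingerprinting(events, window=timedelta(seconds=60),
                        min_requests=4, min_distinct_ua=3, min_404_ratio=0.5):
    """Return {ip: details} for clients with a window that looks like fingerprinting.

    A window is suspicious when it holds at least min_requests requests and
    either rotates through min_distinct_ua or more User-Agent strings or has a
    404 share of min_404_ratio or more (path enumeration).
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        # Skip clients whose every request carries an allowlisted agent (baseline noise).
        if all(BENIGN_UA.search(e["ua"]) for e in evs):
            continue
        start = 0
        for end in range(len(evs)):  # sliding window over this client's requests
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_requests:
                continue
            uas = {e["ua"] for e in win}
            nf = sum(1 for e in win if e["status"] == 404) / len(win)
            if len(uas) >= min_distinct_ua or nf >= min_404_ratio:
                findings[ip] = {"requests": len(win),
                                "distinct_user_agents": len(uas),
                                "not_found_ratio": round(nf, 2)}
                break  # one hit per client is enough for triage
    return findings


if __name__ == "__main__":
    for ip, why in find_fingerprinting(parse_log(SAMPLE_LOG)).items():
        print(ip, why)
```

Run against real logs, the two thresholds behave differently: the distinct-agent count catches clients that change their User-Agent between requests, while the 404 share catches path enumeration under a single agent. Both should be set only after the baseline step in the list above, since vulnerability scanners and CDN health checks will otherwise trip them.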

Mitigation priorities

  • Apply the ATT&CK M1056 Pre-compromise mitigation concept: reduce what adversaries can learn before access is attempted.
  • Limit unnecessary publication of host names, IP assignments, software versions, firmware details, architectural details, and client configuration data.
  • Harden public websites and documentation processes so operational or configuration details are not exposed unintentionally.
  • Maintain an external attack surface review process that compares what defenders believe is exposed with what outsiders can observe.
  • Train reporting channels and response playbooks for phishing that seeks technical environment details, not only credentials.
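One concrete form of the exposure review in the list above, added here as an example that is not part of the ATT&CK object or of Glexia's analysis: compare what an outside observer sees in HTTP response headers against the hosts the organization believes it exposes, and rate headers that name server software or a version. The hostnames, headers and inventory are constructed; in practice the headers would come from an external scan of the public surface.

```python
"""Exposure audit of HTTP response headers against an asset inventory.

Added example, not code from the ATT&CK object or from Glexia. Hosts,
headers and the inventory are constructed inputs.
"""
import re

# Response headers that commonly reveal server software or framework details.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator"}
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number is treated as a version string

# Constructed observations, keyed by hostname, as an external scan would report them.
OBSERVED = {
    "www.example.test": {"Server": "nginx/1.24.0", "X-Powered-By": "PHP/8.2.7",
                         "Content-Type": "text/html"},
    "api.example.test": {"Server": "nginx", "Content-Type": "application/json"},
    "legacy.example.test": {"Server": "Apache/2.4.29 (Ubuntu)",
                            "X-AspNet-Version": "4.0.30319"},
}
# Constructed inventory: what defenders believe is exposed.
INVENTORY = {"www.example.test", "api.example.test"}


def audit_headers(headers):
    """Return [(header, severity, value)] for each disclosing header.

    A bare product name rates medium; a version string rates high, because it
    lets an observer pick capabilities for that exact build.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS:
            severity = "high" if VERSION_RE.search(value) else "medium"
            findings.append((name, severity, value))
    return findings


def exposure_report(observed, inventory):
    """Per host: whether it is inventoried and which headers disclose details."""
    report = {}
    for host, headers in observed.items():
        report[host] = {"inventoried": host in inventory,
                        "findings": audit_headers(headers)}
    # Inventoried hosts that the scan did not see are worth a look too
    # (decommissioned, or the scan missed them).
    for host in inventory - set(observed):
        report[host] = {"inventoried": True, "findings": [], "unobserved": True}
    return report


def summarize(report):
    """Roll-up for an exposure inventory: unknown hosts and high-severity disclosures."""
    return {
        "hosts": len(report),
        "unknown_hosts": sorted(h for h, r in report.items() if not r["inventoried"]),
        "high_findings": sum(1 for r in report.values()
                             for _, sev, _ in r["findings"] if sev == "high"),
    }


if __name__ == "__main__":
    rep = exposure_report(OBSERVED, INVENTORY)
    for host, r in rep.items():
        print(host, "inventoried" if r["inventoried"] else "UNKNOWN", r["findings"])
    print(summarize(rep))
```

The two outputs map onto the inventory described in the analyst notes: the unknown-host list is the gap between believed and observed exposure, and the per-host findings are the items to hand to an owner who can remove or genericize the header.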

Analyst notes and limits

The most useful defensive output is an exposure inventory: what host information is visible, where it is visible, whether it is necessary, and which controls or owners can reduce it. This technique often produces weak standalone alerts, so value comes from correlation with scanning, phishing, public exposure, and later initial-access attempts.

The supplied ATT&CK object is a high-level reconnaissance technique with platform PRE and no official detection text. DET0826 is related but no strategy details were supplied. Local web, email, external exposure, and asset inventory data are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name                   Type           Relationship / procedure
Enterprise  T1592.001  Hardware               Sub-technique  Hardware subtechnique of this object.
Enterprise  T1592.002  Software               Sub-technique  Software subtechnique of this object.
Enterprise  T1592.003  Firmware               Sub-technique  Firmware subtechnique of this object.
Enterprise  T1592.004  Client Configurations  Sub-technique  Client Configurations subtechnique of this object.

Associated objects

Groups, software, and campaigns

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 79a6e382f284a63f...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.2                       Current bundle  79a6e382f284…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
  2. [2] TrellixQakbot: Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved August 1, 2024.
  3. [3] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  4. [4] mitre-attack T1592.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.