MITRE ATT&CK® Technique

T1592.001: Hardware

Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: hostnames, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[1] Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Compromise Hardware Supply Chain or Hardware Additions).

Enterprise | T1592.001 | Sub-technique | Object v1.1 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Hardware reconnaissance is pre-compromise intelligence gathering about an organization’s host hardware, versions, and protective components such as card readers, biometric readers, or dedicated encryption hardware. The business issue is not the collection alone; it is that exposed hardware details can help an adversary choose better targets, tailor follow-on reconnaissance, prepare capabilities, or identify paths toward hardware supply-chain compromise or hardware additions.

Executive priority

Treat this as an attack-surface governance and resilience issue. Leaders should ask whether public-facing content, procurement artifacts, job postings, resumes, assessment reports, network maps, and web responses disclose hardware details that would make targeting easier. This matters for vulnerability prioritization, supply-chain risk discussions, physical/cyber convergence, and audit evidence showing that pre-compromise exposure is reviewed and reduced before an incident begins.

Technical view

This is an Enterprise ATT&CK reconnaissance sub-technique under Gather Victim Host Information and applies to the PRE platform. SOC, threat intelligence, and IR teams should validate whether they can see likely collection paths: active scanning that captures hostnames, server banners, and user-agent strings; phishing-for-information attempts; and suspicious web or watering-hole interactions intended to collect visitor host information. Because MITRE provides no official detection text for this object, detection engineering should focus on exposure review, reconnaissance analytics, and correlation with related reconnaissance activity rather than assuming deterministic alerts.

Likely telemetry

  • Internet-facing web, proxy, CDN, and load balancer logs showing requests, user-agent strings, hostnames, headers, and banner-revealing behavior
  • External attack-surface management or scan results identifying exposed host and hardware-related details
  • Email security, phishing-reporting, and help desk records for requests seeking hardware, workstation, device, or infrastructure details
  • Web analytics and browser/proxy telemetry that may show visits to compromised or suspicious sites collecting host information
  • Public-source review evidence from job postings, resumes, assessment reports, network maps, procurement records, purchase invoices, and other accessible datasets

Detection direction

  • Confirm whether DET0887 or any local equivalent has concrete analytics for this behavior; the supplied relationship says a detection strategy exists, but no detection logic is provided here.
  • Tune for reconnaissance patterns that request or infer host hardware details, while accounting for benign scanners, asset inventory tools, vulnerability management, search engine crawlers, and legitimate procurement or support workflows.
  • Review externally visible banners, hostnames, user-agent exposure, and public documents for unnecessary hardware specificity; detection may require combining technical telemetry with public-source exposure management.
  • Correlate hardware-focused collection with broader reconnaissance behaviors such as active scanning, phishing for information, open website/domain searching, and open technical database searching.
  • Do not rely only on endpoint telemetry: this behavior is pre-compromise and may occur entirely outside the victim environment through public data sources.

Mitigation priorities

  • Prioritize the ATT&CK M1056 pre-compromise mitigation theme: reduce the information adversaries can collect before intrusion.
  • Limit unnecessary publication of hardware models, versions, infrastructure diagrams, device inventories, defensive hardware references, and procurement details in public or broadly accessible materials.
  • Review internet-facing services for banners, headers, hostnames, and responses that disclose hardware or infrastructure details not required for operations.
  • Coordinate security, IT, procurement, HR, facilities, and communications teams so job postings, resumes, invoices, assessment reports, and network maps do not unintentionally expose sensitive hardware information.
  • Use findings to inform supply-chain, hardware-addition, and physical access risk reviews where exposed hardware details could support follow-on targeting.
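
One way to carry out the banner, header and hostname review from the mitigation list, as an added example that is not MITRE's or Glexia's code. The hostnames, header values and hardware watchlist are constructed; a real watchlist would be built from the asset inventory.

```python
import re

# Headers reviewed for version strings. Via is left out on purpose: its leading
# "1.1" is the HTTP protocol version, not a product version.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Constructed watchlist (invented vendor/model names); a real one would be
# built from the asset inventory.
HARDWARE_TERMS = ("ExampleLB 4200", "AcmeHSM", "badge-reader")

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")  # dotted versions such as 11.6.1


def audit_response(host, headers, hardware_terms=HARDWARE_TERMS):
    """Return (host, location, reason, evidence) tuples for one response."""
    findings = []
    # Hostnames can name the device behind them, so check them too.
    for term in hardware_terms:
        if term.lower() in host.lower():
            findings.append((host, "hostname", "hardware term", term))
    for name, value in headers.items():
        # Watchlist terms are checked in every header, including custom ones.
        for term in hardware_terms:
            if term.lower() in value.lower():
                findings.append((host, name, "hardware term", term))
        # Version strings are only reported for known banner headers.
        if name.lower() in BANNER_HEADERS:
            match = VERSION_RE.search(value)
            if match:
                findings.append((host, name, "version string", match.group(0)))
    return findings


def audit_all(responses):
    """Audit a {host: headers} mapping and return one flat list of findings."""
    return [f for host, hdrs in responses.items() for f in audit_response(host, hdrs)]


# Constructed sample: headers as captured from the organization's own services.
SAMPLE = {
    "www.example.test": {"Server": "nginx", "Content-Type": "text/html"},
    "vpn.example.test": {"Server": "ExampleLB 4200/11.6.1", "Via": "1.1 edge"},
    "acmehsm-01.example.test": {"Server": "Apache/2.4.57", "X-Device": "AcmeHSM rev C"},
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(*finding, sep=" | ")
```

Each finding is a candidate for removal or generalization at the service, proxy or DNS layer; the output also works as audit evidence that pre-compromise exposure was reviewed.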
Analyst notes and limits

The object is a sub-technique of T1592, Gather Victim Host Information, and is limited to reconnaissance on the PRE platform. The description explicitly links collection methods to Active Scanning, Phishing for Information, compromised sites with malicious content, and accessible datasets. It also notes that hardware information may support additional reconnaissance, capability development or acquisition, and initial access paths such as hardware supply-chain compromise or hardware additions.

MITRE does not provide official detection text for this object, and the supplied DET0887 relationship includes no analytic details. Assessment of risk and coverage requires local evidence of public exposure, logging depth, scan visibility, phishing workflows, and governance over published business and technical information.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1592 | Gather Victim Host Information | This object is a sub-technique of Gather Victim Host Information.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 89547eae59a8dd28...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 89547eae59a8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
  2. [2] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  3. [3] mitre-attack T1592.001

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.