T1592.002: Software
Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).
Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[1] Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Additionally, adversaries may analyze metadata from victim-owned files (e.g., PDFs, DOCs, images, and sound files hosted on victim-owned websites) to extract information about the software and hardware used to create or process those files. Metadata may reveal software versions, configurations, or timestamps that indicate outdated or vulnerable software. This information can be cross-referenced with known CVEs to identify potential vectors for exploitation in future operations.[2]
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or for initial access (ex: Supply Chain Compromise or External Remote Services).
Analyst context for executives and security teams
This technique is about adversaries learning what software an organization uses before an intrusion attempt. The business risk is not the reconnaissance alone; it is that exposed software names, versions, metadata, banners, job postings, assessment reports, or other public clues can help an adversary choose vulnerable systems, tailor phishing, or plan later access paths.
Executive priority
Treat this as a pre-compromise exposure-management issue. Leaders should ask whether internet-facing services, public documents, job posts, resumes, network maps, invoices, and assessment artifacts disclose software versions or defensive tooling. This matters for vulnerability prioritization, external remote service risk, supply-chain discussions, and evidence that the organization is reducing avoidable information leakage before an incident begins.
Technical view
T1592.002 is a PRE-platform reconnaissance sub-technique under Gather Victim Host Information. ATT&CK notes collection through active scanning, phishing for information, malicious content on compromised sites, accessible public datasets, and metadata in victim-owned files. SOC and detection teams should validate whether DET0888-style coverage exists for software reconnaissance signals, but the ATT&CK object provides no official detection text, so local detection logic must be defined from available telemetry. IR and threat intelligence teams should correlate observed scanning, phishing-for-information, and public exposure findings with known software/version disclosures and follow-on risks such as External Remote Services, Supply Chain Compromise, Develop Capabilities, or Obtain Capabilities where relevant.
Likely telemetry
- Internet-facing service inventory, including listening ports and exposed server banners
- Web server and application logs that preserve user agent strings and unusual collection behavior
- Public website content and hosted-file metadata for PDFs, DOCs, images, audio, and similar files
- Records of public or accessible business artifacts such as job postings, resumes, network maps, assessment reports, and purchase invoices
- Phishing reports or intake records involving requests for software, tooling, or environment details
Detection direction
- Start by inventorying what software and version information is publicly observable, because ATT&CK provides no official detection procedure for this sub-technique.
- Tune for reconnaissance patterns that collect banners, user agent strings, hosted documents, or environment details, while accounting for benign scanners, search engines, auditors, partners, and vulnerability management activity.
- Review public documents for metadata that reveals software versions, configurations, or timestamps that may indicate outdated or vulnerable software.
- Correlate software-disclosure findings with vulnerability management data so exposed version details are prioritized by real exploitability and business criticality rather than treated as generic noise.
- Use relationship context carefully: ATT&CK lists use by C0062, Sandworm Team, Magic Hound, and Andariel, but that does not by itself indicate current targeting of any given organization.
Mitigation priorities
- Apply pre-compromise controls focused on reducing information leakage and attack surface before adversaries can use it for targeting.
- Sanitize metadata from public files and establish publishing checks for documents hosted on organization-controlled websites.
- Limit unnecessary disclosure of software products, versions, defensive tooling, network maps, and assessment details in public or broadly accessible materials.
- Reduce unnecessary service exposure and minimize banners or other externally visible details where operationally feasible.
- Align exposure review with vulnerability management so disclosed or externally visible software versions are assessed and remediated based on risk.
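The metadata review in the detection list above and the file-sanitizing step in the mitigation list describe the same control from two sides. As an added illustration (not part of the MITRE object or Glexia's analysis), the Python below reads the classic /Info dictionary of a PDF, reports Producer/Creator/Author strings that disclose a software version, and blanks them without changing the file length. The sample PDF bytes are constructed inline; production pipelines should use a full PDF library rather than this regex-based check.

```python
from __future__ import annotations
import re

# Constructed sample: a minimal PDF whose /Info dictionary carries the kind of
# producer/creator strings that publishing tools leave behind.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog >> endobj
3 0 obj << /Producer (Acrobat Distiller 9.5.5) /Creator (Microsoft Word 2010)
   /Author (j.doe) /CreationDate (D:20120301101500) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Info keys that commonly disclose tooling, identity or timing. Only plain
# literal strings "(...)" are parsed; hex strings, escaped or nested parentheses,
# XMP metadata streams and object streams are out of scope for this check.
SENSITIVE_KEYS = ("Producer", "Creator", "Author", "CreationDate", "ModDate")
ENTRY_RE = re.compile(rb"/(" + b"|".join(k.encode() for k in SENSITIVE_KEYS)
                      + rb")\s*\(([^()\\]*)\)")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+|\b(?:19|20)\d{2}\b")  # x.y.z or product year

def info_span(pdf: bytes) -> tuple[int, int] | None:
    """Byte range of the object body that the trailer's /Info entry points to."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    obj = ref and re.search(rb"(?s)(?<!\d)" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj", pdf)
    return (obj.start(1), obj.end(1)) if obj else None

def extract_metadata(pdf: bytes) -> dict[str, str]:
    """Map each sensitive /Info key to its string value."""
    span = info_span(pdf)
    if span is None:
        return {}
    return {k.decode(): v.decode("latin-1")
            for k, v in ENTRY_RE.findall(pdf[span[0]:span[1]])}

def disclosed_versions(meta: dict[str, str]) -> dict[str, str]:
    """Entries that name a software version an adversary could match to CVEs."""
    return {k: v for k, v in meta.items() if VERSION_RE.search(v)}

def scrub_info(pdf: bytes) -> bytes:
    """Blank sensitive strings in place, padding with spaces so the file length,
    and therefore every xref offset, stays exactly as it was."""
    span = info_span(pdf)
    if span is None:
        return pdf
    def blank(m: re.Match) -> bytes:
        lo, hi = m.start(2) - m.start(0), m.end(2) - m.start(0)
        return m.group(0)[:lo] + b" " * (hi - lo) + m.group(0)[hi:]
    return pdf[:span[0]] + ENTRY_RE.sub(blank, pdf[span[0]:span[1]]) + pdf[span[1]:]
```

Running `disclosed_versions(extract_metadata(...))` over a web root before publishing gives a list of files that leak tool versions; `scrub_info` is the in-place fix for the simple case.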
Analyst notes and limits
The object is a reconnaissance sub-technique, so useful coverage is often split across threat intelligence, external attack surface management, vulnerability management, phishing intake, and SOC telemetry rather than a single alert. The strongest defensive value is validating what an adversary can learn without access and closing avoidable disclosure paths.
MITRE provides no official detection text for this object. The supplied mitigation relationship is M1056 Pre-compromise, but the relationship description is truncated. Any claim about actual exposure, active exploitation, attribution, or detection coverage requires local telemetry and environment-specific assessment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1592 | Gather Victim Host Information | This object is a sub-technique of Gather Victim Host Information. |
Groups, software, and campaigns
G0059: Magic Hound
Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.[1][2][3][4][5]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
G0138: Andariel
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]
Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
C0062: Anthropic AI-orchestrated Campaign
The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 05bd3359d5b1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
- [2] Outpost24: Stijn Vande Casteele. (2025, March 31). How to analyze metadata and hide it from hackers. Retrieved July 2, 2025.
- [3] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
- [4] mitre-attack T1592.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.