Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1592.003: Firmware

Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or Exploit Public-Facing Application).

EnterpriseT1592.003Sub-techniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Firmware reconnaissance matters because it can help an adversary understand the age, configuration, purpose, or patch posture of important hosts before any intrusion occurs. For leaders, the practical issue is not just firmware itself; it is whether internal technical details are leaking through public documents, procurement records, resumes, assessment reports, network maps, or phishing-for-information activity and enabling better targeting.

Executive priority

Treat this as a pre-compromise exposure and resilience issue. Security leaders should ask whether firmware and host inventory details are governed as sensitive operational information, whether public-facing and third-party materials reveal unnecessary technical specifics, and whether incident response and vulnerability prioritization can quickly assess risk if firmware details appear in exposed datasets. This is especially relevant to audit evidence around asset governance, information handling, and reconnaissance-resistant security posture.

Technical view

This is an ATT&CK Enterprise reconnaissance sub-technique under Gather Victim Host Information, with platform PRE. SOC, threat intelligence, and IR teams should validate how they would identify attempts to collect or expose host firmware information before compromise. MITRE provides no official detection text for this object, but the relationship to DET0818 indicates a detection strategy exists for firmware reconnaissance. Teams should focus on evidence of external information exposure and suspicious elicitation rather than endpoint-only telemetry.

Likely telemetry

  • Publicly accessible documents and websites that may contain firmware versions, host types, network maps, assessment reports, purchase invoices, or technical resumes
  • Security awareness or reporting data for phishing-for-information attempts that ask about host, hardware, or firmware details
  • Threat intelligence monitoring for exposed datasets or leaked proprietary technical data referencing firmware or host configurations
  • Asset and firmware inventory records used to compare what is internally known versus what is externally exposed
  • Vulnerability management records that map firmware versions to age, patch level, and business-critical systems

Detection direction

  • Because official detection guidance is not provided, validate coverage through exposure review, threat intelligence collection, and phishing-report triage rather than assuming automated detection exists.
  • Tune monitoring for unusual or repeated requests for host firmware, hardware model, version, or configuration details, especially when framed as procurement, support, recruiting, or assessment activity.
  • Compare external-facing information against internal asset inventories to identify where firmware or host configuration details are unnecessarily disclosed.
  • Use the relationship to Gather Victim Host Information to correlate firmware exposure with broader reconnaissance indicators such as searches of public websites, technical databases, or phishing-for-information activity.
  • Account for false positives: legitimate vendor support, procurement, audit, and engineering workflows may require firmware details, so detection should emphasize unauthorized channels, unnecessary public exposure, and abnormal request context.

Mitigation priorities

  • Apply pre-compromise controls first: reduce exposed technical detail in public documents, postings, resumes, diagrams, invoices, and assessment artifacts where business need does not require disclosure.
  • Classify firmware and detailed host configuration information as sensitive operational data and define approval paths for sharing it externally.
  • Maintain accurate internal firmware inventory so vulnerability and incident response teams can quickly determine business exposure if firmware details become public.
  • Train staff who handle procurement, support, engineering, recruiting, and assessments to recognize phishing-for-information requests about host firmware or configuration.
  • Review third-party and supplier information-sharing practices, since accessible datasets can reveal technical details even when the organization does not publish them directly.
Analyst notes and limits

The decision value is in reducing adversary preparation advantage. Firmware details can help infer host purpose, configuration, age, or patch level, which may influence later reconnaissance, capability development or acquisition, supply chain considerations, or exploitation planning as described by ATT&CK. Defensive validation should therefore include information governance, external exposure management, threat intelligence, and IR readiness, not only traditional endpoint alerting.

The supplied ATT&CK object has no official detection text, no procedure examples, and only PRE platform scope. The M1056 mitigation relationship is provided at a high level and its description is truncated in the source material. Local environment evidence is required to determine whether firmware information is actually exposed, sensitive, or business-critical.

Official MITRE ATT&CK definition

Firmware

Adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or Exploit Public-Facing Application).

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1592 Gather Victim Host Information This object subtechnique of Gather Victim Host Information.
Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0818: Detection of Firmware Enterprise subtechnique of · Technique T1592: Gather Victim Host Information Enterprise mitigates · Mitigation M1056: Pre-compromise Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1056: Pre-compromise

Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

- Regularly audit and sanitize publicly available data, including job posts, websites, and social media. - Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

- Enable DNSSEC and use WHOIS privacy protection. - Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

- Use tools like Shodan, Censys to monitor your external attack surface. - Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast. - Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f205a40ad4a28040...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f205a40ad4a2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ArsTechnica Intel

    Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel source code and proprietary data dumped online. Retrieved October 20, 2020.

    Open source URL
  2. [2]
    mitre-attack T1592.003
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use