MITRE ATT&CK® Technique

T1592.004: Client Configurations

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning (ex: listening ports, server banners, user agent strings) or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.[1] Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Enterprise · T1592.004 · Sub-technique · Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Client Configurations is a pre-compromise reconnaissance behavior where an adversary learns what client environments an organization uses, such as operating systems, versions, architecture, language, time zone, virtualization, and related settings. Its business significance is that small configuration details can help an attacker choose targets, tailor phishing or watering-hole content, prioritize exposed remote services, or prepare capabilities before any alertable intrusion occurs.

Executive priority

Treat this as an attack-surface and information-exposure issue, not just a SOC detection problem. Leaders should ask whether public materials, technical documents, job postings, assessment reports, user-agent exposure, and internet-facing services reveal enough client detail to make targeting easier. Priority should go to reducing unnecessary disclosure, validating reconnaissance visibility, and ensuring incident response can connect early reconnaissance to later initial-access decisions such as external remote services, supply chain exposure, or phishing-driven activity.

Technical view

This is an Enterprise ATT&CK reconnaissance sub-technique on the PRE platform under Gather Victim Host Information. ATT&CK does not provide official detection text for this object, but a related detection strategy, DET0820 Detection of Client Configurations, is mapped to it. SOC and detection engineering teams should validate whether they can observe attempts to infer client configuration through active scanning artifacts, server banners, user-agent strings, phishing-for-information activity, watering-hole style host profiling, and exposure of configuration details in accessible datasets. IR teams should preserve reconnaissance context because these details may explain later tooling, lure content, exploit selection, or targeting decisions.

Likely telemetry

  • Web server, proxy, CDN, and WAF logs showing user-agent collection, unusual client fingerprinting, or repeated probing
  • Internet-facing service logs and scan telemetry, including banner exposure and listening-port observations
  • Email security and phishing-reporting data related to requests for system, endpoint, or configuration information
  • Threat intelligence and external attack-surface management findings for exposed technical documents, job postings, resumes, invoices, network maps, or assessment reports
  • Endpoint/browser or web analytics evidence where visitor host attributes such as language, time zone, OS, architecture, or virtualization indicators may be collected by suspicious content

Detection direction

  • Inventory where client configuration details are exposed externally and compare that exposure against what monitoring can actually see.
  • Tune reconnaissance analytics for repeated or unusual collection of banners, user-agent strings, browser attributes, language/time-zone values, or other host-fingerprinting signals.
  • Correlate pre-compromise reconnaissance indicators with later phishing, external remote service targeting, supply chain concerns, or capability development indicators when available.
  • Account for false positives from legitimate vulnerability scanners, web analytics, CDN services, advertising/marketing scripts, browser compatibility checks, and security testing.
  • Use the DET0820 relationship as a cue to evaluate detection strategy coverage, but do not assume coverage exists because ATT&CK provides no detection details in the supplied object.
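A concrete form of the reconnaissance analytics described in the telemetry and detection bullets above, as an added example that is not part of the Glexia page or of ATT&CK: a small Python script that parses combined-format web-server log lines (constructed sample lines, not real traffic) and flags source addresses that cycle through many distinct User-Agent strings within a short window or whose requests are mostly errors, while skipping an allowlist of authorized scanner addresses to reduce the false positives the last bullets mention. The thresholds, the sample addresses, and the allowlist are assumptions chosen for illustration.

```python
"""Flag web clients whose request pattern looks like client/host fingerprinting
or probing (T1592.004 reconnaissance). Added example; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:09:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
203.0.113.5 - - [10/Mar/2026:09:00:02 +0000] "GET /about HTTP/1.1" 200 987 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
198.51.100.7 - - [10/Mar/2026:09:05:10 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/115.0"
198.51.100.7 - - [10/Mar/2026:09:05:11 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1"
198.51.100.7 - - [10/Mar/2026:09:05:12 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
198.51.100.7 - - [10/Mar/2026:09:05:13 +0000] "GET /status HTTP/1.1" 404 210 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2026:09:05:14 +0000] "GET /old-site HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:09:05:15 +0000] "GET /backup HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
192.0.2.9 - - [10/Mar/2026:09:10:00 +0000] "GET / HTTP/1.1" 200 400 "-" "Mozilla/5.0 internal-scanner/1.0"
192.0.2.9 - - [10/Mar/2026:09:10:01 +0000] "GET /status HTTP/1.1" 404 210 "-" "Mozilla/5.0 internal-scanner/1.0"
192.0.2.9 - - [10/Mar/2026:09:10:02 +0000] "GET /old-site HTTP/1.1" 404 210 "-" "Mozilla/5.0 internal-scanner/1.0"
"""


def parse(text):
    """Parse combined-format lines into dicts; silently skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def score_clients(events, window_s=300, ua_threshold=3, err_ratio=0.5,
                  min_requests=3, authorized_scanners=frozenset()):
    """Return {ip: [reasons]} for sources whose traffic resembles fingerprinting or probing.

    Signals (assumed thresholds):
      - ua_threshold or more distinct User-Agent strings within window_s seconds
        (UA cycling is a common artifact of automated client/host profiling)
      - at least min_requests requests of which err_ratio or more returned 4xx/5xx
    Addresses in authorized_scanners (known vulnerability scanners, security
    testing) are skipped to avoid the false positives such tooling produces.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        if ip in authorized_scanners:
            continue
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        distinct_uas = {e["ua"] for e in evs}
        errors = sum(1 for e in evs if e["status"] >= 400)
        reasons = []
        if len(distinct_uas) >= ua_threshold and span <= window_s:
            reasons.append(f"{len(distinct_uas)} distinct user-agents in {int(span)}s")
        if len(evs) >= min_requests and errors / len(evs) >= err_ratio:
            reasons.append(f"{errors}/{len(evs)} requests returned 4xx/5xx")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    # Without an allowlist the internal scanner is flagged alongside the probing host.
    for ip, why in score_clients(parsed).items():
        print(ip, "->", "; ".join(why))
    print("--- with 192.0.2.9 allowlisted as an authorized scanner ---")
    for ip, why in score_clients(parsed, authorized_scanners={"192.0.2.9"}).items():
        print(ip, "->", "; ".join(why))
```

Run against real logs, the two thresholds should be set from a baseline of normal traffic (CDN and analytics scripts legitimately produce varied user-agents from shared egress addresses), and the allowlist should be fed from the organization's scanner inventory rather than maintained by hand.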

Mitigation priorities

  • Reduce unnecessary public disclosure of client operating systems, versions, architectures, remote-access technologies, and assessment details in externally accessible materials.
  • Review internet-facing service banners, user-agent handling, and technical metadata exposure as part of pre-compromise attack-surface management.
  • Apply pre-compromise mitigation principles from M1056: limit information exposure, reduce attack surface, identify adversarial preparation, and make reconnaissance less useful.
  • Establish review processes for job postings, resumes, invoices, network maps, and assessment reports that may reveal client configuration information.
  • Ensure incident response and threat intelligence workflows record reconnaissance findings so they can inform later risk prioritization and control decisions.

Analyst notes and limits

The relationship context links this sub-technique to the broader Gather Victim Host Information technique and shows use by HAFNIUM and the Anthropic AI-orchestrated Campaign. Those relationships indicate ATT&CK-documented relevance, but they should not be treated as evidence of current activity against any specific organization. The strongest practical value is validating what the organization leaks, what it logs, and whether reconnaissance findings are incorporated into risk and IR decisions.

Official ATT&CK detection guidance is not provided for this technique, and the supplied DET0820 relationship does not include detection logic. Platform is PRE, so many observations may occur outside traditional endpoint telemetry. Local exposure reviews, log availability, and business context are required to judge material risk and coverage.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID      Name                             Relationship / procedure
Enterprise  T1592   Gather Victim Host Information   This object is a sub-technique of Gather Victim Host Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0125: HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]

Campaign Enterprise

C0062: Anthropic AI-orchestrated Campaign

The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: c3f603523a6e0958...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.1                         Current bundle   c3f603523a6e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ATT ScanBox: Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.
  2. [2] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  3. [3] mitre-attack T1592.004.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.