Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Reconnaissance
  4. >ATTACK-T1592
ATTACK-T1592Active

Gather Victim Host Information

Statement

Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Supply Chain Compromise or External Remote Services).

Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)

Location

Tactic
Reconnaissance

Technique Details

Identifier
ATTACK-T1592
ATT&CK Page
View on MITRE

Tactics

Reconnaissance

Platforms

PRE

Detection

Detection of Gather Victim Host Information

Mitigations

Pre-compromise: Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:

Limit Information Exposure:

  • Regularly audit and sanitize publicly available data, including job posts, websites, and social media.
  • Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.

Protect Domain and DNS Infrastructure:

  • Enable DNSSEC and use WHOIS privacy protection.
  • Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.

External Monitoring:

  • Use tools like Shodan, Censys to monitor your external attack surface.
  • Deploy external vulnerability scanners to proactively address weaknesses.

Threat Intelligence:

  • Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.

Content and Email Protections:

  • Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.
  • Enforce SPF/DKIM/DMARC policies to protect against email spoofing.

Training and Awareness:

  • Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.

No cross-framework mappings available

← Back to Reconnaissance
Reconnaissance45 controls
ATTACK-T1589Gather Victim Identity InformationATTACK-T1589.001CredentialsATTACK-T1589.002Email AddressesATTACK-T1589.003Employee NamesATTACK-T1590Gather Victim Network InformationATTACK-T1590.001Domain PropertiesATTACK-T1590.002DNSATTACK-T1590.003Network Trust DependenciesATTACK-T1590.004Network TopologyATTACK-T1590.005IP AddressesATTACK-T1590.006Network Security AppliancesATTACK-T1591Gather Victim Org InformationATTACK-T1591.001Determine Physical LocationsATTACK-T1591.002Business RelationshipsATTACK-T1591.003Identify Business TempoATTACK-T1591.004Identify RolesATTACK-T1592Gather Victim Host InformationATTACK-T1592.001HardwareATTACK-T1592.002SoftwareATTACK-T1592.003FirmwareATTACK-T1592.004Client ConfigurationsATTACK-T1593Search Open Websites/DomainsATTACK-T1593.001Social MediaATTACK-T1593.002Search EnginesATTACK-T1593.003Code RepositoriesATTACK-T1594Search Victim-Owned WebsitesATTACK-T1595Active ScanningATTACK-T1595.001Scanning IP BlocksATTACK-T1595.002Vulnerability ScanningATTACK-T1595.003Wordlist ScanningATTACK-T1596Search Open Technical DatabasesATTACK-T1596.001DNS/Passive DNSATTACK-T1596.002WHOISATTACK-T1596.003Digital CertificatesATTACK-T1596.004CDNsATTACK-T1596.005Scan DatabasesATTACK-T1597Search Closed SourcesATTACK-T1597.001Threat Intel VendorsATTACK-T1597.002Purchase Technical DataATTACK-T1598Phishing for InformationATTACK-T1598.001Spearphishing ServiceATTACK-T1598.002Spearphishing AttachmentATTACK-T1598.003Spearphishing LinkATTACK-T1598.004Spearphishing VoiceATTACK-T1681Search Threat Vendor Data