MITRE ATT&CK Technique
Description
Adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-02T16:40:47.488Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': "Adversaries may gather information about the victim's host "
'hardware that can be used during targeting. Information about '
'hardware infrastructure may include a variety of details such '
'as types and versions on specific hosts, as well as the '
'presence of additional components that might be indicative of '
'added defensive protections (ex: card/biometric readers, '
'dedicated encryption hardware, etc.).\n'
'\n'
'Adversaries may gather this information in various ways, such '
'as direct collection actions via [Active '
'Scanning](https://attack.mitre.org/techniques/T1595) (ex: '
'hostnames, server banners, user agent strings) or [Phishing '
'for Information](https://attack.mitre.org/techniques/T1598). '
'Adversaries may also compromise sites then include malicious '
'content designed to collect host information from '
'visitors.(Citation: ATT ScanBox) Information about the '
'hardware infrastructure may also be exposed to adversaries '
'via online or other accessible data sets (ex: job postings, '
'network maps, assessment reports, resumes, or purchase '
'invoices). Gathering this information may reveal '
'opportunities for other forms of reconnaissance (ex: [Search '
'Open '
'Websites/Domains](https://attack.mitre.org/techniques/T1593) '
'or [Search Open Technical '
'Databases](https://attack.mitre.org/techniques/T1596)), '
'establishing operational resources (ex: [Develop '
'Capabilities](https://attack.mitre.org/techniques/T1587) or '
'[Obtain '
'Capabilities](https://attack.mitre.org/techniques/T1588)), '
'and/or initial access (ex: [Compromise Hardware Supply '
'Chain](https://attack.mitre.org/techniques/T1195/003) or '
'[Hardware '
'Additions](https://attack.mitre.org/techniques/T1200)).',
'external_references': [{'external_id': 'T1592.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1592/001'},
{'description': 'Blasco, J. (2014, August 28). '
'Scanbox: A Reconnaissance Framework '
'Used with Watering Hole Attacks. '
'Retrieved October 19, 2020.',
'source_name': 'ATT ScanBox',
'url': 'https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
'id': 'attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'reconnaissance'}],
'modified': '2025-10-24T17:48:32.066Z',
'name': 'Hardware',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}