MITRE ATT&CK Technique
Description
Adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). Adversaries may also gather victim host information via User-Agent HTTP headers, which are sent to a server to identify the application, operating system, vendor, and/or version of the requesting user agent. This can be used to inform the adversary’s follow-on action. For example, adversaries may check user agents for the requesting operating system, then only serve malware for target operating systems while ignoring others.(Citation: TrellixQakbot)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-02T16:39:33.966Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': "Adversaries may gather information about the victim's hosts "
'that can be used during targeting. Information about hosts '
'may include a variety of details, including administrative '
'data (ex: name, assigned IP, functionality, etc.) as well as '
'specifics regarding its configuration (ex: operating system, '
'language, etc.).\n'
'\n'
'Adversaries may gather this information in various ways, such '
'as direct collection actions via [Active '
'Scanning](https://attack.mitre.org/techniques/T1595) or '
'[Phishing for '
'Information](https://attack.mitre.org/techniques/T1598). '
'Adversaries may also compromise sites then include malicious '
'content designed to collect host information from '
'visitors.(Citation: ATT ScanBox) Information about hosts may '
'also be exposed to adversaries via online or other accessible '
'data sets (ex: [Social '
'Media](https://attack.mitre.org/techniques/T1593/001) or '
'[Search Victim-Owned '
'Websites](https://attack.mitre.org/techniques/T1594)). '
'Gathering this information may reveal opportunities for other '
'forms of reconnaissance (ex: [Search Open '
'Websites/Domains](https://attack.mitre.org/techniques/T1593) '
'or [Search Open Technical '
'Databases](https://attack.mitre.org/techniques/T1596)), '
'establishing operational resources (ex: [Develop '
'Capabilities](https://attack.mitre.org/techniques/T1587) or '
'[Obtain '
'Capabilities](https://attack.mitre.org/techniques/T1588)), '
'and/or initial access (ex: [Supply Chain '
'Compromise](https://attack.mitre.org/techniques/T1195) or '
'[External Remote '
'Services](https://attack.mitre.org/techniques/T1133)).\n'
'\n'
'Adversaries may also gather victim host information via '
'User-Agent HTTP headers, which are sent to a server to '
'identify the application, operating system, vendor, and/or '
'version of the requesting user agent. This can be used to '
'inform the adversary’s follow-on action. For example, '
'adversaries may check user agents for the requesting '
'operating system, then only serve malware for target '
'operating systems while ignoring others.(Citation: '
'TrellixQakbot)',
'external_references': [{'external_id': 'T1592',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1592'},
{'description': 'Blasco, J. (2014, August 28). '
'Scanbox: A Reconnaissance Framework '
'Used with Watering Hole Attacks. '
'Retrieved October 19, 2020.',
'source_name': 'ATT ScanBox',
'url': 'https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks'},
{'description': 'Pham Duy Phuc, John Fokker J.E., '
'Alejandro Houspanossian and '
'Mathanraj Thangaraju. (2023, March '
'7). Qakbot Evolves to OneNote '
'Malware Distribution. Retrieved '
'August 1, 2024.',
'source_name': 'TrellixQakbot',
'url': 'https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
'id': 'attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'reconnaissance'}],
'modified': '2025-10-24T17:48:21.583Z',
'name': 'Gather Victim Host Information',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Sam Seabrook, Duke Energy'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.2'}