MITRE ATT&CK Technique
Reconnaissance T1592.004
Description

Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-10-02T16:47:16.719Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': "Adversaries may gather information about the victim's client "
                'configurations that can be used during targeting. Information '
                'about client configurations may include a variety of details '
                'and settings, including operating system/version, '
                'virtualization, architecture (ex: 32 or 64 bit), language, '
                'and/or time zone.\n'
                '\n'
                'Adversaries may gather this information in various ways, such '
                'as direct collection actions via [Active '
                'Scanning](https://attack.mitre.org/techniques/T1595) (ex: '
                'listening ports, server banners, user agent strings) or '
                '[Phishing for '
                'Information](https://attack.mitre.org/techniques/T1598). '
                'Adversaries may also compromise sites then include malicious '
                'content designed to collect host information from '
                'visitors.(Citation: ATT ScanBox) Information about the client '
                'configurations may also be exposed to adversaries via online '
                'or other accessible data sets (ex: job postings, network '
                'maps, assessment reports, resumes, or purchase invoices). '
                'Gathering this information may reveal opportunities for other '
                'forms of reconnaissance (ex: [Search Open '
                'Websites/Domains](https://attack.mitre.org/techniques/T1593) '
                'or [Search Open Technical '
                'Databases](https://attack.mitre.org/techniques/T1596)), '
                'establishing operational resources (ex: [Develop '
                'Capabilities](https://attack.mitre.org/techniques/T1587) or '
                '[Obtain '
                'Capabilities](https://attack.mitre.org/techniques/T1588)), '
                'and/or initial access (ex: [Supply Chain '
                'Compromise](https://attack.mitre.org/techniques/T1195) or '
                '[External Remote '
                'Services](https://attack.mitre.org/techniques/T1133)).',
 'external_references': [{'external_id': 'T1592.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1592/004'},
                         {'description': 'Blasco, J. (2014, August 28). '
                                         'Scanbox: A Reconnaissance Framework '
                                         'Used with Watering Hole Attacks. '
                                         'Retrieved October 19, 2020.',
                          'source_name': 'ATT ScanBox',
                          'url': 'https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks'},
                         {'description': 'ThreatConnect. (2020, December 15). '
                                         'Infrastructure Research and Hunting: '
                                         'Boiling the Domain Ocean. Retrieved '
                                         'October 12, 2021.',
                          'source_name': 'ThreatConnect Infrastructure Dec '
                                         '2020',
                          'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
 'id': 'attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'reconnaissance'}],
 'modified': '2025-10-24T17:48:58.431Z',
 'name': 'Client Configurations',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.1'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (1)
HAFNIUM
High
Back to TTPs
Dashboard About