title: Determine Physical Locations (T1591.001)
id: df00tech-t1591-001
status: experimental
description: "Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. Adversaries may gather this information via direct elicitation through phishing for information, by searching victim-owned websites, or by leveraging publicly accessible data sets such as SEC EDGAR filings, WHOIS registration records, and social media. This reconnaissance technique is largely external to the victim environment, making direct detection extremely limited. Observable signals include automated scraping of organization-owned web properties, OSINT tool execution on managed endpoints, and email-based location elicitation attempts."
references:
  - https://attack.mitre.org/techniques/T1591/001/
  - https://df00tech.com/detections/T1591.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1591.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate search engine crawlers (Googlebot, Bingbot, DuckDuckBot) accessing public location pages — filter by known good crawler IP ranges published by Google and Microsoft"
  - "Internal IT security teams or authorized penetration testers executing OSINT tools on managed endpoints during sanctioned assessments — correlate against approved change tickets"
  - "Marketing or business development teams using web scraping tools for competitive intelligence or market research — verify user account context and business justification"
  - "Website uptime monitoring and accessibility checking services (UptimeRobot, Pingdom, StatusCake) that regularly access contact/about pages to verify availability"
level: low
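Added example, not df00tech's rule logic: a small Python detector for the first observable signal named in the description, automated scraping of organization-owned location pages, run over constructed access-log lines. The crawler IP range, user-agent markers, paths and log lines are assumptions; the allowlist mirrors the false-positive guidance above.

```python
import ipaddress
import re
from collections import defaultdict
# Combined-format access log line (Apache/Nginx). Added example, not the df00tech rule.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Pages that disclose physical locations (contact, about, office listings).
LOCATION_PATHS = re.compile(r"^/(contact|about|locations?|offices?)(/|$|\?)", re.I)
# Placeholder crawler range (TEST-NET-3) and monitor UA markers; replace the range with
# the crawler ranges Google and Microsoft publish.
GOOD_CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MONITOR_UA_MARKERS = ("UptimeRobot", "Pingdom", "StatusCake")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_allowlisted(ip, ua):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in GOOD_CRAWLER_NETS):
        return True
    return any(marker in ua for marker in MONITOR_UA_MARKERS)

def find_location_scrapers(lines, threshold=5):
    """Return {ip: hits} for clients with >= threshold location-page requests."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not LOCATION_PATHS.match(rec["path"]):
            continue
        if is_allowlisted(rec["ip"], rec["ua"]):
            continue
        hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def make_line(ip, path, ua):
    """Build one constructed sample log line."""
    return f'{ip} - - [13/Mar/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = (  # constructed traffic: scraper, allowlisted crawler, monitor, human
    [make_line("198.51.100.7", f"/locations/office-{i}", "python-requests/2.31") for i in range(6)]
    + [make_line("203.0.113.5", f"/locations/office-{i}", "Googlebot/2.1") for i in range(6)]
    + [make_line("192.0.2.10", "/contact", "UptimeRobot/2.0") for _ in range(6)]
    + [make_line("192.0.2.44", "/about", "Mozilla/5.0 (Windows NT 10.0)")]
)

if __name__ == "__main__":
    print(find_location_scrapers(SAMPLE_LOG))  # {'198.51.100.7': 6}
```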
