MITRE ATT&CK® Detection Strategy

DET0869: Detection of Gather Victim Network Information

Enterprise | DET0869 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0869 is a detection strategy placeholder for identifying activity related to adversaries gathering information about a victim’s network. Even though the ATT&CK object does not provide detection logic, the linked technique, T1590, matters because network ranges, domain names, topology, and operational details can help an adversary make later targeting more efficient. For leaders, the value is in asking whether the organization can see and explain external reconnaissance against its network presence before it becomes an incident-response problem.

Executive priority

Treat this as a readiness and exposure-management question rather than a single alert rule. Security leaders should validate whether public-facing network information is inventoried, monitored, and governed, and whether SOC and incident response teams have usable evidence when suspicious reconnaissance is reported. This supports business continuity by reducing blind spots around internet-facing assets, strengthens audit evidence about monitoring practices, and helps prioritize controls for externally visible infrastructure.

Technical view

The supplied detection strategy has no official detection text, platforms, or tactics, but it is related to ATT&CK technique T1590, Gather Victim Network Information, under reconnaissance with PRE platform context. SOC and detection teams should map local visibility to evidence of attempts to enumerate or collect information about the organization’s network footprint, such as IP ranges, domains, and externally observable topology. Detection validation should focus on whether relevant telemetry exists, is retained, and can be correlated with asset ownership and exposure data.

Likely telemetry

  • External-facing asset inventory and ownership records
  • DNS registration, DNS query, and domain monitoring data where available
  • Public IP range and network allocation records
  • Internet-facing service discovery or exposure-management results
  • Web, proxy, firewall, and perimeter logs that may show unusual information-gathering patterns

Detection direction

  • Because MITRE provides no official detection logic for DET0869, first validate data coverage rather than assuming alert coverage.
  • Correlate suspicious external reconnaissance indicators with known corporate domains, IP ranges, and internet-facing services.
  • Tune detections to distinguish benign research, partner activity, vulnerability scanning, and internal security testing from unexplained third-party collection activity.
  • Use the relationship to T1590 to frame detection around reconnaissance of administrative network data and topology, not post-compromise host behavior.
  • Check blind spots in unmanaged assets, newly acquired domains, cloud-hosted public endpoints, and infrastructure not represented in the asset inventory.
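The correlation and tuning steps above, as an added example that is not Glexia's or MITRE's code: a small Python triage routine that parses constructed perimeter log lines, checks each destination against a constructed asset inventory, and explains each source using allowlists for authorised internal testing and partner activity. Sources that touch several inventoried assets without an allowlist explanation are labelled as unexplained enumeration; sources that reach a host the inventory does not know about surface an inventory gap. The inventory, allowlists, RFC 5737 addresses, example.org hostnames, log format and the enumeration threshold are all assumptions.

```python
"""Triage external reconnaissance against an asset inventory.

Added example, not code from Glexia or MITRE ATT&CK. Every address,
hostname, log line and threshold below is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: what the organisation believes is externally exposed.
CORPORATE_DOMAINS = {"www.example.org", "mail.example.org", "vpn.example.org"}
CORPORATE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed allowlists that explain benign collection activity.
AUTHORISED_SCANNERS = [ipaddress.ip_network("198.51.100.0/28")]    # internal testing
PARTNER_RANGES = [ipaddress.ip_network("198.51.100.128/25")]       # known partners

# Assumed: distinct inventoried assets one source must touch to count as enumeration.
ENUMERATION_THRESHOLD = 3

# Assumed perimeter/proxy log format: "<timestamp> src=<ip> dst=<ip> host=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)$")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOGS = [
    "2025-01-10T10:00:01Z src=203.0.113.7 dst=192.0.2.10 host=www.example.org",
    "2025-01-10T10:00:04Z src=203.0.113.7 dst=192.0.2.11 host=mail.example.org",
    "2025-01-10T10:00:09Z src=203.0.113.7 dst=192.0.2.12 host=vpn.example.org",
    "2025-01-10T10:01:00Z src=198.51.100.5 dst=192.0.2.10 host=www.example.org",
    "2025-01-10T10:01:02Z src=198.51.100.5 dst=192.0.2.11 host=mail.example.org",
    "2025-01-10T10:01:04Z src=198.51.100.5 dst=192.0.2.12 host=vpn.example.org",
    "2025-01-10T10:02:00Z src=203.0.113.40 dst=192.0.2.55 host=dev.example.org",
    "2025-01-10T10:03:00Z src=203.0.113.77 dst=192.0.2.10 host=www.example.org",
    "2025-01-10T10:04:00Z src=198.51.100.200 dst=192.0.2.12 host=vpn.example.org",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["src"] = ipaddress.ip_address(event["src"])
    event["dst"] = ipaddress.ip_address(event["dst"])
    return event


def in_any(addr, networks):
    """True if the address falls inside any of the given networks."""
    return any(addr in net for net in networks)


def triage(lines):
    """Group events by source and return {source_ip: {verdict, assets, uninventoried}}."""
    touched = defaultdict(set)        # source -> hostnames it contacted
    uninventoried = defaultdict(set)  # source -> contacted hosts missing from inventory
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, not silently mis-attributed
        touched[event["src"]].add(event["host"])
        if event["host"] not in CORPORATE_DOMAINS or not in_any(event["dst"], CORPORATE_RANGES):
            uninventoried[event["src"]].add(event["host"])

    verdicts = {}
    for src, hosts in touched.items():
        if in_any(src, AUTHORISED_SCANNERS):
            verdict = "authorised-testing"
        elif in_any(src, PARTNER_RANGES):
            verdict = "partner-activity"
        elif uninventoried[src]:
            verdict = "inventory-gap"          # blind spot: asset not in the inventory
        elif len(hosts) >= ENUMERATION_THRESHOLD:
            verdict = "unexplained-enumeration"
        else:
            verdict = "low-volume"
        verdicts[str(src)] = {
            "verdict": verdict,
            "assets": sorted(hosts),
            "uninventoried": sorted(uninventoried[src]),
        }
    return verdicts


if __name__ == "__main__":
    for src, result in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{src:16} {result['verdict']:24} assets={result['assets']}")
```

The ordering of the checks is the tuning decision the bullets describe: an allowlisted source is explained before any volume heuristic is applied, and an unknown asset is reported as an inventory problem before the source is judged, because a hostname the inventory has never seen is exactly the blind spot the last bullet warns about. In a real deployment the inventory and allowlists would be loaded from the exposure-management and CMDB records named under Likely telemetry rather than hard-coded.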

Mitigation priorities

  • Maintain an accurate inventory of domains, public IP ranges, and internet-facing services.
  • Reduce unnecessary public exposure of network and topology details where business requirements allow.
  • Define ownership and escalation paths for suspicious reconnaissance findings.
  • Align SOC monitoring, threat intelligence intake, and exposure-management processes so findings can be triaged consistently.
  • Retain evidence needed to support incident response and compliance questions about monitoring of externally visible infrastructure.

Analyst notes and limits

This take is based on the ATT&CK detection strategy DET0869 and its relationship to T1590, Gather Victim Network Information. The object itself is sparse: no official description, detection text, platforms, or tactics are provided. The practical interpretation therefore comes from the related technique’s reconnaissance context and description of adversaries collecting network information such as IP ranges, domain names, topology, and operational details.

No active exploitation, actor attribution, specific tooling, concrete analytics, or guaranteed detection coverage is supported by the supplied fields. Local environment evidence is required to determine which telemetry sources exist, what is externally exposed, and which detections are feasible.

Official MITRE ATT&CK definition

Detection of Gather Victim Network Information

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                               Relationship / procedure
Enterprise  T1590  Gather Victim Network Information  This object detects Gather Victim Network Information.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 185957b0542cc161...
Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  185957b0542c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0869

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.