MITRE ATT&CK® Technique

T1590: Gather Victim Network Information

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).[1][2][3] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This technique matters because adversaries can use publicly available or elicited network information—domains, DNS, IP ranges, topology, trust dependencies, and security appliance clues—to make later targeting more precise. For leaders, the key issue is not whether this activity happens inside the network; much of it occurs before compromise and may be visible only through external exposure reviews, threat intelligence, or reconnaissance monitoring.

Executive priority

Treat this as an attack-surface and resilience question. Ask whether the organization knows what network details are exposed through WHOIS, DNS, passive DNS, public technical databases, websites, and third-party relationships. Priority should go to reducing unnecessary disclosure, validating external-facing inventory, and ensuring SOC/IR teams can connect reconnaissance findings to later risks such as initial access through trusted relationships or targeting of exposed infrastructure.

Technical view

T1590 is a reconnaissance technique on the PRE platform. ATT&CK does not provide official detection text, but the related detection strategy DET0869 indicates detection content exists for this behavior. SOC and detection teams should validate visibility into externally observable network data and any internal signals that suggest information gathering, including active scanning, phishing for information, and searches of public technical data sources when observable. Sub-techniques show the practical scope: domain properties, DNS, network trust dependencies, topology, IP addresses, and network security appliances.

Likely telemetry

  • External attack surface inventory and asset ownership records
  • DNS records, passive DNS findings, and registrar/WHOIS data
  • Public IP range allocations and internet-facing service inventory
  • Logs or reports from reconnaissance monitoring and external scanning detection
  • Phishing-for-information reports and security awareness intake

Detection direction

  • Validate what DET0869 covers in the local environment and map it to the T1590 sub-techniques rather than treating reconnaissance as a single alert type.
  • Compare public DNS, WHOIS, passive DNS, and IP range data against approved disclosure and asset inventory to find unnecessary exposure.
  • Tune detections to distinguish routine research, partner activity, vulnerability management, and legitimate scanning from suspicious reconnaissance patterns.
  • Correlate reconnaissance indicators with later activity involving active scanning, searches of public websites/domains, resource acquisition, infrastructure compromise, or trusted relationship abuse where evidence exists.
  • Account for the main blind spot: much of this behavior occurs off-network using public data sources, so absence of internal logs is not evidence that the activity did not occur.

Mitigation priorities

  • Apply pre-compromise mitigation by reducing unnecessary public exposure of network, DNS, registrar, topology, and trust-dependency information.
  • Maintain an accurate external-facing asset inventory, including domains, subdomains, IP ranges, mail-related records, and third-party service indicators exposed through DNS.
  • Review what business, technical, and security appliance details are published in websites, records, procurement materials, and partner documentation.
  • Use regular external exposure assessments to support vulnerability prioritization and compliance evidence for attack-surface management.
  • Ensure incident response playbooks consider reconnaissance findings as early context for later targeting decisions.
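
The inventory comparison called for in the detection and mitigation items above, as an added example that is not Glexia's or MITRE's code: it reviews constructed public DNS records against a constructed approved inventory (hosts, IP ranges, third-party relationships) and flags hosts missing from inventory, addresses outside approved ranges, unapproved SPF includes and CNAME targets, and hostnames that hint at a security appliance role. The domain example.com, the ranges and the third-party names are all assumptions.

```python
# Exposure review for T1590-relevant DNS data. Added example, not Glexia's or
# MITRE's code: constructed public records are compared against a constructed baseline.
import ipaddress
import re

# Constructed baseline for a hypothetical organisation, example.com.
APPROVED_HOSTS = {"www.example.com", "mail.example.com", "vpn.example.com"}
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_THIRD_PARTIES = {"_spf.example-mailer.invalid"}  # SPF includes / CNAME targets
# Hostname fragments that disclose a security-appliance role (T1590.006 context).
APPLIANCE_HINT = re.compile(r"(^|[-.])(fw|firewall|vpn|proxy|waf|ids)([-.]|$)")

# Constructed records as (name, type, value), as a passive-DNS export might list them.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("vpn.example.com", "A", "203.0.113.40"),
    ("fw-mgmt.example.com", "A", "198.51.100.7"),  # not in inventory, foreign range
    ("dev-jenkins.example.com", "CNAME", "ci.example-saas.invalid"),  # unapproved SaaS
    ("example.com", "TXT", "v=spf1 include:_spf.example-mailer.invalid "
                           "include:_spf.other-crm.invalid -all"),
    ("example.com", "MX", "10 mail.example.com"),
]

def in_approved_range(ip, ranges=APPROVED_RANGES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def review_exposure(records, approved_hosts=APPROVED_HOSTS,
                    approved_third_parties=APPROVED_THIRD_PARTIES):
    """Return (name, finding) pairs for every record outside the approved baseline."""
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA", "CNAME"):
            if name not in approved_hosts:
                findings.append((name, "host not in inventory"))
            if rtype == "CNAME" and value not in approved_third_parties:
                findings.append((name, f"third-party target {value} not approved"))
            elif rtype != "CNAME" and not in_approved_range(value):
                findings.append((name, f"address {value} outside approved ranges"))
            if APPLIANCE_HINT.search(name):
                findings.append((name, "hostname hints at security appliance role"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            # Every SPF include is a third-party relationship visible to anyone.
            for inc in re.findall(r"include:(\S+)", value):
                if inc not in approved_third_parties:
                    findings.append((name, f"SPF include {inc} not approved"))
    return findings
```

Feed it a real passive-DNS export in the same (name, type, value) shape and the findings list becomes the unnecessary-exposure review to take to asset owners.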

Analyst notes and limits

The relationship set is useful because it shows this parent technique decomposes into six concrete sub-techniques and is used by named groups including Indrik Spider, HAFNIUM, and Volt Typhoon. Those relationships support prioritizing coverage, but they do not by themselves prove current targeting of any specific organization.

ATT&CK provides no official detection text for this object, and the platform is PRE, meaning much of the behavior may occur before compromise and outside telemetry controlled by the defender. Local evidence from external exposure reviews, asset inventories, DNS/WHOIS records, partner data, and reconnaissance monitoring is required to assess real coverage and risk.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1590.001 | Domain Properties | Sub-technique of this object
Enterprise | T1590.002 | DNS | Sub-technique of this object
Enterprise | T1590.003 | Network Trust Dependencies | Sub-technique of this object
Enterprise | T1590.004 | Network Topology | Sub-technique of this object
Enterprise | T1590.005 | IP Addresses | Sub-technique of this object
Enterprise | T1590.006 | Network Security Appliances | Sub-technique of this object

Associated objects

Groups, software, and campaigns

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group Enterprise

G0125: HAFNIUM

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3fa32dcd1350cb63...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 3fa32dcd1350…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] NTT America. (n.d.). Whois Lookup. Retrieved November 17, 2024.
  2. [2] Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
  3. [3] CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
  4. [4] mitre-attack T1590.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.