MITRE ATT&CK® Technique

T1590.004: Network Topology

Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).

Enterprise · T1590.004 · Sub-technique · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Network Topology is pre-compromise reconnaissance: an adversary tries to understand how an organization’s external-facing and internal networks are arranged, including gateways, routers, and other infrastructure. The business significance is that topology knowledge can make later targeting more efficient, including follow-on reconnaissance, operational resource setup, or attempts against external remote services. For leaders, this is less about one alert and more about whether the organization knows what network detail is publicly exposed and can prove it is reducing unnecessary exposure before an incident begins.

Executive priority

Treat this as an attack-surface and resilience issue. Security leaders should ask whether public websites, DNS-related data, technical databases, and other accessible sources reveal enough topology detail to help an adversary plan access paths. Priority should go to maintaining an accurate external asset inventory, limiting unnecessary disclosure, and validating that reconnaissance indicators can be reviewed during incident response. The relationship to groups and campaigns in ATT&CK shows this behavior is relevant across espionage, financially motivated, telecommunications, and critical infrastructure contexts, but local risk depends on the organization’s sector, exposed services, and available evidence.

Technical view

This is a PRE-platform reconnaissance sub-technique under Gather Victim Network Information (T1590). The mirrored MITRE object carries no detection text, so SOC and detection teams should validate coverage through the related detection strategy DET0819 and local telemetry rather than assuming alerting exists. Much of this collection happens against third-party data sets (DNS, registries, search engines, leaked documents) outside the organization's visibility, so expect partial coverage at best and plan to catch the follow-on stages the gathered topology enables, such as Initial Access through External Remote Services. Practical validation should focus on whether defenders can identify unusual interest in public-facing network information, correlate scanning or information-gathering activity with exposed topology data, and support IR with a current map of externally visible infrastructure. Because the technique may use active scanning, phishing for information, victim-owned websites, open technical databases, and open websites/domains, detection should combine external exposure review with monitoring of inbound probing, web access patterns, DNS/domain exposure, and phishing reports.

Likely telemetry

  • External-facing asset inventory and exposure records for domains, IP ranges, gateways, routers, and remote services
  • Web server and application access logs for victim-owned websites that may disclose infrastructure or topology details
  • DNS, domain registration, and passive/open-source DNS exposure data, including sources comparable to DNS Dumpster
  • Network perimeter logs showing scanning or probing against external-facing infrastructure
  • Email security logs and user reports related to phishing for information

Detection direction

  • Validate what DET0819 covers in the local environment, since the ATT&CK object itself provides no official detection procedure.
  • Look for correlation rather than a single signature: external scanning, repeated access to infrastructure-disclosing pages, phishing-for-information attempts, and interest in remote services may be more meaningful together.
  • Tune carefully for false positives from legitimate search engines, researchers, partners, auditors, and approved security testing.
  • Review public and semi-public data sources for topology leakage; absence of internal alerts does not mean the information is not exposed.
  • Ensure SOC and IR teams can pivot from a suspicious reconnaissance event to an authoritative inventory of exposed network devices, domains, IP ranges, and remote services.
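
As an added example (not part of the Glexia page or the ATT&CK object), the correlation approach described in the Technical view and in the Detection direction list above, run over constructed perimeter and web-server events in Python. The log field layouts, the list of infrastructure-disclosing paths, the approved-tester range, the crawler user-agent pattern and the thresholds are all assumptions to be tuned locally; the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for real addresses.

```python
"""Correlate inbound port probing with requests for infrastructure-disclosing
pages on a victim-owned site (T1590.004 reconnaissance).  All events below are
constructed; field layouts and thresholds are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed perimeter events: (timestamp, source IP, destination port, action)
PERIMETER_LOG = (
    [("2025-03-01T08:00:%02d" % s, "203.0.113.10", 1000 + s, "deny") for s in range(12)]
    + [("2025-03-01T09:00:%02d" % s, "198.51.100.77", 2000 + s, "deny") for s in range(15)]
    + [("2025-03-01T10:00:%02d" % s, "192.0.2.5", 3000 + s, "deny") for s in range(20)]
    + [("2025-03-01T11:00:00", "203.0.113.50", 443, "allow")]
)

# Constructed web access events: (timestamp, source IP, request path, user agent)
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"
WEB_LOG = [
    ("2025-03-01T12:10:00", "203.0.113.10", "/it/network-diagram.pdf", "curl/8.4"),
    ("2025-03-01T12:11:00", "203.0.113.10", "/infrastructure/vpn-gateways", "curl/8.4"),
    ("2025-03-01T12:12:00", "203.0.113.10", "/docs/network/site-list", "curl/8.4"),
    ("2025-03-01T12:13:00", "203.0.113.10", "/careers", "curl/8.4"),
    ("2025-03-01T12:20:00", "192.0.2.5", "/it/network-diagram.pdf", "python-requests/2.31"),
    ("2025-03-01T12:21:00", "192.0.2.5", "/infrastructure/vpn-gateways", "python-requests/2.31"),
    ("2025-03-01T12:22:00", "192.0.2.5", "/docs/network/site-list", "python-requests/2.31"),
    ("2025-03-01T12:30:00", "203.0.113.200", "/it/network-diagram.pdf", BOT_UA),
    ("2025-03-01T12:31:00", "203.0.113.200", "/infrastructure/vpn-gateways", BOT_UA),
    ("2025-03-01T12:32:00", "203.0.113.200", "/docs/network/site-list", BOT_UA),
]

# Local tuning (assumptions): which paths disclose topology, who is allowed to probe,
# and which user agents claim to be search engines.
DISCLOSING_PATH = re.compile(r"^/(it|infrastructure|network|vpn|remote-access|docs/network)(/|$)", re.I)
APPROVED_TESTERS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed pentest range
CRAWLER_UA = re.compile(r"Googlebot|bingbot", re.I)          # a claim only: confirm by reverse DNS in production
WINDOW = timedelta(hours=24)   # probing is counted from the source's first denied connection
SCAN_MIN_PORTS = 10
DISCLOSURE_MIN_HITS = 3
MIN_SIGNALS = 2


def is_approved_tester(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in APPROVED_TESTERS)


def scan_signal(perimeter):
    """Sources whose denied connections touch >= SCAN_MIN_PORTS distinct ports within WINDOW."""
    first, ports = {}, defaultdict(set)
    for ts, src, dport, action in perimeter:
        if action != "deny":
            continue
        t = datetime.fromisoformat(ts)
        first.setdefault(src, t)
        if t - first[src] <= WINDOW:
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= SCAN_MIN_PORTS}


def disclosure_signal(web):
    """Sources fetching >= DISCLOSURE_MIN_HITS topology-disclosing paths, minus self-declared crawlers."""
    hits = defaultdict(list)
    for _ts, src, path, ua in web:
        if CRAWLER_UA.search(ua) or not DISCLOSING_PATH.search(path):
            continue
        hits[src].append(path)
    return {src: p for src, p in hits.items() if len(p) >= DISCLOSURE_MIN_HITS}


def correlate(perimeter, web):
    """One finding per source: 'high' when >= MIN_SIGNALS independent signals line up,
    'low' (context only) for a single signal; approved testers are suppressed."""
    scans, disc = scan_signal(perimeter), disclosure_signal(web)
    findings = []
    for src in sorted(set(scans) | set(disc)):
        if is_approved_tester(src):
            continue
        signals = {}
        if src in scans:
            signals["port_probe"] = scans[src]
        if src in disc:
            signals["topology_page_access"] = disc[src]
        priority = "high" if len(signals) >= MIN_SIGNALS else "low"
        findings.append({"src": src, "signals": signals, "priority": priority})
    return findings


if __name__ == "__main__":
    for f in correlate(PERIMETER_LOG, WEB_LOG):
        print(f["priority"], f["src"], sorted(f["signals"]))
```

With the constructed data, only 203.0.113.10 (port probing plus three fetches of topology-disclosing pages) reaches "high"; 198.51.100.77 probes alone and stays "low" context, the approved tester in 192.0.2.0/24 is suppressed, and the self-declared Googlebot is skipped. The probing window is anchored to each source's first denied connection, a simplification of a true sliding window, and the crawler check trusts the User-Agent header, which is why a production analytic should confirm such claims by reverse DNS before discarding the events.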

Mitigation priorities

  • Apply the related Pre-compromise mitigation concept by reducing information that helps adversaries identify and exploit weaknesses during reconnaissance.
  • Limit unnecessary publication of topology, infrastructure diagrams, device details, remote access paths, and network naming conventions on public websites or accessible documents.
  • Maintain a current external attack-surface inventory and periodically compare it against what is visible through open websites, DNS-related sources, and technical databases.
  • Prioritize remediation or exposure reduction for external remote services and infrastructure details that could support targeting.
  • Include topology exposure review in compliance evidence, incident readiness exercises, and vulnerability prioritization processes where external-facing infrastructure is in scope.
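
As an added example (not the page's own tooling), the inventory comparison called for in the mitigation list above: an authoritative external asset inventory is checked against records as an open or passive DNS source would show them, flagging hosts missing from the inventory, address drift, addresses outside approved ranges, hostnames whose labels announce a device role, and inventory entries with no public record. The inventory, the records, the approved range and the device-naming pattern are all constructed assumptions; the record layout is not the export format of any particular service.

```python
"""Compare an authoritative external asset inventory against hostnames and
addresses visible through an open DNS data set, and flag topology leakage.
All data below is constructed; the record layout is an assumption, not the
export format of any particular service."""
import ipaddress
import re

# Constructed authoritative inventory: hostname -> (approved IPs, owning team)
INVENTORY = {
    "www.example.com": (["198.51.100.10"], "web"),
    "mail.example.com": (["198.51.100.20"], "messaging"),
    "vpn.example.com": (["198.51.100.30"], "netops"),
    "sftp.example.com": (["198.51.100.40"], "integrations"),
}
APPROVED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # constructed public range

# Constructed records as an open/passive DNS source might show them: (name, type, rdata)
OBSERVED = [
    ("www.example.com", "A", "198.51.100.10"),
    ("mail.example.com", "A", "198.51.100.25"),
    ("vpn.example.com", "A", "198.51.100.30"),
    ("core-rtr01.example.com", "A", "198.51.100.1"),
    ("fw-dmz-02.example.com", "A", "198.51.100.2"),
    ("old-portal.example.com", "A", "203.0.113.44"),
    ("example.com", "MX", "10 mail.example.com"),
]

# Leftmost labels that announce a device role or network position (assumption; tune locally)
TOPOLOGY_LABEL = re.compile(
    r"(^|-)(rtr|router|core|gw|gateway|fw|firewall|sw|switch|dmz|vpn)(\d|-|$)", re.I)


def review(inventory, observed, approved_ranges):
    """Return findings as dicts {name, kind, detail}. Kinds:
    unknown_host            observed publicly but absent from the inventory
    inventory_drift         known host resolving to an address the inventory does not list
    ip_outside_approved     address not in any approved public range
    topology_naming         hostname label reveals device role or topology
    not_observed            inventory host with no public record (stale entry or gap)"""
    findings = []
    seen = set()
    for name, rtype, rdata in observed:
        if rtype not in ("A", "AAAA"):
            continue
        seen.add(name)
        ip = ipaddress.ip_address(rdata)
        if name not in inventory:
            findings.append({"name": name, "kind": "unknown_host", "detail": rdata})
        elif rdata not in inventory[name][0]:
            findings.append({"name": name, "kind": "inventory_drift",
                             "detail": f"observed {rdata}, inventory {inventory[name][0]}"})
        if not any(ip in net for net in approved_ranges):
            findings.append({"name": name, "kind": "ip_outside_approved", "detail": rdata})
        if TOPOLOGY_LABEL.search(name.split(".")[0]):
            findings.append({"name": name, "kind": "topology_naming", "detail": name.split(".")[0]})
    for name in inventory:
        if name not in seen:
            findings.append({"name": name, "kind": "not_observed", "detail": ""})
    return findings


def summarize(findings):
    """Count findings per kind, for tracking exposure reduction over time."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review(INVENTORY, OBSERVED, APPROVED_RANGES)
    for f in results:
        print(f"{f['kind']:22} {f['name']:28} {f['detail']}")
    print(summarize(results))
```

On the constructed data the review surfaces two router/firewall hostnames that were never inventoried, a forgotten portal on an address outside the approved range, a mail host whose address has drifted from the record of truth, a VPN host whose name discloses its role, and an SFTP entry with no public footprint. Rerunning the comparison on a schedule and keeping the per-kind counts is a simple way to evidence that unnecessary topology exposure is going down, which is the question the Executive priority section asks leaders to be able to answer.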

Analyst notes and limits

This technique matters because topology information can turn generic reconnaissance into a more targeted plan. The supplied relationships show use by C0062, MuddyWater, FIN13, Volt Typhoon, and Salt Typhoon, and a mitigation relationship to M1056 Pre-compromise. Those relationships support prioritizing this behavior in threat-informed defense, but they do not by themselves prove current activity against any specific organization.

MITRE provides no official detection text for this object, and the platform is PRE, so many useful signals may come from external exposure management, public-source review, perimeter telemetry, and phishing reporting rather than endpoint detections. Local environment evidence is required to determine what topology information is exposed, whether collection attempts are suspicious, and which controls are effective.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1590 | Gather Victim Network Information | This object is a sub-technique of Gather Victim Network Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1045: Salt Typhoon

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).[1][2]

Group Enterprise

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]

Group Enterprise

G1016: FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.[1][2]

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Campaign Enterprise

C0062: Anthropic AI-orchestrated Campaign

The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 62275c571c494667...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 62275c571c49…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
  2. [2] MITRE ATT&CK. T1590.004: Network Topology (source object, attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.