title: Gather Victim Network Information (T1590)
id: df00tech-t1590
status: experimental
description: "This detection identifies adversary reconnaissance activity targeting victim network information, including IP ranges, domain names, DNS records, network topology, and security appliance configurations. Because T1590 is a PRE-ATT&CK technique, direct detection within the victim environment is limited; however, second-order indicators are observable when adversaries deploy internal network enumeration tools post-compromise (as seen with Volt Typhoon, Indrik Spider, and HAFNIUM), attempt DNS zone transfers, execute WHOIS or DNS enumeration utilities, or run network discovery tools such as Lansweeper and Advanced IP Scanner. Detection focuses on process execution of known network reconnaissance binaries, DNS zone transfer attempts, and anomalous internal network topology queries that suggest an adversary mapping the environment for lateral movement or targeting."
references:
  - https://attack.mitre.org/techniques/T1590/
  - https://df00tech.com/detections/T1590
author: df00tech
date: 2026/04/14
tags:
  - attack.t1590
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate network administrators running nmap or Advanced IP Scanner for asset inventory or troubleshooting
  - IT operations teams using Lansweeper or similar tools for scheduled network discovery and CMDB updates
  - DNS administrators performing authoritative zone transfers between primaries and secondaries as part of normal operations
  - Security teams running authorized vulnerability scans or penetration tests using tools like nmap or masscan
  - "nltest calls from legitimate domain join operations, group policy processing, or identity management tools"
level: medium
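The selection above is a placeholder, so as an added illustration (not the df00tech rule logic, which the page says could not be auto-translated) here is a small Python triage pass over constructed `process_creation` events. It applies the second-order indicators the description names: execution of the discovery binaries listed there and in the false-positive list, `nltest` with trust/DC-enumeration switches, and zone-transfer (`AXFR`) requests. The image names, command-line patterns, the `ADMIN_HOSTS` allow-list, the `Computer` field name and all sample events are assumptions made for this example.

```python
"""Added example: triage of process_creation events for T1590-style
internal reconnaissance indicators.  Not the df00tech rule logic; binary
names, patterns, allow-list and sample events are constructed assumptions."""
import re
from typing import Iterable, Optional

# Assumption: image basenames of the discovery tools named in the rule
# description and false-positive list (matched case-insensitively).
RECON_IMAGES = {
    "nmap.exe": "network scanner",
    "masscan.exe": "network scanner",
    "advanced_ip_scanner.exe": "network scanner",
    "lansweeper.exe": "network discovery",
    "whois.exe": "whois lookup",
}

# Built-in utilities are only interesting with particular arguments; a bare
# nltest or nslookup is routine.  Caveat: an interactive nslookup "ls -d"
# zone transfer never appears on the process command line, so only tools
# that take AXFR as an argument (dig, host) are matched here.
RECON_COMMANDLINE = [
    (re.compile(r"\bnltest(\.exe)?\b.*(/dclist|/domain_trusts|/trusted_domains)", re.I),
     "domain/trust enumeration via nltest"),
    (re.compile(r"\bdig(\.exe)?\b.*\baxfr\b", re.I),
     "DNS zone transfer attempt via dig"),
    (re.compile(r"\bhost(\.exe)?\b.*-t\s+axfr\b", re.I),
     "DNS zone transfer attempt via host"),
]

# Assumption: hosts from which administrators run scheduled inventory scans
# (the false-positive cases in the rule).  Hits there are down-levelled,
# not suppressed, so an attacker on a jump host is still visible.
ADMIN_HOSTS = {"IT-JUMP01"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding dict for one event, or None if nothing matched."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    reason = RECON_IMAGES.get(image)
    if reason is None:
        for pattern, label in RECON_COMMANDLINE:
            if pattern.search(cmd):
                reason = label
                break
    if reason is None:
        return None
    host = event.get("Computer", "")
    level = "low" if host.upper() in ADMIN_HOSTS else "medium"
    return {"tag": "attack.t1590", "level": level, "host": host,
            "image": image, "reason": reason, "commandline": cmd}


def triage(events: Iterable[dict]) -> list:
    """Run evaluate() over a stream of events and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-0042", "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp.example"},
    {"Computer": "WS-0042", "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /sc_verify:corp.example"},   # routine, no hit
    {"Computer": "WS-0042", "Image": r"C:\Tools\dig.exe",
     "CommandLine": "dig axfr corp.example @ns1.corp.example"},
    {"Computer": "IT-JUMP01",
     "Image": r"C:\Program Files\Advanced IP Scanner\advanced_ip_scanner.exe",
     "CommandLine": '"advanced_ip_scanner.exe" /portable'},  # admin host, low
    {"Computer": "WS-0042", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default"},  # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['level']}] {finding['host']}: {finding['reason']} "
              f"({finding['commandline']})")
```

The allow-list lowers severity rather than dropping the event, because the rule's own false-positive notes describe legitimate use from specific teams and hosts, not a reason to blind the detection everywhere. In production the host list and the argument patterns would be tuned against the environment's baseline of `nltest` and scanner usage.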
