T1590.004

Network Topology

Adversaries may gather information about the victim's network topology that can be used during targeting. This includes physical and logical arrangement of external-facing and internal network environments, network devices such as gateways and routers, and routing infrastructure. Threat actors like Volt Typhoon and Salt Typhoon have conducted extensive network topology reconnaissance to identify critical infrastructure paths, upstream/downstream network segments, and inter-network connectivity before executing intrusion campaigns. Detection focuses on two surfaces: (1) network discovery tool execution on managed endpoints indicating an insider or post-compromise enumeration phase, and (2) external scanning patterns visible in perimeter logs indicating pre-compromise reconnaissance by external actors.

Microsoft Sentinel / Defender

kusto

let NetworkDiscoveryTools = dynamic([
  "nmap", "masscan", "zmap", "unicornscan",
  "netdiscover", "angry ip scanner", "advanced ip scanner",
  "lansweeper", "angry", "nbtscan", "arp-scan"
]);
let NetworkTopoCmds = dynamic([
  "tracert", "traceroute", "pathping", "tracepath",
  "route print", "netstat -r", "ip route",
  "arp -a", "arp -n", "Get-NetRoute", "Get-NetNeighbor",
  "snmpwalk", "snmpget", "snmpenum",
  "nmap -sn", "nmap --traceroute", "nmap -O",
  "show ip route", "show cdp neighbors", "show lldp"
]);
let SuspiciousNetworkPorts = dynamic([161, 162, 179, 520, 521, 646, 2049, 8291]);
// Branch 1: Endpoint-based network discovery tool execution
let EndpointDiscovery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (NetworkDiscoveryTools)
      or ProcessCommandLine has_any (NetworkTopoCmds)
      or (FileName =~ "nmap.exe" or FileName =~ "masscan.exe" or FileName =~ "zmap.exe")
| extend DetectionBranch = "EndpointDiscoveryTool"
| extend RiskIndicator = case(
    ProcessCommandLine has_any ("snmpwalk", "snmpget", "snmpenum"), "SNMP_Enumeration",
    ProcessCommandLine has_any ("nmap -O", "nmap --os-detection"), "OS_Fingerprinting",
    ProcessCommandLine has_any ("tracert", "traceroute", "pathping", "tracepath"), "Route_Tracing",
    ProcessCommandLine has_any ("nmap -sn", "netdiscover", "arp -a", "arp-scan"), "Host_Discovery",
    ProcessCommandLine has_any ("Get-NetRoute", "route print", "ip route", "netstat -r"), "Routing_Table_Enum",
    "General_Network_Discovery"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, RiskIndicator;
// Branch 2: SNMP and network protocol scanning via network events
let SNMPScanning = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (SuspiciousNetworkPorts)
| where RemoteIPType == "Public" or RemoteIP !startswith "127."
| summarize TargetCount=dcount(RemoteIP), Ports=make_set(RemotePort), FirstSeen=min(Timestamp), LastSeen=max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where TargetCount > 5
| extend DetectionBranch = "BroadcastProtocolScanning"
| extend RiskIndicator = "Multi_Host_Protocol_Scan"
| extend Timestamp = FirstSeen
| project Timestamp, DeviceName, AccountName="", FileName=InitiatingProcessFileName,
         ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName="",
         InitiatingProcessCommandLine="", DetectionBranch, RiskIndicator;
union EndpointDiscovery, SNMPScanning
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Network engineers running nmap or traceroute for legitimate troubleshooting or change management activities
IT asset management systems (Lansweeper, SolarWinds, Nessus) performing scheduled network discovery scans
SNMP-based monitoring tools (PRTG, Zabbix, Nagios) polling network devices on UDP/161
BGP route monitoring scripts querying routing tables for network health dashboards
Penetration testing engagements with authorized scanners operating from managed endpoints

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval IsDiscoveryTool=if(
    match(Image_lower, "(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)") OR
    match(CommandLine_lower, "(nmap|masscan|zmap|netdiscover|snmpwalk|snmpget|snmpenum|nbtscan)"),
    1, 0
  )
| eval IsRouteEnum=if(
    match(CommandLine_lower, "(tracert|traceroute|pathping|tracepath|route\s+print|netstat\s+-r|ip\s+route|get-netroute|get-netneighbor|arp\s+-a|arp\s+-n)"),
    1, 0
  )
| eval IsSNMPRecon=if(
    match(CommandLine_lower, "(snmpwalk|snmpget|snmpenum|snmpbulk|161|snmp)"),
    1, 0
  )
| eval IsOSFingerprint=if(
    match(CommandLine_lower, "(nmap\s+-o|os-detection|os-scan|os-fingerprint)"),
    1, 0
  )
| eval IsTopologyMap=if(
    match(CommandLine_lower, "(--traceroute|nmap.*-p.*-t|cdp|lldp|ospf|eigrp|bgp.*route)"),
    1, 0
  )
| eval ReconScore=IsDiscoveryTool + IsRouteEnum + IsSNMPRecon + IsOSFingerprint + IsTopologyMap
| where ReconScore > 0
| eval RiskCategory=case(
    IsSNMPRecon=1, "SNMP_Topology_Recon",
    IsOSFingerprint=1, "OS_Fingerprinting",
    IsDiscoveryTool=1 AND IsRouteEnum=1, "Combined_Network_Mapping",
    IsDiscoveryTool=1, "Network_Discovery_Tool",
    IsRouteEnum=1, "Routing_Enumeration",
    "General_Topology_Recon"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        IsDiscoveryTool, IsRouteEnum, IsSNMPRecon, IsOSFingerprint, IsTopologyMap,
        ReconScore, RiskCategory
| sort - _time

| append
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
     (DestinationPort=161 OR DestinationPort=162 OR DestinationPort=179 OR DestinationPort=520 OR DestinationPort=521)
     | stats count as ConnectionCount, dc(DestinationIp) as UniqueHosts,
             values(DestinationPort) as Ports, earliest(_time) as FirstSeen, latest(_time) as LastSeen
             by host, User, Image, CommandLine
     | where UniqueHosts > 5
     | eval ReconScore=2, RiskCategory="Broadcast_Protocol_Scanning"
     | eval IsDiscoveryTool=0, IsRouteEnum=0, IsSNMPRecon=if(mvfind(Ports,"161")>=0,1,0),
            IsOSFingerprint=0, IsTopologyMap=0
     | rename FirstSeen as _time
     | table _time, host, User, Image, CommandLine, IsDiscoveryTool, IsRouteEnum,
             IsSNMPRecon, IsOSFingerprint, IsTopologyMap, ReconScore, RiskCategory, UniqueHosts, ConnectionCount]

| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network engineers running nmap or traceroute for legitimate troubleshooting or change management activities
IT asset management systems (Lansweeper, SolarWinds, Nessus) performing scheduled network discovery scans
SNMP-based monitoring tools (PRTG, Zabbix, Nagios) polling network devices on UDP/161
BGP route monitoring scripts querying routing tables for network health dashboards
Penetration testing engagements with authorized scanners operating from managed endpoints

IBM QRadar (AQL)

sql

-- Branch 1: Endpoint process execution of network discovery tools
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip" AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '(snmpwalk|snmpget|snmpenum|snmpbulk)' THEN 'SNMP_Topology_Recon'
    WHEN LOWER("Command") MATCHES '(nmap.*-o|os-detection|os-fingerprint)' THEN 'OS_Fingerprinting'
    WHEN LOWER("Command") MATCHES '(tracert|traceroute|pathping|tracepath)' THEN 'Route_Tracing'
    WHEN LOWER("Command") MATCHES '(nmap.*-sn|netdiscover|arp.*-a|arp-scan)' THEN 'Host_Discovery'
    WHEN LOWER("Command") MATCHES '(get-netroute|route.*print|ip.*route|netstat.*-r)' THEN 'Routing_Table_Enum'
    ELSE 'General_Network_Discovery'
  END AS risk_category,
  qidname(qid) AS event_name
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 233, 352)
  AND starttime > NOW() - 86400000
  AND (
    LOWER("Process Name") MATCHES '(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)'
    OR LOWER("Command") MATCHES '(nmap|masscan|zmap|tracert|traceroute|pathping|tracepath|snmpwalk|snmpget|snmpenum|get-netroute|get-netneighbor|route.*print|netstat.*-r|arp.*-a|show cdp|show lldp)'
  )
ORDER BY starttime DESC
LIMIT 1000

UNION ALL

-- Branch 2: Network flow scanning on management/routing ports
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  applicationname AS process_name,
  CONCAT('Port scan to ', LONG(COUNT(DISTINCT destinationip)), ' hosts') AS command_line,
  '' AS parent_process,
  CASE
    WHEN SUM(CASE WHEN destinationport IN (161,162) THEN 1 ELSE 0 END) > 0 THEN 'SNMP_Broadcast_Scan'
    WHEN SUM(CASE WHEN destinationport = 179 THEN 1 ELSE 0 END) > 0 THEN 'BGP_Route_Discovery'
    ELSE 'Broadcast_Protocol_Scanning'
  END AS risk_category,
  'Multi-Host Protocol Scan' AS event_name
FROM flows
WHERE
  starttime > NOW() - 86400000
  AND destinationport IN (161, 162, 179, 520, 521, 646, 2049, 8291)
GROUP BY sourceip, username, applicationname, logsourceid
HAVING COUNT(DISTINCT destinationip) > 5
ORDER BY event_time DESC

high severity medium confidence

Data Sources

QRadar SIEM Windows Security Event Log Sysmon NetFlow/IPFIX Linux Audit Logs

Required Tables

events flows

False Positives

Network monitoring infrastructure (SolarWinds NPM, PRTG, Nagios) generating high-volume SNMP polling to network devices appearing as broadcast scanning
Authorized penetration testing or red team exercises using nmap/masscan from sanctioned IP ranges
IT operations scripts that collect routing table data during automated asset inventory or change management windows
Network engineers running traceroute/pathping for legitimate latency troubleshooting investigations

Sumo Logic CSE

sql

// Branch 1: Endpoint process execution detection
(_sourceCategory="windows/sysmon" OR _sourceCategory="endpoint/process")
| where EventID = 1 OR event_type = "process"
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*\\*" as img_path, img_name nodrop
| eval img_lower = toLowerCase(img_name)
| eval cmd_lower = toLowerCase(cmd_line)
| eval is_discovery_tool = if(
    img_lower matches /^(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)(|\.exe)$/,
    1, 0)
| eval is_route_enum = if(
    cmd_lower matches /(tracert|traceroute|pathping|tracepath|route\s+print|netstat\s+-r|ip\s+route|get-netroute|get-netneighbor|arp\s+-a|arp\s+-n)/,
    1, 0)
| eval is_snmp_recon = if(
    cmd_lower matches /(snmpwalk|snmpget|snmpenum|snmpbulk|snmptrap)/,
    1, 0)
| eval is_os_fingerprint = if(
    cmd_lower matches /(nmap\s+-o|os-detection|os-fingerprint|os-scan)/,
    1, 0)
| eval is_topo_map = if(
    cmd_lower matches /(--traceroute|cdp\s+neighbors|lldp|show\s+ip\s+route|ospf|eigrp)/,
    1, 0)
| eval recon_score = is_discovery_tool + is_route_enum + is_snmp_recon + is_os_fingerprint + is_topo_map
| where recon_score > 0
| eval risk_category = if(is_snmp_recon = 1, "SNMP_Topology_Recon",
    if(is_os_fingerprint = 1, "OS_Fingerprinting",
    if(is_discovery_tool = 1 and is_route_enum = 1, "Combined_Network_Mapping",
    if(is_discovery_tool = 1, "Network_Discovery_Tool",
    if(is_route_enum = 1, "Routing_Enumeration", "General_Topology_Recon")))))
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, risk_category, recon_score
| sort by _messageTime desc

// Branch 2: Network connection scanning (run as separate query and correlate)
// (_sourceCategory="windows/sysmon" OR _sourceCategory="network/flow")
// | where EventID = 3 OR event_type = "network"
// | where DestinationPort in (161, 162, 179, 520, 521, 646, 2049, 8291)
// | where !((DestinationIp startswith "127.") or DestinationIp = "::1")
// | count_distinct(DestinationIp) as unique_hosts, values(DestinationPort) as ports by Computer, User, Image, CommandLine
// | where unique_hosts > 5
// | eval risk_category = "Broadcast_Protocol_Scanning"

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Sysmon via Windows Event Forwarding Sumo Logic Installed Collector on Windows endpoints

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/process _sourceCategory=network/flow

False Positives

Security tools like Nessus, Qualys agents, or CrowdStrike Spotlight running periodic network discovery from designated scanner accounts
Network operations center staff using nmap or traceroute for routine connectivity diagnostics and path analysis
Automated CMDB/asset discovery jobs (ServiceNow Discovery, Lansweeper agents) that enumerate network routes and ARP tables on a schedule
DevOps pipeline scripts that call 'ip route' or 'netstat -r' during container or VM provisioning workflows

Google Chronicle / SecOps

yaral

rule T1590_004_network_topology_recon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects network topology reconnaissance including discovery tool execution and broadcast protocol scanning (MITRE ATT&CK T1590.004)"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    // Branch 1: Network discovery tool execution
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname

    (
      // Known discovery tool binaries
      re.regex($e1.target.process.file.full_path, `(?i)(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)(|\.exe)$`)
      or
      // Route/topology enumeration commands
      re.regex($e1.target.process.command_line, `(?i)(tracert|traceroute|pathping|tracepath|route\s+print|netstat\s+-r|ip\s+route|get-netroute|get-netneighbor|arp\s+-[an]|snmpwalk|snmpget|snmpenum|show\s+cdp|show\s+lldp|show\s+ip\s+route|nmap\s+--traceroute|nmap\s+-O)`)
    )

  match:
    $hostname over 24h

  outcome:
    $risk_indicator = if(
      re.regex($e1.target.process.command_line, `(?i)(snmpwalk|snmpget|snmpenum)`), "SNMP_Enumeration",
      if(re.regex($e1.target.process.command_line, `(?i)(nmap\s+-[Oo]|os.detection|os.fingerprint)`), "OS_Fingerprinting",
      if(re.regex($e1.target.process.command_line, `(?i)(tracert|traceroute|pathping|tracepath)`), "Route_Tracing",
      if(re.regex($e1.target.process.command_line, `(?i)(nmap.*-sn|netdiscover|arp\s+-a|arp-scan)`), "Host_Discovery",
      if(re.regex($e1.target.process.command_line, `(?i)(get-netroute|route.*print|ip\s+route|netstat.*-r)`), "Routing_Table_Enum",
      "General_Network_Discovery")))))
    $process_name = $e1.target.process.file.full_path
    $command_line = $e1.target.process.command_line
    $user = $e1.principal.user.userid
    $count = count($e1.metadata.id)

  condition:
    $e1
}

rule T1590_004_broadcast_protocol_scanning {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects multi-host scanning on SNMP/BGP/RIP/routing protocol ports indicating network topology mapping via broadcast protocol enumeration (MITRE ATT&CK T1590.004)"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $src_host
    $e2.target.port in (161, 162, 179, 520, 521, 646, 2049, 8291)
    not re.regex($e2.target.ip, `^(127\.|::1|169\.254\.)`)
    $e2.target.ip = $dst_ip

  match:
    $src_host over 30m

  outcome:
    $unique_targets = count_distinct($dst_ip)
    $scanned_ports = array_distinct($e2.target.port)
    $initiating_process = $e2.principal.process.file.full_path
    $risk_category = "Broadcast_Protocol_Scanning"

  condition:
    #e2 > 5 and $unique_targets > 5
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle forwarder Network telemetry via Chronicle ingestion

Required Tables

UDM PROCESS_LAUNCH events UDM NETWORK_CONNECTION events

False Positives

Authorized network monitoring platforms (SolarWinds, PRTG) with Chronicle-forwarded telemetry generating high-volume SNMP connections to managed devices
IT administrators performing authorized network audits using nmap or traceroute from workstations without dedicated scanner accounts
Security operations running scheduled vulnerability assessments that invoke network discovery tools from approved scanner infrastructure
Automation frameworks collecting network topology data for CMDB updates triggering route enumeration commands

CrowdStrike LogScale (CQL)

cql

// Branch 1: Network discovery tool process execution
#event_simpleName=ProcessRollup2
| FileName = /(?i)^(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)(|\.exe)$/
  OR CommandLine = /(?i)(nmap|masscan|zmap|tracert|traceroute|pathping|tracepath|snmpwalk|snmpget|snmpenum|get-netroute|get-netneighbor|route\s+print|netstat\s+-r|ip\s+route|arp\s+-[an]|show cdp|show lldp|nmap\s+--traceroute|nmap\s+-O|nmap\s+-sn|arp-scan|netdiscover)/
| eval risk_indicator =
    case(
      CommandLine = /(?i)(snmpwalk|snmpget|snmpenum|snmpbulk)/, "SNMP_Enumeration",
      CommandLine = /(?i)(nmap\s+-[Oo]|os-detection|os-fingerprint)/, "OS_Fingerprinting",
      CommandLine = /(?i)(tracert|traceroute|pathping|tracepath)/, "Route_Tracing",
      CommandLine = /(?i)(nmap.*-sn|netdiscover|arp\s+-a|arp-scan)/, "Host_Discovery",
      CommandLine = /(?i)(get-netroute|route.*print|ip\s+route|netstat.*-r)/, "Routing_Table_Enum",
      true, "General_Network_Discovery"
    )
| table
    [@timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, ParentCommandLine, risk_indicator]
| sort @timestamp desc

// Branch 2: Multi-host scanning on network management protocol ports
// Run as separate query:
// #event_simpleName=NetworkConnectIP4
// | RemotePort in [161, 162, 179, 520, 521, 646, 2049, 8291]
// | groupBy(
//     [ComputerName, UserName, ImageFileName, CommandLine],
//     function=[
//       count(RemoteIP, distinct=true, as=UniqueHosts),
//       collect(RemotePort, as=ScannedPorts),
//       min(@timestamp, as=FirstSeen),
//       max(@timestamp, as=LastSeen)
//     ]
//   )
// | UniqueHosts > 5
// | eval risk_category = "Broadcast_Protocol_Scanning"
// | table [FirstSeen, ComputerName, UserName, ImageFileName, CommandLine, UniqueHosts, ScannedPorts, risk_category]

high severity medium confidence

Data Sources

CrowdStrike Falcon Platform Falcon Insight XDR CrowdStrike LogScale (Humio)

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

CrowdStrike Spotlight or Exposure Management scanning modules generating network connection events that resemble multi-host port scanning
IT administrators using built-in Windows commands (tracert, route print, arp -a) for routine network diagnostics — especially from helpdesk or NOC workstations
Authorized third-party network discovery agents (Lansweeper, Nmap-based CMDB tools) installed on managed servers running scheduled inventory scans
Red team or authorized penetration testing engagements using Falcon-monitored endpoints as pivot points during assessed campaigns

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain Properties T1590.002DNS T1590.003Network Trust Dependencies T1590.005IP Addresses T1590.006Network Security Appliances

Network Topology

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections