T1590.004 Google Chronicle · YARA-L

Detect Network Topology in Google Chronicle

Adversaries may gather information about the victim's network topology that can be used during targeting. This includes physical and logical arrangement of external-facing and internal network environments, network devices such as gateways and routers, and routing infrastructure. Threat actors like Volt Typhoon and Salt Typhoon have conducted extensive network topology reconnaissance to identify critical infrastructure paths, upstream/downstream network segments, and inter-network connectivity before executing intrusion campaigns. Detection focuses on two surfaces: (1) network discovery tool execution on managed endpoints indicating an insider or post-compromise enumeration phase, and (2) external scanning patterns visible in perimeter logs indicating pre-compromise reconnaissance by external actors.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.004 Network Topology
Canonical reference: https://attack.mitre.org/techniques/T1590/004/

YARA-L Detection Query

Google Chronicle (YARA-L)

```yaral
rule T1590_004_network_topology_recon {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects network topology reconnaissance including discovery tool execution and broadcast protocol scanning (MITRE ATT&CK T1590.004)"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    // Branch 1: Network discovery tool execution
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $hostname

    (
      // Known discovery tool binaries, anchored to the final path component so
      // "nmap" does not match an unrelated file name that merely contains it
      re.regex($e1.target.process.file.full_path, `(?i)(^|[\\/])(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)(\.exe)?$`)
      or
      // Route/topology enumeration commands
      re.regex($e1.target.process.command_line, `(?i)(tracert|traceroute|pathping|tracepath|route\s+print|netstat\s+-r|ip\s+route|get-netroute|get-netneighbor|arp\s+-[an]|snmpwalk|snmpget|snmpenum|show\s+cdp|show\s+lldp|show\s+ip\s+route|nmap\s+--traceroute|nmap\s+-O)`)
    )

  match:
    $hostname over 24h

  outcome:
    // Event fields referenced in the outcome section of a rule that has a match
    // section must be aggregated; array_distinct keeps every distinct value seen
    // for the host in the window.
    $risk_indicator = array_distinct(if(
      re.regex($e1.target.process.command_line, `(?i)(snmpwalk|snmpget|snmpenum)`), "SNMP_Enumeration",
      // (?-i:-O) keeps the OS-detection flag case-sensitive so that nmap's -oX/-oN
      // output flags are not classified as OS fingerprinting
      if(re.regex($e1.target.process.command_line, `(?i)(nmap\s.*(?-i:-O)\b|osscan|os[-_.\s]?detection|os[-_.\s]?fingerprint)`), "OS_Fingerprinting",
      if(re.regex($e1.target.process.command_line, `(?i)(tracert|traceroute|pathping|tracepath)`), "Route_Tracing",
      if(re.regex($e1.target.process.command_line, `(?i)(nmap.*-sn|netdiscover|arp\s+-a|arp-scan)`), "Host_Discovery",
      if(re.regex($e1.target.process.command_line, `(?i)(get-netroute|route.*print|ip\s+route|netstat.*-r)`), "Routing_Table_Enum",
      "General_Network_Discovery"))))))
    $process_name = array_distinct($e1.target.process.file.full_path)
    $command_line = array_distinct($e1.target.process.command_line)
    $user = array_distinct($e1.principal.user.userid)
    $count = count($e1.metadata.id)

  condition:
    $e1
}

rule T1590_004_broadcast_protocol_scanning {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects multi-host scanning on SNMP/BGP/RIP/routing protocol ports indicating network topology mapping via broadcast protocol enumeration (MITRE ATT&CK T1590.004)"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    // Connections to SNMP (161/162), BGP (179), RIP (520/521), LDP (646),
    // NFS (2049) and MikroTik API (8291) ports, excluding loopback/link-local targets
    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $src_host
    $e2.target.port in (161, 162, 179, 520, 521, 646, 2049, 8291)
    not re.regex($e2.target.ip, `^(127\.|::1|169\.254\.)`)
    $e2.target.ip = $dst_ip

  match:
    $src_host over 30m

  outcome:
    $unique_targets = count_distinct($dst_ip)
    $scanned_ports = array_distinct($e2.target.port)
    // Aggregated for the same reason as in the first rule
    $initiating_process = array_distinct($e2.principal.process.file.full_path)
    $risk_category = "Broadcast_Protocol_Scanning"

  condition:
    // More than 5 connection events to more than 5 distinct targets from one host within 30m
    #e2 > 5 and $unique_targets > 5
}
```

Severity: HIGH · Confidence: MEDIUM

Two Chronicle YARA-L 2.0 rules detecting network topology reconnaissance. Rule 1 matches process launch events containing known network discovery tool names or topology enumeration command patterns, classifying them by risk indicator type. Rule 2 detects broadcast protocol scanning by correlating network connection events to SNMP/BGP/RIP ports across more than 5 unique destination IPs within a 30-minute window, both mapped to MITRE T1590.004.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Unified Data Model (UDM)
  • Windows endpoint telemetry via Chronicle forwarder
  • Network telemetry via Chronicle ingestion

Required Tables

  • UDM PROCESS_LAUNCH events
  • UDM NETWORK_CONNECTION events

False Positives & Tuning

  • Authorized network monitoring platforms (SolarWinds, PRTG) with Chronicle-forwarded telemetry generating high-volume SNMP connections to managed devices
  • IT administrators performing authorized network audits using nmap or traceroute from workstations without dedicated scanner accounts
  • Security operations running scheduled vulnerability assessments that invoke network discovery tools from approved scanner infrastructure
  • Automation frameworks collecting network topology data for CMDB updates triggering route enumeration commands
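Before shipping the two rules above, it helps to exercise their classification order and thresholds against sample events, including the tuning cases in the list above. The following Python harness is an added example, not code from the page or from Argus Detection Engineering: it re-implements Rule 1's risk-indicator ordering and Rule 2's per-host window over constructed UDM-style events (all hostnames, paths, command lines and timestamps are made up), and adds an `authorized_scanners` allowlist that stands in for the "approved scanner infrastructure" exclusion the tuning notes call for. The sliding window is an approximation of Chronicle's match window, and the `-oX` case shows why the OS-fingerprinting pattern must keep `-O` case-sensitive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns mirroring the page's two YARA-L rules. RE2 and Python's re agree on the syntax
# used here, including the scoped flag (?-i:...) that keeps "-O" case-sensitive.
DISCOVERY_BINARY = re.compile(
    r"(?i)(^|[\\/])(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper)(\.exe)?$")
TOPOLOGY_CMD = re.compile(
    r"(?i)(tracert|traceroute|pathping|tracepath|route\s+print|netstat\s+-r|ip\s+route|"
    r"get-netroute|get-netneighbor|arp\s+-[an]|snmpwalk|snmpget|snmpenum|show\s+cdp|"
    r"show\s+lldp|show\s+ip\s+route|nmap\s+--traceroute|nmap\s+-O)")
# Ordered like the nested if() in the rule's outcome section: the first hit wins.
RISK_INDICATORS = [
    (re.compile(r"(?i)(snmpwalk|snmpget|snmpenum)"), "SNMP_Enumeration"),
    (re.compile(r"(?i)(nmap\s.*(?-i:-O)\b|osscan|os[-_.\s]?detection|os[-_.\s]?fingerprint)"),
     "OS_Fingerprinting"),
    (re.compile(r"(?i)(tracert|traceroute|pathping|tracepath)"), "Route_Tracing"),
    (re.compile(r"(?i)(nmap.*-sn|netdiscover|arp\s+-a|arp-scan)"), "Host_Discovery"),
    (re.compile(r"(?i)(get-netroute|route.*print|ip\s+route|netstat.*-r)"), "Routing_Table_Enum"),
]
ROUTING_PORTS = {161, 162, 179, 520, 521, 646, 2049, 8291}
LOCAL_DST = re.compile(r"^(127\.|::1|169\.254\.)")


def classify_process_launch(event):
    """Rule 1 for one PROCESS_LAUNCH event: the risk indicator label, or None if no match."""
    path = event.get("target.process.file.full_path", "")
    cmd = event.get("target.process.command_line", "")
    if not (DISCOVERY_BINARY.search(path) or TOPOLOGY_CMD.search(cmd)):
        return None
    for pattern, label in RISK_INDICATORS:
        if pattern.search(cmd):
            return label
    return "General_Network_Discovery"


def detect_protocol_scanning(events, authorized_scanners=frozenset(),
                             window=timedelta(minutes=30), min_events=5, min_targets=5):
    """Rule 2: per source host, find a window with more than min_events routing-port connections
    to more than min_targets distinct destinations; hosts in authorized_scanners are suppressed."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["metadata.event_type"] != "NETWORK_CONNECTION" or ev["target.port"] not in ROUTING_PORTS:
            continue
        if LOCAL_DST.match(ev["target.ip"]):  # loopback / link-local excluded, as in the rule
            continue
        by_host[ev["principal.hostname"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        if host in authorized_scanners:  # tuning: approved monitoring/scanner infrastructure
            continue
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window starting at each event
            bucket = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            targets = {e["target.ip"] for e in bucket}
            if len(bucket) > min_events and len(targets) > min_targets:
                alerts[host] = {"events": len(bucket), "unique_targets": len(targets),
                                "ports": sorted({e["target.port"] for e in bucket})}
                break
    return alerts


# Constructed sample telemetry; every hostname, path, command line and time is made up.
def proc(path, cmd):
    return {"target.process.file.full_path": path, "target.process.command_line": cmd}


PROCESS_EVENTS = {
    "ws01": proc(r"C:\Windows\System32\tracert.exe", "tracert.exe -d 8.8.8.8"),
    "ws02": proc(r"C:\Tools\nmap.exe", "nmap.exe -sn -oX disc.xml 10.0.0.0/24"),
    "ws03": proc("/usr/bin/nmap", "nmap -oX out.xml 10.0.0.5"),  # output flag, not OS detection
    "ws04": proc("/usr/bin/nmap", "nmap -O --osscan-guess 10.0.0.5"),
    "ws05": proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -c Get-NetRoute | ConvertTo-Json"),
    "srv01": proc("/usr/bin/snmpwalk", "snmpwalk -v2c -c public 10.0.0.1 .1.3.6.1.2.1.4.22"),
    "benign": proc(r"C:\Windows\System32\notepad.exe", "notepad.exe routes.txt"),
}
T0 = datetime(2026, 4, 13, 9, 0)


def conn(host, ip, port, minutes):
    return {"metadata.event_type": "NETWORK_CONNECTION", "principal.hostname": host,
            "target.ip": ip, "target.port": port, "ts": T0 + timedelta(minutes=minutes)}


NETWORK_EVENTS = (
    [conn("ws02", f"10.0.0.{i}", 161, i) for i in range(1, 9)]       # 8 devices in 8 minutes
    + [conn("ws05", "10.0.0.1", 161, m) for m in range(0, 12, 2)]      # 6 polls of one device
    + [conn("ws07", f"10.0.1.{i}", 179, 10 * i) for i in range(7)]     # 7 peers spread over an hour
    + [conn("ws02", "127.0.0.1", 161, 3)]                               # loopback, excluded by rule
    + [conn("prtg01", f"10.0.0.{i}", 161, i) for i in range(1, 20)]    # approved monitoring poller
)


def run_demo():
    """Rule 1 labels per host, and Rule 2 alerts before and after the scanner allowlist."""
    labels = {host: classify_process_launch(ev) for host, ev in PROCESS_EVENTS.items()}
    return {"labels": labels,
            "alerts_untuned": detect_protocol_scanning(NETWORK_EVENTS),
            "alerts_tuned": detect_protocol_scanning(NETWORK_EVENTS, authorized_scanners={"prtg01"})}
```

Running `run_demo()` labels ws02 as Host_Discovery and ws03 as General_Network_Discovery rather than OS_Fingerprinting, flags ws02 (8 devices) but not ws05 (one device polled 6 times) or ws07 (7 peers, never more than 4 in any 30-minute window), and drops prtg01 once it is on the allowlist. In Chronicle itself the equivalent exclusion is a reference list in the events section; the harness only shows which hosts such a list would silence.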
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Network Topology Discovery via Traceroute and Route Table Enumeration

    Expected signal: Sysmon Event ID 1: Process Create events for route.exe, tracert.exe, arp.exe, netstat.exe with their respective command lines. Sysmon Event ID 11: File Create event for route_output.txt in %TEMP%. Sysmon Event ID 3: Network connections from tracert.exe to 8.8.8.8 and intermediate hops. Security Event ID 4688 (if process auditing enabled) for each spawned process.

  2. Test 2: SNMP Network Device Topology Enumeration

    Expected signal: Auditd/Sysmon-for-Linux process execution event for snmpwalk with command line containing OIDs .1.3.6.1.2.1.4.22 (ARP table) and .1.3.6.1.2.1.4.24 (routing table). Network connection event (UDP/161) to target host. File creation event for /tmp/snmp_arp_output.txt. Syslog entries from snmpd if local daemon receives the query.

  3. Test 3: PowerShell Network Neighbor and Route Enumeration

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-NetRoute', 'Get-NetNeighbor', 'Get-NetIPAddress', 'ConvertTo-Json'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create event for network_topology.json in %TEMP%.

  4. Test 4: Nmap Host Discovery and OS Detection Scan

    Expected signal: Sysmon Event ID 1: Process Create for nmap.exe with CommandLine containing '-sn', '-O', '--osscan-guess', '-oX'. Multiple Sysmon Event ID 3 network connection events for ICMP and TCP probes across the /24 range. Sysmon Event ID 11: File Create events for nmap_discovery.xml and nmap_osdetect.xml in %TEMP%.

  5. Test 5: BGP and Routing Protocol Reconnaissance via Netstat

    Expected signal: Auditd/Sysmon-for-Linux process execution events for netstat, ss, ip with command lines containing routing protocol ports (179 BGP, 520 RIP, 646 LDP). File creation events for /tmp/routing_protocols.txt, /tmp/routing_table_full.txt, /tmp/arp_cache.txt. If Sysmon for Linux installed: Event ID 1 (Process Create) for each command.
