Detect Network Topology in IBM QRadar
Adversaries may gather information about the victim's network topology that can be used during targeting. This includes physical and logical arrangement of external-facing and internal network environments, network devices such as gateways and routers, and routing infrastructure. Threat actors like Volt Typhoon and Salt Typhoon have conducted extensive network topology reconnaissance to identify critical infrastructure paths, upstream/downstream network segments, and inter-network connectivity before executing intrusion campaigns. Detection focuses on two surfaces: (1) network discovery tool execution on managed endpoints indicating an insider or post-compromise enumeration phase, and (2) external scanning patterns visible in perimeter logs indicating pre-compromise reconnaissance by external actors.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1590 Gather Victim Network Information
- Sub-technique: T1590.004 Network Topology
- Canonical reference: https://attack.mitre.org/techniques/T1590/004/
QRadar Detection Query
Query 1: endpoint process execution of network discovery tools. AQL does not support UNION, so this query and Query 2 below are run as two separate searches (or two rules).

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  CASE
    WHEN LOWER("Command") MATCHES '.*(snmpwalk|snmpget|snmpenum|snmpbulk).*' THEN 'SNMP_Topology_Recon'
    WHEN LOWER("Command") MATCHES '.*(nmap.*-o|os-detection|os-fingerprint).*' THEN 'OS_Fingerprinting'
    WHEN LOWER("Command") MATCHES '.*(tracert|traceroute|pathping|tracepath).*' THEN 'Route_Tracing'
    WHEN LOWER("Command") MATCHES '.*(nmap.*-sn|netdiscover|arp.*-a|arp-scan).*' THEN 'Host_Discovery'
    WHEN LOWER("Command") MATCHES '.*(get-netroute|route.*print|ip.*route|netstat.*-r).*' THEN 'Routing_Table_Enum'
    ELSE 'General_Network_Discovery'
  END AS risk_category,
  QIDNAME(qid) AS event_name
FROM events
WHERE
  devicetype IN (12, 13, 14, 233, 352)
  AND starttime > NOW() - 86400000
  AND (
    LOWER("Process Name") MATCHES '.*(nmap|masscan|zmap|netdiscover|nbtscan|arp-scan|unicornscan|lansweeper).*'
    OR LOWER("Command") MATCHES '.*(nmap|masscan|zmap|tracert|traceroute|pathping|tracepath|snmpwalk|snmpget|snmpenum|get-netroute|get-netneighbor|route.*print|netstat.*-r|arp.*-a|show cdp|show lldp).*'
  )
ORDER BY starttime DESC
LIMIT 1000
```

Query 2: network flow scanning on management/routing ports.

```sql
SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS event_time,
  flowsourceid AS flow_source,
  sourceip AS host_ip,
  APPLICATIONNAME(applicationid) AS process_name,
  CONCAT('Port scan to ', LONG(UNIQUECOUNT(destinationip)), ' hosts') AS command_line,
  CASE
    WHEN SUM(CASE WHEN destinationport IN (161, 162) THEN 1 ELSE 0 END) > 0 THEN 'SNMP_Broadcast_Scan'
    WHEN SUM(CASE WHEN destinationport = 179 THEN 1 ELSE 0 END) > 0 THEN 'BGP_Route_Discovery'
    ELSE 'Broadcast_Protocol_Scanning'
  END AS risk_category,
  'Multi-Host Protocol Scan' AS event_name
FROM flows
WHERE
  starttime > NOW() - 86400000
  AND destinationport IN (161, 162, 179, 520, 521, 646, 2049, 8291)
GROUP BY sourceip, applicationid, flowsourceid
HAVING UNIQUECOUNT(destinationip) > 5
ORDER BY event_time DESC
```

Detects network topology reconnaissance with two AQL queries against QRadar event and flow data. Query 1 searches process execution events from Windows/Linux log sources for known network discovery tool names and commands, and labels each hit with a risk category (first matching CASE branch wins). Query 2 aggregates flow data per source IP and flags hosts that reached more than five distinct destinations on SNMP, BGP, RIP, and other routing/management protocol ports. Because AQL MATCHES must match the entire field value, every pattern is wrapped in .* on both sides; the log source type filter uses the devicetype field (log source type ID), with 12=WinVista/7, 13=WinServer, 233=Sysmon, 352=Linux OS. Flows carry no username or log source, so Query 2 reports the flow source and application instead.
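To check the category ordering and the distinct-host threshold before deploying the AQL, the following Python mirrors both queries over constructed Sysmon command lines and flow records. This is an added example, not code from the page or from IBM QRadar; the flow record keys src, dst and dport are assumed names for the sample data.

```python
import re
from collections import defaultdict

# Query 1 categories in the same first-match-wins order as the AQL CASE (command is lowercased).
ENDPOINT_CATEGORIES = [
    ("SNMP_Topology_Recon", r"snmpwalk|snmpget|snmpenum|snmpbulk"),
    ("OS_Fingerprinting", r"nmap.*-o|os-detection|os-fingerprint"),
    ("Route_Tracing", r"tracert|traceroute|pathping|tracepath"),
    ("Host_Discovery", r"nmap.*-sn|netdiscover|arp.*-a|arp-scan"),
    ("Routing_Table_Enum", r"get-netroute|route.*print|ip.*route|netstat.*-r"),
]
# Query 1 WHERE-clause command filter; re.search behaves like AQL MATCHES with .* on both ends.
DISCOVERY_FILTER = re.compile(r"nmap|masscan|zmap|tracert|traceroute|pathping|tracepath|snmpwalk|snmpget|"
                              r"snmpenum|get-netroute|get-netneighbor|route.*print|netstat.*-r|arp.*-a|show cdp|show lldp")
MGMT_PORTS = {161, 162, 179, 520, 521, 646, 2049, 8291}  # Query 2 destination ports

def classify_command(command_line):
    """Query 1: risk category for one command line, or None when the WHERE filter would not fire."""
    cmd = command_line.lower()
    if not DISCOVERY_FILTER.search(cmd):
        return None
    for category, pattern in ENDPOINT_CATEGORIES:
        if re.search(pattern, cmd):
            return category
    return "General_Network_Discovery"

def scan_sources(flows, min_hosts=5):
    """Query 2: distinct destinations per source on MGMT_PORTS; keep sources above min_hosts (HAVING)."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for f in flows:
        if f["dport"] in MGMT_PORTS:
            per_src[f["src"]]["hosts"].add(f["dst"])
            per_src[f["src"]]["ports"].add(f["dport"])
    findings = {}
    for src, agg in per_src.items():
        if len(agg["hosts"]) <= min_hosts:
            continue
        if agg["ports"] & {161, 162}:
            category = "SNMP_Broadcast_Scan"
        elif 179 in agg["ports"]:
            category = "BGP_Route_Discovery"
        else:
            category = "Broadcast_Protocol_Scanning"
        findings[src] = (len(agg["hosts"]), category)
    return findings

# Constructed sample flow records (not real telemetry); the keys src/dst/dport are assumed names.
SAMPLE_FLOWS = ([{"src": "10.0.0.5", "dst": f"10.0.1.{i}", "dport": 161} for i in range(1, 9)]   # 8 hosts, SNMP
                + [{"src": "10.0.0.7", "dst": f"10.0.3.{i}", "dport": 179} for i in range(1, 7)]  # 6 hosts, BGP
                + [{"src": "10.0.0.9", "dst": "10.0.2.1", "dport": 443}])                        # not a mgmt port
```

Raising min_hosts is the offline equivalent of tuning the HAVING threshold when monitoring infrastructure polls many devices.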
False Positives & Tuning
- Network monitoring infrastructure (SolarWinds NPM, PRTG, Nagios) generating high-volume SNMP polling to network devices appearing as broadcast scanning
- Authorized penetration testing or red team exercises using nmap/masscan from sanctioned IP ranges
- IT operations scripts that collect routing table data during automated asset inventory or change management windows
- Network engineers running traceroute/pathping for legitimate latency troubleshooting investigations
Testing Methodology
Validate this detection against 5 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Network Topology Discovery via Traceroute and Route Table Enumeration
  Expected signal: Sysmon Event ID 1: Process Create events for route.exe, tracert.exe, arp.exe, netstat.exe with their respective command lines. Sysmon Event ID 11: File Create event for route_output.txt in %TEMP%. Sysmon Event ID 3: Network connections from tracert.exe to 8.8.8.8 and intermediate hops. Security Event ID 4688 (if process auditing is enabled) for each spawned process.
- Test 2: SNMP Network Device Topology Enumeration
  Expected signal: Auditd/Sysmon-for-Linux process execution event for snmpwalk with command line containing OIDs .1.3.6.1.2.1.4.22 (ARP table) and .1.3.6.1.2.1.4.24 (routing table). Network connection event (UDP/161) to the target host. File creation event for /tmp/snmp_arp_output.txt. Syslog entries from snmpd if a local daemon receives the query.
- Test 3: PowerShell Network Neighbor and Route Enumeration
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Get-NetRoute', 'Get-NetNeighbor', 'Get-NetIPAddress', 'ConvertTo-Json'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Sysmon Event ID 11: File Create event for network_topology.json in %TEMP%.
- Test 4: Nmap Host Discovery and OS Detection Scan
  Expected signal: Sysmon Event ID 1: Process Create for nmap.exe with CommandLine containing '-sn', '-O', '--osscan-guess', '-oX'. Multiple Sysmon Event ID 3 network connection events for ICMP and TCP probes across the /24 range. Sysmon Event ID 11: File Create events for nmap_discovery.xml and nmap_osdetect.xml in %TEMP%.
- Test 5: BGP and Routing Protocol Reconnaissance via Netstat
  Expected signal: Auditd/Sysmon-for-Linux process execution events for netstat, ss, ip with command lines containing routing protocol ports (179 BGP, 520 RIP, 646 LDP). File creation events for /tmp/routing_protocols.txt, /tmp/routing_table_full.txt, /tmp/arp_cache.txt. If Sysmon for Linux is installed: Event ID 1 (Process Create) for each command.
References (9)
- https://attack.mitre.org/techniques/T1590/004/
- https://dnsdumpster.com/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://blog.talosintelligence.com/salt-typhoon-analysis/
- https://www.mandiant.com/resources/blog/fin13-a-cybercriminal-threat-actor-focused-on-mexico
- https://nmap.org/book/man-output.html
- https://learn.microsoft.com/en-us/powershell/module/nettcpip/get-netroute
- https://learn.microsoft.com/en-us/azure/sentinel/connect-sysmon
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.004/T1590.004.md