T1590 Google Chronicle · YARA-L

Detect Gather Victim Network Information in Google Chronicle

This detection identifies adversary reconnaissance activity targeting victim network information, including IP ranges, domain names, DNS records, network topology, and security appliance configurations. Because T1590 is a PRE-ATT&CK technique, direct detection within the victim environment is limited; however, second-order indicators are observable when adversaries deploy internal network enumeration tools post-compromise (as seen with Volt Typhoon, Indrik Spider, and HAFNIUM), attempt DNS zone transfers, execute WHOIS or DNS enumeration utilities, or run network discovery tools such as Lansweeper and Advanced IP Scanner. Detection focuses on process execution of known network reconnaissance binaries, DNS zone transfer attempts, and anomalous internal network topology queries that suggest an adversary mapping the environment for lateral movement or targeting.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Canonical reference
https://attack.mitre.org/techniques/T1590/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1590_gather_victim_network_information {
  meta:
    author = "Detection Engineering"
    description = "Detects adversary network reconnaissance activity targeting victim network information consistent with MITRE ATT&CK T1590. Identifies execution of known port/host scanning tools, DNS zone transfer enumeration, internal network discovery utilities, and domain trust enumeration via nltest. Observed in Volt Typhoon, HAFNIUM, and Indrik Spider intrusion sets."
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590"
    mitre_attack_technique_name = "Gather Victim Network Information"
    severity = "HIGH"
    confidence = "MEDIUM"
    rule_version = "1.0"
    created = "2026-04-14"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      // Known scanner / enumeration binaries by image path
      re.regex($e.target.process.file.full_path,
        `(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|unicornscan|dnsenum\.py|dnsrecon\.py|fierce\.py|sublist3r|amass\.exe|theharvester|lansweeper\.exe|netdiscover|angryip|advanced_port_scanner\.exe)`) or
      // Same tools (and zone transfer keywords) anywhere in the command line,
      // which also covers renamed binaries and non-Windows paths
      re.regex($e.target.process.command_line,
        `(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass|theharvester|lansweeper|netdiscover|angryip|advanced.port.scanner|axfr|zone-transfer|zone\s+transfer|\-t\s+any)`) or
      // Domain / DC enumeration via nltest
      (
        re.regex($e.target.process.file.full_path, `(?i)nltest\.exe`) and
        re.regex($e.target.process.command_line, `(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)`)
      ) or
      // DNS zone transfer attempts from standard resolver utilities
      (
        re.regex($e.target.process.file.full_path, `(?i)(nslookup\.exe|dig\.exe|host\.exe)`) and
        re.regex($e.target.process.command_line, `(?i)(axfr|AXFR|zone-transfer|\-t\s+any)`)
      )
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    // Highest-risk tool seen on the host within the window; the final
    // else branch (75) covers matches that hit none of the named tiers
    $risk_score = max(
      if(
        re.regex($e.target.process.command_line, `(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan)`), 90,
        if(
          re.regex($e.target.process.command_line, `(?i)(dnsrecon|dnsenum|fierce|axfr|zone.transfer)`), 85,
          if(
            re.regex($e.target.process.command_line, `(?i)(lansweeper|advanced.port.scanner|angryip|netdiscover)`), 80,
            if(
              re.regex($e.target.process.command_line, `(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)`), 70, 75
            )
          )
        )
      )
    )
    // With a match section, event-field outcome variables must be
    // aggregated; array_distinct collects every value seen in the window
    $hostname = array_distinct($e.principal.hostname)
    $process_name = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.target.process.command_line)
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $username = array_distinct($e.principal.user.userid)

  condition:
    $e
}
```

Severity: High · Confidence: Medium

Chronicle YARA-L 2.0 rule detecting network reconnaissance activity consistent with T1590 — Gather Victim Network Information. Uses UDM process launch events to identify known scanning tools, DNS AXFR zone transfer attempts, and domain trust enumeration commands. The match window groups events per hostname over 1 hour to support aggregation and risk score computation via outcome variables.

Data Sources

  • Chronicle UDM process launch events from Windows endpoints (via Sysmon or EDR forwarders)
  • Chronicle Windows Event Log parser (EventID 4688)
  • Chronicle Sysmon parser (EventID 1)
  • Chronicle Linux audit process events

Required Tables

  • UDM events with metadata.event_type = PROCESS_LAUNCH
  • target.process.* UDM fields
  • principal.process.* UDM fields

False Positives & Tuning

  • Authorized penetration testing or red team operations — add exclusion for known scanner host principal.hostname values or scanner service account principal.user.userid
  • Lansweeper, Nessus, or similar network management platforms running on dedicated scanner hosts under service accounts with predictable command-line patterns
  • System administrators using nltest for legitimate DC discovery, domain trust enumeration during AD migrations, or routine directory health checks
  • DNS operations teams running dig with AXFR against internal authoritative name servers as part of zone health monitoring or replication validation
  • Security tooling in managed SOC environments that invokes nmap or masscan as part of automated asset discovery pipelines on scheduled intervals
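To check the rule's regexes and risk-score tiers before deploying it, and to see how the exclusions listed above change the outcome, here is an added Python harness. It is not part of the page's rule and not a Chronicle API: it re-implements the events and outcome sections over constructed UDM-style process launch events. The hostnames, users and command lines are invented samples, and a fixed one-hour bucket stands in for Chronicle's match window.

```python
"""Offline evaluation of the T1590 YARA-L logic (added example, not
Chronicle code). Re-implements the rule's events and outcome sections
in Python so the regexes, risk tiers and tuning exclusions can be
checked against constructed events."""
import re
from collections import defaultdict

# Patterns copied from the rule's events section (RE2 syntax, which is
# also valid for Python's re module for these expressions).
TOOL_PATH = re.compile(r"(?i)(nmap\.exe|masscan\.exe|zmap\.exe|fping\.exe|nbtscan\.exe|unicornscan|dnsenum\.py|dnsrecon\.py|fierce\.py|sublist3r|amass\.exe|theharvester|lansweeper\.exe|netdiscover|angryip|advanced_port_scanner\.exe)")
TOOL_CMD = re.compile(r"(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan|dnsenum|dnsrecon|fierce|sublist3r|amass|theharvester|lansweeper|netdiscover|angryip|advanced.port.scanner|axfr|zone-transfer|zone\s+transfer|\-t\s+any)")
NLTEST_PATH = re.compile(r"(?i)nltest\.exe")
NLTEST_CMD = re.compile(r"(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)")
DNS_PATH = re.compile(r"(?i)(nslookup\.exe|dig\.exe|host\.exe)")
DNS_CMD = re.compile(r"(?i)(axfr|AXFR|zone-transfer|\-t\s+any)")

# Risk tiers in the order the rule's nested if() evaluates them.
RISK_TIERS = [
    (re.compile(r"(?i)(nmap|masscan|zmap|fping|nbtscan|unicornscan)"), 90),
    (re.compile(r"(?i)(dnsrecon|dnsenum|fierce|axfr|zone.transfer)"), 85),
    (re.compile(r"(?i)(lansweeper|advanced.port.scanner|angryip|netdiscover)"), 80),
    (re.compile(r"(?i)(\/dclist|\/domain_trusts|\/trusted_domains|\/dsgetdc)"), 70),
]
DEFAULT_RISK = 75  # the rule's final else branch


def event_matches(ev):
    """Boolean equivalent of the rule's events section."""
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    path, cmd = ev["process_path"], ev["command_line"]
    return bool(
        TOOL_PATH.search(path) or TOOL_CMD.search(cmd)
        or (NLTEST_PATH.search(path) and NLTEST_CMD.search(cmd))
        or (DNS_PATH.search(path) and DNS_CMD.search(cmd))
    )


def risk_score(cmd):
    """Per-event score from the nested if() in the outcome section."""
    for pattern, score in RISK_TIERS:
        if pattern.search(cmd):
            return score
    return DEFAULT_RISK


def detect(events, excluded_hosts=(), excluded_users=(), window_seconds=3600):
    """Group matching events per hostname and hour bucket (a simplification
    of Chronicle's match window) and compute the outcome variables.
    excluded_hosts / excluded_users model the tuning exclusions for
    approved scanner hosts and scanner service accounts."""
    groups = defaultdict(list)
    for ev in events:
        if ev["hostname"] in excluded_hosts or ev["userid"] in excluded_users:
            continue
        if event_matches(ev):
            groups[(ev["hostname"], ev["timestamp"] // window_seconds)].append(ev)
    results = []
    for (host, _bucket), evs in sorted(groups.items()):
        results.append({
            "hostname": host,
            "risk_score": max(risk_score(e["command_line"]) for e in evs),
            "process_name": sorted({e["process_path"] for e in evs}),
            "command_line": sorted({e["command_line"] for e in evs}),
            "username": sorted({e["userid"] for e in evs}),
            "event_count": len(evs),
        })
    return results


def make_event(ts, host, user, path, cmd, event_type="PROCESS_LAUNCH"):
    return {"timestamp": ts, "hostname": host, "userid": user,
            "process_path": path, "command_line": cmd, "event_type": event_type}


# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    make_event(1000, "WS-017", "jdoe", r"C:\Tools\nmap.exe", "nmap.exe -sS -p 445,3389 10.10.0.0/24"),
    make_event(1600, "WS-017", "jdoe", r"C:\Windows\System32\nslookup.exe", "nslookup -type=AXFR corp.example"),
    make_event(2000, "WS-017", "jdoe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    # Linux dig: the path lacks ".exe", so only the command-line regex fires
    make_event(2100, "SRV-DNS01", "dnsops", "/usr/bin/dig", "dig @ns1.corp.example corp.example -t any"),
    # Approved scanner host running under its service account
    make_event(2200, "SCAN-01", "svc_lansweeper", r"C:\Program Files\Lansweeper\lansweeper.exe", "lansweeper.exe /scan"),
    # Benign activity that must not match
    make_event(2300, "WS-042", "asmith", r"C:\Windows\System32\ping.exe", "ping -n 1 fileserver"),
    make_event(2400, "WS-042", "asmith", r"C:\Windows\System32\nltest.exe", "nltest /sc_verify:corp"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print("untuned:", row["hostname"], row["risk_score"], row["event_count"])
    for row in detect(SAMPLE_EVENTS, excluded_hosts=("SCAN-01",), excluded_users=("dnsops",)):
        print("tuned:  ", row["hostname"], row["risk_score"], row["event_count"])
```

Run as a script, the untuned pass reports SCAN-01 (80), SRV-DNS01 (75) and WS-017 (90); once the scanner host and the DNS operations account are excluded, only WS-017 remains. The SRV-DNS01 row is worth noting when tuning: `dig ... -t any` reaches the rule only through the `\-t\s+any` command-line pattern and lands in the default 75 tier, so a zone-health job on a Linux name server scores nearly as high as a zone transfer from a workstation unless its host or account is excluded.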

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Internal Subnet Port Scan

    Expected signal: Sysmon EventCode 1 (process create) with Image=nmap.exe, CommandLine containing the subnet range. Sysmon EventCode 3 (network connect) showing connections from nmap.exe to multiple internal IPs on specified ports. DeviceProcessEvents and DeviceNetworkEvents telemetry in MDE.

  2. Test 2: DNS Zone Transfer Attempt via nslookup

    Expected signal: Sysmon EventCode 1 with Image=nslookup.exe, CommandLine containing 'AXFR' and the target domain. Windows DNS debug log (if enabled) will show an AXFR request from the client IP. DeviceProcessEvents in MDE captures the command line.

  3. Test 3: Domain Trust Enumeration via nltest

    Expected signal: Sysmon EventCode 1 (process create) for each nltest invocation with the respective flags in CommandLine. SecurityEvent EventID 4688 if process command line auditing is enabled via GPO. DeviceProcessEvents in MDE with full command line captured.

  4. Test 4: Internal Network Discovery with Advanced IP Scanner

    Expected signal: DeviceFileEvents showing advanced_ip_scanner.exe created in C:\Temp. Sysmon EventCode 11 (file create) for the binary. Process creation event for advanced_ip_scanner.exe. Network connection events to multiple internal IPs during scan. DeviceNetworkEvents in MDE showing mass internal connections.
