
Detect Gather Victim Network Information in IBM QRadar

This detection identifies adversary reconnaissance activity targeting victim network information, including IP ranges, domain names, DNS records, network topology, and security appliance configurations. Because T1590 is a PRE-ATT&CK technique, direct detection within the victim environment is limited; however, second-order indicators are observable when adversaries deploy internal network enumeration tools post-compromise (as seen with Volt Typhoon, Indrik Spider, and HAFNIUM), attempt DNS zone transfers, execute WHOIS or DNS enumeration utilities, or run network discovery tools such as Lansweeper and Advanced IP Scanner. Detection focuses on process execution of known network reconnaissance binaries, DNS zone transfer attempts, and anomalous internal network topology queries that suggest an adversary mapping the environment for lateral movement or targeting.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Canonical reference
https://attack.mitre.org/techniques/T1590/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  "Parent Process Name" AS ParentProcess,
  CASE
    WHEN LOWER("Command") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*' THEN 'PortHostScanning'
    WHEN LOWER("Command") MATCHES '.*dnsrecon.*|.*dnsenum.*|.*fierce.*|.*axfr.*|.*zone.transfer.*|.*zone-transfer.*' THEN 'DNSEnumeration'
    WHEN LOWER("Command") MATCHES '.*lansweeper.*|.*advanced.port.scanner.*|.*advanced.ip.scanner.*|.*angryip.*|.*netdiscover.*' THEN 'NetworkDiscoveryTool'
    WHEN LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*' THEN 'DomainTrustEnumeration'
    ELSE 'KnownReconBinary'
  END AS ReconCategory,
  CASE
    WHEN LOWER("Command") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*' THEN 90
    WHEN LOWER("Command") MATCHES '.*dnsrecon.*|.*dnsenum.*|.*fierce.*|.*axfr.*|.*zone.transfer.*|.*zone-transfer.*' THEN 85
    WHEN LOWER("Command") MATCHES '.*lansweeper.*|.*advanced.port.scanner.*|.*advanced.ip.scanner.*|.*angryip.*|.*netdiscover.*' THEN 80
    WHEN LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*' THEN 70
    ELSE 75
  END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon', 'Linux OS')
  AND (
    LOWER("Process Name") MATCHES '.*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*|.*dnsenum.*|.*dnsrecon.*|.*fierce.*|.*lansweeper.*|.*netdiscover.*|.*amass.*|.*sublist3r.*|.*theharvester.*|.*angryip.*|.*advanced.ip.scanner.*'
    OR LOWER("Command") MATCHES '.*axfr.*|.*zone.transfer.*|.*zone-transfer.*|.*/dclist.*|.*/domain_trusts.*|.*/dsgetdc.*|.*/trusted_domains.*|.*-t any.*'
    OR (
      LOWER("Process Name") MATCHES '.*nltest.*'
      AND LOWER("Command") MATCHES '.*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY SuspicionScore DESC, starttime DESC
Severity: high. Confidence: medium.

Detects execution of known network reconnaissance utilities and DNS zone transfer attempts consistent with T1590. The query reads process creation events from the Windows Security Event Log, Sysmon, and Linux OS log source types and categorises each hit as port/host scanning, DNS enumeration, network discovery tool usage, or domain trust enumeration; a binary matched on image name alone falls into the KnownReconBinary category. Note that AQL MATCHES is a whole-string regular expression match, which is why every term is wrapped in '.*'. Suspicion scoring mirrors the KQL/SPL baseline for consistent cross-platform triage.

Data Sources

  • Microsoft Windows Security Event Log (EventID 4688 with process command line auditing enabled)
  • Microsoft Sysmon (EventID 1)
  • Linux OS auditd process execution events
  • QRadar DSM for Windows and Sysmon

Required Tables

events

False Positives & Tuning

  • Authorized penetration testing or red team engagements — correlate with scheduled maintenance windows and source IP allowlists in QRadar reference sets
  • IT asset inventory tools such as Lansweeper or PDQ Inventory running under service accounts on scheduled scan intervals
  • Network administrators executing nltest commands for routine Active Directory health checks, domain controller discovery, or trust relationship validation
  • Vulnerability management infrastructure where nmap is invoked as a subprocess by scanning platforms (Tenable, Qualys, Rapid7)
  • DNS administrators running dig with AXFR for zone replication health verification between authoritative servers

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Nmap Internal Subnet Port Scan

    Expected signal: Sysmon EventCode 1 (process create) with Image=nmap.exe, CommandLine containing the subnet range. Sysmon EventCode 3 (network connect) showing connections from nmap.exe to multiple internal IPs on specified ports. DeviceProcessEvents and DeviceNetworkEvents telemetry in MDE.

  2. Test 2: DNS Zone Transfer Attempt via nslookup

    Expected signal: Sysmon EventCode 1 with Image=nslookup.exe, CommandLine containing 'AXFR' and the target domain. Windows DNS debug log (if enabled) will show an AXFR request from the client IP. DeviceProcessEvents in MDE captures the command line.

  3. Test 3: Domain Trust Enumeration via nltest

    Expected signal: Sysmon EventCode 1 (process create) for each nltest invocation with the respective flags in CommandLine. SecurityEvent EventID 4688 if process command line auditing is enabled via GPO. DeviceProcessEvents in MDE with full command line captured.

  4. Test 4: Internal Network Discovery with Advanced IP Scanner

    Expected signal: DeviceFileEvents showing advanced_ip_scanner.exe created in C:\Temp. Sysmon EventCode 11 (file create) for the binary. Process creation event for advanced_ip_scanner.exe. Network connection events to multiple internal IPs during scan. DeviceNetworkEvents in MDE showing mass internal connections.
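To check the query's WHERE and CASE logic offline against the four tests above before deploying it, here is an added Python model that is not part of the original page or of QRadar. It reproduces the AQL patterns with re.fullmatch (AQL MATCHES anchors to the whole string); the advanced.ip.scanner term, the allowed_sources set standing in for a QRadar reference set of approved scanner IPs, and the event records are all constructed for this example.

```python
import re

# (category, regex, score) triples mirroring the CASE branches of the AQL query.
# AQL MATCHES is a whole-string regex match, so every term is wrapped in .* and
# re.fullmatch reproduces it. The advanced.ip.scanner term is an addition here so
# that Test 4 (advanced_ip_scanner.exe) produces a hit.
CATEGORIES = [
    ("PortHostScanning", r".*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*", 90),
    ("DNSEnumeration", r".*dnsrecon.*|.*dnsenum.*|.*fierce.*|.*axfr.*|.*zone.transfer.*|.*zone-transfer.*", 85),
    ("NetworkDiscoveryTool", r".*lansweeper.*|.*advanced.port.scanner.*|.*advanced.ip.scanner.*|.*angryip.*|.*netdiscover.*", 80),
    ("DomainTrustEnumeration", r".*/dclist.*|.*/domain_trusts.*|.*/trusted_domains.*|.*/dsgetdc.*", 70),
]
# WHERE-clause equivalents: known recon images by name, recon flags by command line.
PROCESS_RE = re.compile(r".*nmap.*|.*masscan.*|.*zmap.*|.*fping.*|.*nbtscan.*|.*unicornscan.*|.*dnsenum.*|"
                        r".*dnsrecon.*|.*fierce.*|.*lansweeper.*|.*netdiscover.*|.*amass.*|.*sublist3r.*|"
                        r".*theharvester.*|.*angryip.*|.*advanced.ip.scanner.*")
COMMAND_RE = re.compile(r".*axfr.*|.*zone.transfer.*|.*zone-transfer.*|.*/dclist.*|.*/domain_trusts.*|"
                        r".*/dsgetdc.*|.*/trusted_domains.*|.*-t any.*")

def classify(event, allowed_sources=frozenset()):
    """Return (ReconCategory, SuspicionScore) for one process-creation event, or None.
    event carries the fields the query selects: process, command, user, sourceip.
    allowed_sources is a stand-in for a QRadar reference set of approved scanner IPs
    (the tuning step for authorised scanning platforms) and is checked first."""
    if event["sourceip"] in allowed_sources:
        return None
    process, command = event["process"].lower(), event["command"].lower()
    if not (PROCESS_RE.fullmatch(process) or COMMAND_RE.fullmatch(command)):
        return None  # would not pass the query's WHERE clause
    for category, pattern, score in CATEGORIES:
        if re.fullmatch(pattern, command):
            return category, score
    return "KnownReconBinary", 75  # image name matched only: the query's ELSE branch

def triage(events, allowed_sources=frozenset()):
    """Classify a batch and order it like the query: SuspicionScore DESC."""
    hits = [(e, *r) for e in events if (r := classify(e, allowed_sources))]
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed Sysmon EventCode 1 records for the four tests plus one authorised scanner.
SAMPLE_EVENTS = [
    {"process": "nmap.exe", "command": "nmap -sn 10.10.20.0/24", "user": "jdoe", "sourceip": "10.10.5.17"},
    {"process": "nslookup.exe", "command": "nslookup -type=AXFR corp.example", "user": "jdoe", "sourceip": "10.10.5.17"},
    {"process": "nltest.exe", "command": "nltest /dclist:corp.example", "user": "jdoe", "sourceip": "10.10.5.17"},
    {"process": "advanced_ip_scanner.exe", "command": r"C:\Temp\advanced_ip_scanner.exe", "user": "jdoe", "sourceip": "10.10.5.17"},
    {"process": "nmap", "command": "nmap -sV 10.10.0.0/16", "user": "svc-tenable", "sourceip": "10.10.9.9"},
]
```

Running triage(SAMPLE_EVENTS, frozenset({"10.10.9.9"})) returns the four test events in the query's triage order (90, 85, 80, 70) and drops the allowlisted scanner, which is the behaviour to confirm before the same allowlist is applied as a reference set in QRadar.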
