title: Network Topology (T1590.004)
id: df00tech-t1590-004
status: experimental
description: "Adversaries may gather information about the victim's network topology that can be used during targeting. This includes physical and logical arrangement of external-facing and internal network environments, network devices such as gateways and routers, and routing infrastructure. Threat actors like Volt Typhoon and Salt Typhoon have conducted extensive network topology reconnaissance to identify critical infrastructure paths, upstream/downstream network segments, and inter-network connectivity before executing intrusion campaigns. Detection focuses on two surfaces: (1) network discovery tool execution on managed endpoints indicating an insider or post-compromise enumeration phase, and (2) external scanning patterns visible in perimeter logs indicating pre-compromise reconnaissance by external actors."
references:
  - https://attack.mitre.org/techniques/T1590/004/
  - https://df00tech.com/detections/T1590.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1590.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the detection logic could not be auto-translated, and this selection
  # matches every process_creation event. Replace it with the KQL/SPL query on df00tech
  # before deploying, or the rule will fire on all process starts.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Network engineers running nmap or traceroute for legitimate troubleshooting or change management activities
  - "IT asset management systems (Lansweeper, SolarWinds, Nessus) performing scheduled network discovery scans"
  - "SNMP-based monitoring tools (PRTG, Zabbix, Nagios) polling network devices on UDP/161"
  - BGP route monitoring scripts querying routing tables for network health dashboards
  - Penetration testing engagements with authorized scanners operating from managed endpoints
level: medium
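Worked example added to this rule page; it is not part of the df00tech rule or its KQL/SPL query. It implements the two detection surfaces the description names in plain Python over constructed sample events: discovery tool execution on a managed endpoint, and a single external source probing many ports or many internal hosts in perimeter deny logs. The tool list, the `svc-lansweeper`/`svc-nessus` scanner allowlist, the firewall log format, the host names and addresses, and the thresholds are all assumptions to be tuned per environment.

```python
# Added example, not the df00tech rule's own logic. Scores the two detection
# surfaces from the rule description against constructed sample events.
from collections import defaultdict

# Surface 1: discovery tool execution on managed endpoints (process_creation).
# Limited to the tools the rule's false-positive notes mention plus their
# Windows equivalents; extend the set for your environment.
DISCOVERY_TOOLS = {"nmap.exe", "tracert.exe", "traceroute.exe", "pathping.exe"}

# Hypothetical service accounts for scheduled asset-management scanners
# (Lansweeper, Nessus). Tuning this allowlist is what handles the listed
# false positives without suppressing interactive users.
SCANNER_ACCOUNTS = {"svc-lansweeper", "svc-nessus"}

# Constructed sample process_creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Tools\\nmap\\nmap.exe"},
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\tracert.exe"},
    {"Computer": "SCAN-01", "User": "CORP\\svc-nessus", "Image": "C:\\Scanners\\nmap.exe"},
    {"Computer": "WS-043", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe"},
]


def endpoint_discovery_alerts(events):
    """Return (host, user, image) for discovery tools run by non-scanner accounts."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        user = ev.get("User", "").split("\\")[-1].lower()
        if image in DISCOVERY_TOOLS and user not in SCANNER_ACCOUNTS:
            alerts.append((ev["Computer"], user, image))
    return alerts


# Surface 2: external scanning visible in perimeter logs. One external source
# touching many distinct ports (including gateway services such as SNMP/161
# and BGP/179) or many distinct internal hosts is the topology-mapping pattern.
# Log format and addresses are constructed; thresholds are illustrative.
SAMPLE_FIREWALL_LINES = [
    "2026-04-13T10:00:01Z deny src=203.0.113.5 dst=198.51.100.10 dport=22",
    "2026-04-13T10:00:02Z deny src=203.0.113.5 dst=198.51.100.10 dport=23",
    "2026-04-13T10:00:03Z deny src=203.0.113.5 dst=198.51.100.10 dport=80",
    "2026-04-13T10:00:04Z deny src=203.0.113.5 dst=198.51.100.10 dport=161",
    "2026-04-13T10:00:05Z deny src=203.0.113.5 dst=198.51.100.10 dport=179",
    "2026-04-13T10:00:06Z deny src=203.0.113.5 dst=198.51.100.11 dport=179",
    "2026-04-13T10:00:07Z deny src=203.0.113.5 dst=198.51.100.12 dport=179",
    "2026-04-13T10:00:08Z deny src=198.51.100.77 dst=198.51.100.10 dport=443",
    "2026-04-13T10:00:09Z allow src=192.0.2.9 dst=198.51.100.10 dport=443",
]


def parse_firewall_line(line):
    """Parse a constructed '<ts> <action> key=value ...' line into a dict."""
    parts = line.split()
    fields = dict(part.split("=", 1) for part in parts[2:])
    fields["action"] = parts[1]
    return fields


def external_scan_alerts(lines, port_threshold=5, host_threshold=3):
    """Map source IP -> reasons for sources whose denied traffic fans out widely."""
    ports = defaultdict(set)
    hosts = defaultdict(set)
    for line in lines:
        f = parse_firewall_line(line)
        if f["action"] != "deny":
            continue
        ports[f["src"]].add(f["dport"])
        hosts[f["src"]].add(f["dst"])
    alerts = {}
    for src in ports:
        reasons = []
        if len(ports[src]) >= port_threshold:
            reasons.append(f"{len(ports[src])} distinct ports")
        if len(hosts[src]) >= host_threshold:
            reasons.append(f"{len(hosts[src])} distinct hosts")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    print("endpoint discovery:", endpoint_discovery_alerts(SAMPLE_EVENTS))
    print("external scanning:", external_scan_alerts(SAMPLE_FIREWALL_LINES))
```

Raising `port_threshold` or `host_threshold` trades recall for fewer alerts on noisy perimeters; the allowlist on the endpoint surface is the knob that absorbs the scheduled Lansweeper/Nessus scans from the false-positive list while still surfacing an interactive user running the same tools.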
