host-interaction/network/routing-table
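# capa rule: flags code that reads the host's IP routing table through the
# Windows IP Helper API (iphlpapi). The nesting below is restored; with every
# key at column 0 the document parses as one flat mapping, not as a rule with
# `meta` and `features` sections.
rule:
  meta:
    name: get routing table
    namespace: host-interaction/network/routing-table
    authors:
      - michael.hunhoff@mandiant.com
    # Match granularity: one instruction (the call site) in static analysis,
    # one API call in a dynamic (sandbox) trace.
    scopes:
      static: instruction
      dynamic: call
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
    references:
      - https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getipforwardtable
      - https://learn.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-getipforwardtable2
      # NOTE(review): third-party source, linked by branch (`main`) rather than
      # by commit, so the referenced content can change or disappear.
      - https://github.com/T04R/collection/blob/main/evasion/03.Local-admin/EPP-comms/netblk-printroute/implant.cpp
    # Format: <sample hash>:<address of a location where the rule matches>.
    examples:
      - b1133d7e5599beefe992a127f6e9704176a13b7e86b4db45c3b61cf25a60d414:0x140001000
  features:
    # Either API is sufficient. Both are also called by legitimate networking
    # software (VPN clients, diagnostics), so a match describes a capability
    # and is not a verdict on its own.
    # Matching is by API name: a sample that resolves these functions at run
    # time without naming them may not match statically; the `dynamic: call`
    # scope is what covers that case.
    - or:
        # IPv4 routing table.
        - api: iphlpapi.GetIpForwardTable
        # IP route entries on the local computer (newer netioapi interface).
        - api: iphlpapi.GetIpForwardTable2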
last edited: 2025-09-09 19:21:48