IPv4 Routes
Overview
Evidence: IPv4 Routes
Description: Collect IPv4 Routes
Category: Network
Platform: Windows
Short Name: ipv4
Is Parsed: Yes (routing table parsed into structured format)
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The IPv4 routing table determines how the local system forwards packets to destination networks. It contains on-link routes for directly connected subnets, one or more default routes (0.0.0.0/0 via a gateway), and any routes added manually (route add, netsh) or learned dynamically.
Changes to the routing table can indicate VPN or tunnel usage, split tunnelling, traffic redirection through an attacker-controlled gateway, or other routing-based attacks.
Data Collected
Each parsed route carries the fields of the Windows MIB_IPFORWARDROW structure. Example values are illustrative.

Field        Description                                                                        Example
Destination  Destination network address (dwForwardDest); 0.0.0.0 marks a default route          0.0.0.0
Mask         Network mask (dwForwardMask); 0.0.0.0 for a default route, 255.255.255.255 for a host route   0.0.0.0
Policy       Forwarding policy (dwForwardPolicy); normally 0                                    0
Next Hop     Gateway address (dwForwardNextHop); for on-link routes, the local interface address  192.168.1.1
Adapter      Interface index (dwForwardIfIndex) of the adapter the route uses                   12
Type         Route type (dwForwardType): 1 Other, 2 Invalid, 3 Direct (on-link), 4 Indirect (via gateway)   4 (Indirect)
Protocol     Origin of the route (dwForwardProto): 2 LOCAL, 3 NETMGMT, 10002 NT_AUTOSTATIC, 10006 NT_STATIC   3 (NETMGMT)
Age          Seconds since the route was last updated (dwForwardAge)                            3600
Collection Method
This collector uses the Windows IP Helper API (iphlpapi.dll) to enumerate routes:
Calls GetIpForwardTable to retrieve the IPv4 routing table as a MIB_IPFORWARDTABLE (a count followed by an array of MIB_IPFORWARDROW entries)
Parses each route entry
Extracts destination, mask, next-hop, adapter, type, protocol, and age information
Usage
Routing tables reveal network topology and potential network manipulation. Investigators use this data to identify VPN or tunnel routes, detect routing table manipulation, understand network architecture, identify static routes to suspicious networks, and detect network-based persistence or C2 infrastructure.
Known Limitations
Point-in-time snapshot: a route added and removed between collections is not recorded
Dynamic routes change frequently, so the Age field should be read relative to collection time
IPv6 routes are not collected; GetIpForwardTable returns only the IPv4 table
Route interpretation requires networking knowledge (for example, a second default route with a lower metric is normal for a full-tunnel VPN but suspicious otherwise)
Notes
Pay attention to unusual static routes (Protocol NETMGMT or NT_STATIC), host routes (mask 255.255.255.255) to external addresses, routes to private IP ranges via a gateway that is not the default gateway, more than one default route, and routes whose next hop is not on any connected subnet. VPN connections often add an on-link route for the tunnel subnet plus a second default route or a set of split-tunnel routes on the VPN adapter.
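The following is an added example, not the collector's own code, covering both the Collection Method section (decoding a raw MIB_IPFORWARDTABLE buffer into the structured fields listed above) and the Usage and Notes sections (triage rules over the parsed routes). The byte buffer is constructed inline from a hypothetical host with a LAN adapter (index 12) and a VPN adapter (index 23) so the script runs offline; on a live Windows host the same bytes would come back from GetIpForwardTable via ctypes. The triage heuristics and the adapter indices are assumptions for illustration.

```python
"""Parse a raw MIB_IPFORWARDTABLE buffer into structured routes and triage them.

Added example for this page, not the collector's own code. SAMPLE_TABLE is a
constructed buffer; on Windows the same layout is what GetIpForwardTable fills in.
"""
import ipaddress
import struct

# MIB_IPFORWARDROW is 14 DWORDs (56 bytes). Address fields are kept as 4 raw bytes
# because Windows stores them in network byte order, like sockaddr_in.sin_addr.
ROW_FMT = "<4s4sI4s" + "I" * 10
ROW_SIZE = struct.calcsize(ROW_FMT)

ROUTE_TYPE = {1: "Other", 2: "Invalid", 3: "Direct", 4: "Indirect"}
ROUTE_PROTO = {1: "OTHER", 2: "LOCAL", 3: "NETMGMT", 8: "RIP",
               10002: "NT_AUTOSTATIC", 10006: "NT_STATIC", 10007: "NT_STATIC_NON_DOD"}
STATIC_PROTOS = {3, 10006, 10007}  # administrator-added routes (route add / netsh)
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_forward_table(buf):
    """Decode dwNumEntries followed by that many MIB_IPFORWARDROW structures."""
    (count,) = struct.unpack_from("<I", buf, 0)
    if len(buf) < 4 + count * ROW_SIZE:
        raise ValueError("buffer shorter than dwNumEntries implies")
    routes = []
    for i in range(count):
        f = struct.unpack_from(ROW_FMT, buf, 4 + i * ROW_SIZE)
        routes.append({
            "destination": str(ipaddress.IPv4Address(f[0])),
            "mask": str(ipaddress.IPv4Address(f[1])),
            "policy": f[2],
            "next_hop": str(ipaddress.IPv4Address(f[3])),
            "adapter": f[4],
            "type_id": f[5], "type": ROUTE_TYPE.get(f[5], f"Unknown({f[5]})"),
            "proto_id": f[6], "protocol": ROUTE_PROTO.get(f[6], f"Unknown({f[6]})"),
            "age": f[7],
            "metric": f[9],  # dwForwardMetric1
        })
    return routes


def triage_routes(routes):
    """Heuristics an investigator would apply to a parsed table; returns findings."""
    findings = []
    defaults = [r for r in routes if r["destination"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if len(defaults) > 1:
        findings.append("multiple default routes via " + ", ".join(r["next_hop"] for r in defaults))
    default_gateways = {r["next_hop"] for r in defaults}

    # Connected subnets are the Direct (on-link) routes. An Indirect route whose
    # next hop is not inside one of them cannot actually forward traffic.
    connected = [ipaddress.IPv4Network((r["destination"], r["mask"]), strict=False)
                 for r in routes if r["type_id"] == 3 and r["mask"] != "255.255.255.255"]
    for r in routes:
        if r["type_id"] != 4:
            continue
        net = ipaddress.IPv4Network((r["destination"], r["mask"]), strict=False)
        hop = ipaddress.IPv4Address(r["next_hop"])
        if not any(hop in c for c in connected):
            findings.append(f"next hop {hop} for {net} is not on any connected subnet")
        if r["proto_id"] not in STATIC_PROTOS:
            continue
        if net.prefixlen == 32:
            findings.append(f"static host route to {net.network_address} via {hop} (adapter {r['adapter']})")
        elif 0 < net.prefixlen < 32 and any(net.subnet_of(p) for p in RFC1918) \
                and r["next_hop"] not in default_gateways:
            findings.append(f"static route to private range {net} via {hop}, which is not a default gateway")
    return findings


def pack_row(dest, mask, next_hop, if_index, rtype, proto, age=0, metric=1):
    """Build one MIB_IPFORWARDROW; used here only to construct the sample buffer."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ROW_FMT, p(dest), p(mask), 0, p(next_hop),
                       if_index, rtype, proto, age, 0, metric, 0, 0, 0, 0)


# Constructed sample: LAN adapter 12, VPN adapter 23 (hypothetical host).
SAMPLE_ROWS = [
    pack_row("0.0.0.0", "0.0.0.0", "192.168.1.1", 12, 4, 3, age=3600, metric=25),  # LAN default route
    pack_row("192.168.1.0", "255.255.255.0", "192.168.1.50", 12, 3, 2),           # LAN on-link
    pack_row("127.0.0.0", "255.0.0.0", "127.0.0.1", 1, 3, 2),                      # loopback
    pack_row("10.8.0.0", "255.255.255.0", "10.8.0.6", 23, 3, 2),                   # VPN tunnel on-link
    pack_row("0.0.0.0", "0.0.0.0", "10.8.0.1", 23, 4, 3, metric=1),                # second default route pushed by VPN
    pack_row("203.0.113.7", "255.255.255.255", "192.168.1.254", 12, 4, 10006),     # static host route
    pack_row("172.16.0.0", "255.255.0.0", "192.168.1.200", 12, 4, 10006),          # static route via a non-gateway
    pack_row("198.51.100.0", "255.255.255.0", "10.99.0.1", 12, 4, 10006),          # next hop not reachable
]
SAMPLE_TABLE = struct.pack("<I", len(SAMPLE_ROWS)) + b"".join(SAMPLE_ROWS)

if __name__ == "__main__":
    parsed = parse_forward_table(SAMPLE_TABLE)
    for r in parsed:
        print(f"{r['destination']:>15}/{r['mask']:<15} via {r['next_hop']:<15} "
              f"if {r['adapter']:<3} {r['type']:<8} {r['protocol']:<10} age {r['age']}")
    for finding in triage_routes(parsed):
        print("FINDING:", finding)
```

Run against the constructed table, the script reports the duplicate default route (expected for a full-tunnel VPN, worth confirming otherwise), the static host route, the private-range route through a gateway that is not a default gateway, and the route whose next hop is on no connected subnet. On a real collection, feed the parsed records from the Investigation Hub into triage_routes and review the findings against the host's expected topology rather than treating them as verdicts.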