S0103: route
Analyst context for executives and security teams
route is a legitimate administration utility that can view or modify a local system’s IP routing table. In ATT&CK, its defensive significance is not that the tool is malicious, but that routing-table discovery can help an adversary understand network paths after gaining access. Because the object has no ATT&CK-provided detection text or platform scope, organizations should treat it as a coverage-validation item rather than a standalone alert condition.
Executive priority
Ask whether SOC and incident response teams can prove when routing information is queried or changed on important systems, especially where network segmentation, healthcare operations, or sensitive business environments matter. The relationship context shows use by named threat groups and a link to System Network Configuration Discovery, so this should inform detection engineering and response playbooks, but not be treated as evidence of compromise by itself.
Technical view
Validate monitoring around execution or equivalent use of route and around changes to local IP routing tables. Tie detections to the ATT&CK relationship with System Network Configuration Discovery, and prioritize context: unusual user, unusual host, suspicious parent process, remote session, sequence with other discovery commands, or routing changes near intrusion-response timelines. Because ATT&CK provides no official detection guidance and no platform list for this software object, local baselining is required.
Likely telemetry
- Process execution records for route or functionally equivalent routing-table utilities where available
- Command-line arguments showing route-table queries or modifications
- Operating system or endpoint logs that record network configuration changes
- EDR telemetry linking parent process, user, host, and session context
- Change-management or administrative activity records for authorized routing changes
Detection direction
- Do not alert on route usage alone without context; it is a legitimate administrative utility.
- Baseline expected administrative use and tune for unusual accounts, hosts, timing, parent processes, or remote execution context.
- Differentiate read-only discovery from routing-table modification where telemetry permits.
- Correlate with other discovery behavior associated with System Network Configuration Discovery rather than treating this object in isolation.
- Review visibility gaps: many environments collect process starts but not command-line detail or routing-table change evidence.
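As an added example (not part of the ATT&CK object or the Glexia analysis), the following Python triage logic applies the detection direction above to constructed process-execution events: it classifies each route invocation as read-only or table-modifying, flags a parent process outside an assumed approved-tooling set, and counts nearby System Network Configuration Discovery commands from the same host and user. The event field names, the approved-parent set and the five-minute correlation window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-execution events (not real telemetry); field names are assumed.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "srv01", "user": "netadmin", "parent": "mmc.exe",
     "cmd": "route add 10.20.0.0 mask 255.255.0.0 10.0.0.1"},
    {"ts": "2024-05-01T13:10:02", "host": "ws17", "user": "jdoe", "parent": "winword.exe",
     "cmd": "route print"},
    {"ts": "2024-05-01T13:10:09", "host": "ws17", "user": "jdoe", "parent": "winword.exe",
     "cmd": "ipconfig /all"},
    {"ts": "2024-05-01T13:10:15", "host": "ws17", "user": "jdoe", "parent": "winword.exe",
     "cmd": "arp -a"},
    {"ts": "2024-05-02T02:30:00", "host": "srv01", "user": "svc_backup", "parent": "cmd.exe",
     "cmd": "route -n"},
]
MODIFY_VERBS = {"add", "delete", "del", "change"}   # route subcommands that alter the table
# Other System Network Configuration Discovery (T1016) commands worth correlating with.
DISCOVERY_RE = re.compile(r"^(ipconfig|ifconfig|arp|netstat|nbtstat)\b", re.I)
ADMIN_PARENTS = {"mmc.exe", "powershell.exe", "bash", "sshd"}  # assumed approved admin tooling
CORRELATION_WINDOW = timedelta(minutes=5)               # assumed clustering window

def classify_route(cmd):
    """Return 'modify', 'read', or None when the command is not route at all."""
    parts = cmd.split()
    if not parts or parts[0].lower() not in ("route", "route.exe"):
        return None
    return "modify" if {p.lower() for p in parts[1:]} & MODIFY_VERBS else "read"

def triage(events):
    """Attach context flags to each route event; the command name alone never raises a flag."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)
    findings = []
    for e in events:
        kind = classify_route(e["cmd"])
        if kind is None:
            continue
        flags = ["routing_table_modified"] if kind == "modify" else []
        if e["parent"].lower() not in ADMIN_PARENTS:
            flags.append("unusual_parent:" + e["parent"])
        t0 = datetime.fromisoformat(e["ts"])
        peers = [p for p in by_key[(e["host"], e["user"])] if DISCOVERY_RE.match(p["cmd"])
                 and abs(datetime.fromisoformat(p["ts"]) - t0) <= CORRELATION_WINDOW]
        if peers:
            flags.append("discovery_cluster:%d" % len(peers))
        findings.append({"ts": e["ts"], "host": e["host"], "kind": kind, "flags": flags})
    return findings
```

Running `triage(EVENTS)` leaves the admin's change with only the modification flag, while the Word-spawned `route print` collects both an unusual-parent flag and a two-command discovery cluster.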
Mitigation priorities
- Ensure endpoint and system logging can capture relevant process execution and network configuration changes on systems where this utility or equivalent capability exists.
- Restrict routing-table modification privileges to authorized administrators through standard access control and change-management practices.
- Use incident response procedures to preserve command history, process telemetry, and configuration state when route activity is observed in suspicious timelines.
- Document approved administrative patterns so SOC teams can separate normal operations from investigation-worthy behavior.
- Use the relationship to System Network Configuration Discovery to validate broader discovery-detection coverage, not just one command name.
Analyst notes and limits
ATT&CK identifies route as software that can find or change information in the local IP routing table. Relationship context states that Lazarus Group and Orangeworm use this object, and that the object is associated with System Network Configuration Discovery. These relationships increase analytic relevance, but they do not make any single route event attributable to those groups.
The supplied ATT&CK object does not specify platforms, tactics, aliases, labels, or official detection guidance. Any environment-specific platform assumptions, detection logic, severity, or exposure assessment must come from local telemetry, asset inventory, and administrative baselines.
route
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | route can be used to discover routing configuration information. |
Groups, software, and campaigns
G0071: Orangeworm
Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.[1] Reverse engineering of Kwampirs, directly associated with Orangeworm activity, indicates significant functional and development overlaps with Shamoon.[2]
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b766248547be… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TechNet Route: Microsoft. (n.d.). Route. Retrieved April 17, 2016.
- [2] mitre-attack S0103
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.