T1018: Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view (a subcommand of the Net utility).

Adversaries may also analyze data from local host files (e.g. C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local ARP cache entries) in order to discover the presence of remote systems in an environment without generating any network traffic.

Adversaries may also target discovery of network infrastructure, and may leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
pt_application_firewall: PT-CR-638: Web_Searching_Non_Existent_Artifacts: A failed attempt to get a service artifact
oracle_database: PT-CR-283: Oracle_Listener_Instance_Guessing: A potential attempt to guess an Oracle DBMS instance
pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software
microsoft_mecm: PT-CR-1855: MECM_Discovery_Via_LDAP: Performing an LDAP query to search for information about MECM clients on the network
microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients
mitre_attck_discovery: PT-CR-1081: Domain_Dump_Tools_Via_LDAP: Information is dumped from a domain controller
mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to retrieve information about domains, domain and local groups, and users is detected
mitre_attck_discovery: PT-CR-321: Domain_Controllers_Discovery: An attempt to retrieve a list of domain controllers is detected
mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump
mitre_attck_discovery: PT-CR-2551: NetView_Recon: An attempt to obtain the list of available computers in the current domain. On the attacker's host, this is usually done by an active process loading the browcli.dll library, followed by connections to many different hosts on behalf of the "anonymous logon" account. Such activity is typical, for example, of the NetView BOF for Cobalt Strike
mitre_attck_discovery: PT-CR-76: Computer_Object_Ldap_Request: Dump of objects of the "computer" type from Active Directory
freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain
freeipa: PT-CR-2146: FreeIPA_Recon_Commands: Commands typically used for reconnaissance were executed in the FreeIPA domain
apache_cassandra_database: PT-CR-2090: Apache_Cassandra_Structure_Discovery: An SQL command was executed. This may indicate reconnaissance of the internal structure of the Apache Cassandra database
active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on
active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: Creating a snapshot of the Active Directory structure. This may indicate reconnaissance of the Active Directory structure. An attacker can use the data obtained to form an attack vector and escalate privileges
active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed a suspicious LDAP request that may indicate reconnaissance in the domain
hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack
hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected
hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected
hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession (for example, a burst of ping.exe launches against consecutive addresses of the same subnet from one user session). A single ping by an administrator troubleshooting a host is normal; a dozen launches within a minute from a workstation is not.
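The "quick succession" condition above is what separates discovery from ordinary troubleshooting, so a detection should count launches per actor inside a sliding time window rather than fire on every ping.exe. The following is an added example written for this page (it is not code from the original page or from MaxPatrol SIEM); it runs over constructed process-creation records of the kind a Security 4688 or Sysmon Event ID 1 feed would provide, and the image list, window and threshold are assumptions to tune per environment:

```python
"""Added example, not code from the original page or from MaxPatrol SIEM:
flag actors that launch remote-system discovery tools in quick succession,
working from process-creation records (Windows Security 4688, Sysmon Event ID 1).
All event records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Images whose execution enumerates other systems (assumed list for T1018).
DISCOVERY_IMAGES = {"ping.exe", "tracert.exe", "nbtstat.exe", "arp.exe"}

# Constructed events: (timestamp, host, user, image, command line).
EVENTS = [
    ("2024-05-01T10:00:00", "WS-01", "CORP\\jdoe", "ping.exe", "ping -n 1 -w 200 10.0.0.1"),
    ("2024-05-01T10:00:01", "WS-01", "CORP\\jdoe", "ping.exe", "ping -n 1 -w 200 10.0.0.2"),
    ("2024-05-01T10:00:02", "WS-01", "CORP\\jdoe", "ping.exe", "ping -n 1 -w 200 10.0.0.3"),
    ("2024-05-01T10:00:02", "WS-01", "CORP\\jdoe", "notepad.exe", "notepad.exe"),
    ("2024-05-01T10:00:03", "WS-01", "CORP\\jdoe", "ping.exe", "ping -n 1 -w 200 10.0.0.4"),
    ("2024-05-01T10:00:04", "WS-01", "CORP\\jdoe", "tracert.exe", "tracert -d 10.0.0.5"),
    ("2024-05-01T10:00:05", "WS-01", "CORP\\jdoe", "ping.exe", "ping -n 1 -w 200 10.0.0.6"),
    # An admin checking two hosts ten minutes apart: ordinary troubleshooting.
    ("2024-05-01T11:00:00", "WS-02", "CORP\\admin", "ping.exe", "ping fileserver01"),
    ("2024-05-01T11:10:00", "WS-02", "CORP\\admin", "ping.exe", "ping dc01"),
]


def target_of(cmdline: str) -> str:
    """Return the last argument, which for ping/tracert is the probed host."""
    return cmdline.split()[-1]


def detect_bursts(events, window_seconds: int = 60, threshold: int = 5):
    """Return one alert per (host, user) whose discovery-tool launches reach
    `threshold` inside any sliding window of `window_seconds`."""
    by_actor = defaultdict(list)
    for ts, host, user, image, cmdline in events:
        if image.lower() in DISCOVERY_IMAGES:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), image, cmdline))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (host, user), recs in by_actor.items():
        recs.sort()
        best, left = None, 0
        for right in range(len(recs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while recs[right][0] - recs[left][0] > window:
                left += 1
            span = recs[left:right + 1]
            if len(span) >= threshold and (best is None or len(span) > len(best)):
                best = span
        if best:
            alerts.append({
                "host": host,
                "user": user,
                "count": len(best),
                "targets": sorted({target_of(c) for _, _, c in best}),
                "images": sorted({i for _, i, _ in best}),
                "start": best[0][0].isoformat(),
                "end": best[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(EVENTS):
        print(f"{a['host']} {a['user']}: {a['count']} launches of {a['images']} "
              f"between {a['start']} and {a['end']}, targets {a['targets']}")
```

Keying the window on (host, user) rather than on the host alone keeps a scripted sweep by one account from being diluted by other sessions on a terminal server; the distinct target list in the alert is what an analyst needs to tell a subnet sweep from one host pinged six times.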

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Windows PowerShell log Event ID 4104 (Microsoft-Windows-PowerShell/Operational, script block logging) captures PowerShell script block contents, which may include commands used as a precursor to RDP Hijacking. For example, the following PowerView command in a script block may be used to enumerate the systems on a network that have RDP access: Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName. Note that 4104 events are only produced when script block logging is enabled (through Group Policy or the EnableScriptBlockLogging registry value); without it, only the process creation of powershell.exe is visible.
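The command-line and script-block sources above all reduce to the same question: does the executed text contain a known remote-system discovery command? The following added example (written for this page, not code from the original page or from MaxPatrol SIEM) matches constructed 4688 command lines, 4104 script blocks and network-device AAA command records against a small indicator list, and escalates an actor who trips several different indicators. The indicator patterns and the three-indicator escalation threshold are assumptions:

```python
"""Added example, not code from the original page or from MaxPatrol SIEM:
match executed command lines (Security 4688 / Sysmon 1), PowerShell script
blocks (4104) and network-device AAA command records against indicators of
remote-system discovery. The event records are constructed for this example."""
import re
from collections import defaultdict

# (indicator name, pattern); patterns are matched case-insensitively.
INDICATORS = [
    # Built-in Windows tools: "net view" (net.exe hands the verb to net1.exe).
    ("net_view", r'\bnet1?(?:\.exe)?"?\s+view\b'),
    ("arp_cache", r'\barp(?:\.exe)?"?\s+-a\b'),
    ("nltest_dclist", r'\bnltest(?:\.exe)?"?\s+/dclist\b'),
    # PowerView cmdlets used to enumerate computers, DCs and RDP access.
    ("powerview_cmdlet", r'\b(?:Get-DomainComputer|Get-NetComputer|Get-DomainController|'
                         r'Find-DomainLocalGroupMember|Find-LocalAdminAccess)\b'),
    # Network device CLI neighbour and ARP tables (Cisco IOS style).
    ("netdev_show", r'\bshow\s+(?:cdp\s+neighbors|lldp\s+neighbors|ip\s+arp|arp)\b'),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in INDICATORS]

# Constructed events: (source, actor, executed text).
EVENTS = [
    ("4688", "CORP\\jdoe@WS-01", r'"C:\Windows\system32\net1.exe" view /domain:CORP'),
    ("4104", "CORP\\jdoe@WS-01",
     'Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName'),
    ("4104", "CORP\\svc-backup@SRV-02", "Get-Service -Name Spooler | Restart-Service"),
    ("4688", "CORP\\jdoe@WS-01", "arp -a"),
    ("4688", "CORP\\jdoe@WS-01", "nltest /dclist:corp.local"),
    ("4104", "CORP\\jdoe@WS-01", "get-domaincomputer -ping | select dnshostname"),
    ("aaa", "netops@core-sw-01", "show cdp neighbors detail"),
    ("4688", "CORP\\admin@WS-02", r'"C:\Windows\system32\ipconfig.exe" /all'),
]


def match_discovery(text: str):
    """Names of every indicator whose pattern occurs in the executed text."""
    return [name for name, rx in COMPILED if rx.search(text)]


def scan(events):
    """One hit per event that matches at least one indicator."""
    hits = []
    for source, actor, text in events:
        found = match_discovery(text)
        if found:
            hits.append({"source": source, "actor": actor, "indicators": found, "text": text})
    return hits


def escalate(hits, min_indicators: int = 3):
    """Actors that tripped at least `min_indicators` distinct indicators:
    one discovery command is routine, several different ones in a row is recon."""
    per_actor = defaultdict(set)
    for h in hits:
        per_actor[h["actor"]].update(h["indicators"])
    return {actor: sorted(ind) for actor, ind in per_actor.items() if len(ind) >= min_indicators}


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print(f"[{h['source']}] {h['actor']}: {h['indicators']} <- {h['text']}")
    for actor, ind in escalate(found).items():
        print(f"ESCALATE {actor}: {len(ind)} distinct discovery indicators {ind}")
```

Matching the 4104 script block text rather than the powershell.exe command line is what catches the PowerView call: a script block loaded from a file or a downloaded module never appears in the process command line. The patterns allow the quoted full path that 4688 records (`"C:\Windows\system32\net1.exe" view`) as well as the bare command, and are case-insensitive because PowerShell cmdlet names are.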

ID: DS0022
Data source and component: File: File Access
Description:

Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

For Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\Windows\System32\Drivers\etc\hosts. The event is only generated when the Audit File System subcategory is enabled and a SACL requesting auditing of read access has been placed on the file itself; neither is on by default.

For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.
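A watch on /etc/hosts produces several raw auditd records per read (SYSCALL, CWD, PATH) that share one serial number, and the DNS resolver reads the file constantly, so the useful alert is "who read it, minus the processes that always do". The following added example (written for this page, not code from the original page or from auditd itself) parses constructed audit.log lines, joins them by serial, and reports the reading process. The watch rule `-w /etc/hosts -p r -k hosts_read` that would produce these records and the allowlist of expected readers are assumptions:

```python
"""Added example, not code from the original page: parse raw auditd records
produced by a watch on /etc/hosts and report which process read the file,
ignoring processes that are expected to read it. The log lines are constructed
for this example; the watch rule that would produce them is
    -w /etc/hosts -p r -k hosts_read
(loaded with auditctl or placed in a file under /etc/audit/rules.d/)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# auditd writes fields as key=value, with values either quoted or bare.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

# Processes that legitimately read /etc/hosts all the time (assumed allowlist).
EXPECTED_READERS = {"/usr/lib/systemd/systemd-resolved", "/usr/sbin/nscd"}

# Constructed audit.log excerpt: one read by an interactive user (cat), one by
# systemd-resolved, and one unrelated event caught by a different rule key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1714557600.101:2001): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="hosts_read"
type=CWD msg=audit(1714557600.101:2001): cwd="/home/jdoe"
type=PATH msg=audit(1714557600.101:2001): item=0 name="/etc/hosts" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1714557601.500:2002): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd-resolve" exe="/usr/lib/systemd/systemd-resolved" key="hosts_read"
type=PATH msg=audit(1714557601.500:2002): item=0 name="/etc/hosts" inode=131 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1714557602.000:2003): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=700 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
type=PATH msg=audit(1714557602.000:2003): item=0 name="/etc/ssh/sshd_config" inode=900 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""


def parse_events(lines):
    """Join the raw records of one audit event (same serial) into one dict."""
    events = defaultdict(lambda: {"time": None, "fields": {}, "paths": []})
    for line in lines:
        m = SERIAL.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        ev["time"] = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc).isoformat()
        fields = {k: v[1:-1] if v.startswith('"') else v for k, v in FIELD.findall(line)}
        if fields.get("type") == "PATH":
            ev["paths"].append(fields.get("name"))
        else:
            ev["fields"].update(fields)
    return events


def hosts_file_reads(lines, expected=EXPECTED_READERS):
    """Reads of /etc/hosts tagged by the watch rule, minus expected readers."""
    alerts = []
    for serial, ev in parse_events(lines).items():
        f = ev["fields"]
        if f.get("key") != "hosts_read" or "/etc/hosts" not in ev["paths"]:
            continue
        if f.get("exe") in expected:
            continue
        # auid 4294967295 is the kernel's "unset" value (daemons, not a login session).
        auid = "unset" if f.get("auid") == "4294967295" else f.get("auid")
        alerts.append({"serial": serial, "time": ev["time"], "pid": f.get("pid"),
                       "auid": auid, "uid": f.get("uid"), "comm": f.get("comm"),
                       "exe": f.get("exe"), "cwd": f.get("cwd")})
    return alerts


if __name__ == "__main__":
    for a in hosts_file_reads(SAMPLE_LOG.splitlines()):
        print(f"{a['time']} /etc/hosts read by {a['exe']} (pid {a['pid']}, "
              f"login uid {a['auid']}, cwd {a['cwd']})")
```

The audit user ID (auid) is the field worth keeping: it survives su and sudo, so it names the account that logged in even when the read happens as root. An allowlist keyed on the full exe path, not on comm, is deliberate because comm is the first 16 bytes of the process name and is trivially chosen by the attacker.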

ID: DS0029
Data source and component: Network Traffic: Network Connection Creation
Description:

Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
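On the wire a ping sweep or port sweep looks like one source reaching many distinct addresses in the same subnet within seconds, which is also the pattern PT NAD's SharpHound rule above keys on for ports 389 and 445. The following added example (written for this page, not code from the original page or from PT NAD) counts distinct destinations per source, destination /24 and service inside a sliding window, over constructed flow records of the kind Sysmon Event ID 3, firewall logs or NetFlow provide. The /24 grouping, the 60-second window and the eight-host threshold are assumptions:

```python
"""Added example, not code from the original page or from PT NAD: find a host
that reaches many different addresses in one subnet within a short window,
the shape of a ping sweep (ICMP) or a port sweep (one TCP port, many hosts)
in connection records such as Sysmon Event ID 3, firewall logs or NetFlow.
The flow records are constructed for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed flows: (timestamp, src, dst, proto, dst port or None for ICMP)."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    for i in range(1, 13):   # ICMP echo to 12 hosts of 10.0.0.0/24 in 12 seconds
        flows.append((base + timedelta(seconds=i), "10.0.5.20", f"10.0.0.{i}", "icmp", None))
    for i in range(1, 9):    # SMB probes to 8 hosts of 10.0.1.0/24
        flows.append((base + timedelta(seconds=30 + i), "10.0.5.20", f"10.0.1.{i}", "tcp", 445))
    for i in range(3):       # ordinary traffic: few destinations, reached repeatedly
        flows.append((base + timedelta(seconds=i), "10.0.5.30", "10.0.0.10", "tcp", 443))
    flows.append((base + timedelta(seconds=5), "10.0.5.30", "10.0.0.11", "tcp", 443))
    return flows


def detect_sweeps(flows, window_seconds=60, min_hosts=8, prefix=24):
    """Return one alert per (source, destination subnet, service) whose distinct
    destination count reaches min_hosts inside a sliding window."""
    groups = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        subnet = str(ipaddress.ip_network(f"{dst}/{prefix}", strict=False))
        service = "icmp" if port is None else f"{proto}/{port}"
        groups[(src, subnet, service)].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, subnet, service), recs in groups.items():
        recs.sort()
        best, left = set(), 0
        for right in range(len(recs)):
            # Drop records that fell out of the window, then count distinct targets.
            while recs[right][0] - recs[left][0] > window:
                left += 1
            seen = {dst for _, dst in recs[left:right + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_hosts:
            alerts.append({"src": src, "subnet": subnet, "service": service,
                           "hosts": sorted(best, key=ipaddress.ip_address)})
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(build_sample_flows()):
        print(f"{a['src']} swept {len(a['hosts'])} hosts in {a['subnet']} via {a['service']}: "
              f"{a['hosts'][0]} .. {a['hosts'][-1]}")
```

Counting distinct destinations rather than connections is what keeps the workstation that opens 200 connections to one web server out of the alert; grouping by service separately flags a sweep of port 445 even when the same source also generates ordinary traffic to other ports in that subnet.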