Technique on mitre.org

T1018: Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.

Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_nad: PT-CR-738: NAD_Sharphound: PT NAD detected network scanning using the SharpHound or BloodHound software web_servers_abnormal_activity: PT-CR-638: Web_Searching_Non_Existent_Artifacts: A failed attempt to get a service artifact hacking_tools: PT-CR-599: Subrule_Sharphound_Server_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-596: Sharphound_Client_Side: Possible use of the SharpHound or BloodHound software is detected hacking_tools: PT-CR-1790: MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack hacking_tools: PT-CR-597: Sharphound_Server_Side: Possible network scanning with the SharpHound or BloodHound software is detected hacking_tools: PT-CR-598: Subrule_Sharphound_Client_Side: Network access to ports 389 and 445 is detected unix_mitre_attck_discovery: PT-CR-1789: Unix_MsLDAPDump_Usage: Attackers can download information from AD and use it to progress the attack apache_cassandra_database: PT-CR-2090: Apache_Cassandra_Structure_Discovery: An SQL command was executed. This may indicate a reconnaissance attack in the internal structure of the Apache Cassandra database. oracle_database: PT-CR-283: Oracle_Listener_Instance_Guessing: A potential attempt to guess an Oracle DBMS instance mitre_attck_discovery: PT-CR-2551: NetView_Recon: Attempt to obtain the list of available computers in the current domain. On the attacker's host, this is usually done by loading the browcli.dll library by an active process, followed by connections to many different hosts on behalf of the "anonymous logon" account. For example, such activity is typical for BOF NetView for Cobalt Strike. mitre_attck_discovery: PT-CR-76: Computer_Object_Ldap_Request: Dump of objects of the "computer" type from Active Directory mitre_attck_discovery: PT-CR-321: Domain_Controllers_Discovery: An attempt to retrieve a list of domain controllers is detected mitre_attck_discovery: PT-CR-1081: Domain_Dump_Tools_Via_LDAP: Information is uploaded from a domain controller mitre_attck_discovery: PT-CR-1378: PowerView_Recon: Running scripts from the PowerView toolkit used to receive information about domains, domain and local groups, and users is detected mitre_attck_discovery: PT-CR-1083: Ldapdomaindump_Queries: Active Directory information is dumped using ldapdomaindump active_directory_attacks: PT-CR-1341: ActiveDirectory_Data_Collection: An LDAP query to collect domain information was executed using the AD Explorer or SharpHound utility. Attackers use these utilities to collect information about domain computers, users, groups, and so on. active_directory_attacks: PT-CR-827: Active_Directory_Snapshot: Creating a snapshot of the Active Directory structure. This may indicate that intelligence is being conducted in the Active Directory structure. An attacker can use the data obtained to form an attack vector and increase privileges active_directory_attacks: PT-CR-2550: LDAP_Discovery: A user executed suspicious LDAP requests that may indicate reconnaissance in the domain microsoft_mecm: PT-CR-1855: MECM_Discovery_Via_LDAP: Performing an LDAP query to search for information about MECM clients on the network microsoft_mecm: PT-CR-1860: MECM_SharpSCCM: Using SharpSCCM to search for sensitive information about MECM clients freeipa: PT-CR-2146: FreeIPA_Recon_Commands: Commands typically used for reconnaissance were executed in the FreeIPA domain freeipa: PT-CR-2144: FreeIPA_Suspicious_LDAP_Request: LDAP request to a sensitive attribute in the FreeIPA domain microsoft_hyperv: PT-CR-2872: HyperV_VM_Enumeration: Enumerating virtual machines in Hyper-V to determine their names and configurations

Detection

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP Hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: `Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" \| select -expand ComputerName`.

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.

ID	DS0022	Data source and component	File: File Access	Description	Monitor for files (such as `/etc/hosts`) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\Windows\System32\Drivers\etc\hosts. For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.

ID	DS0009	Data source and component	Process: Process Creation	Description	Monitor for newly executed processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.

ID	Data source and component	Description
DS0017	Command: Command Execution	Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. Windows PowerShell log Event ID 4104 (PS script execution) can be used to capture PowerShell script block contents which may contain commands used as a precursor to RDP Hijacking. For example, the following command in a PowerShell script block may be used to enumerate the systems on a network which have RDP access: `Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" \| select -expand ComputerName`.
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
DS0022	File: File Access	Monitor for files (such as `/etc/hosts`) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For Windows, Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on access attempts of local files that store host data, including C:\Windows\System32\Drivers\etc\hosts. For Linux, auditing frameworks such as the audit daemon (auditd) can be used to alert on access attempts of local files that store host data, including /etc/hosts.
DS0009	Process: Process Creation	Monitor for newly executed processes that can be used to discover remote systems, such as `ping.exe` and `tracert.exe`, especially when executed in quick succession.