Keypoints
- Adversaries use built-in OS utilities like ipconfig/ifconfig and arp to enumerate IP and MAC addresses quickly.
- Network device CLIs (e.g., show ip route, show ip interface) reveal interface and routing details useful for network mapping.
- ESXi hosts can be probed with esxcli commands (network nic list, network ip interface ipv4 get) to obtain virtual host network info.
- Monitoring command-line arguments and process creation events helps detect automated discovery and remote access tooling behavior.
- Discovery activity often precedes lateral movement; correlate network discovery with subsequent access attempts to prioritize response.
Description:
- Like a burglar studying a building's floor plan and doors before moving inside, attackers map IPs, MACs and routes to plan how to navigate to and reach valuable systems.
- System Network Configuration Discovery uses native OS and device tools (ipconfig/ifconfig, arp, route, nbtstat; show ip route and show ip interface on network devices; esxcli network commands on ESXi) to list interfaces, addresses and routes. This lets adversaries determine reachable subnets and hosts, potential pivot points, and which network paths to take next, enabling targeted lateral movement. The same information can also be gathered through OS API calls rather than command-line utilities, which is why OS API execution appears among the data sources below.
Detection:
- Log and alert on execution of common utilities (ipconfig, ifconfig, arp, route, nbtstat) using command execution and process creation telemetry; create signatures for suspicious argument patterns.
- Monitor CLI sessions on network devices for unexpected commands (show ip route, show ip interface) and for unusual source IPs or user accounts; forward device logs (syslog, AAA command accounting) to the SIEM and alert on show commands issued from sources other than approved jump hosts or by accounts outside the network operations group.
- Capture esxcli usage on ESXi hosts (the ESXi Shell log, /var/log/shell.log, records commands run in local and SSH shell sessions) and centralize host and vCenter audit logs; alert on esxcli network nic list or esxcli network ip interface ipv4 get issued from unexpected accounts or source addresses. Since SSH and the ESXi Shell are disabled by default, their being enabled on a host is itself worth alerting on.
- Instrument PowerShell and WMI logging: enable Script Block Logging and Module Logging, and collect WMI activity tracing, to detect scripted discovery (for example Get-NetIPConfiguration, Get-NetRoute or Win32_NetworkAdapterConfiguration queries) performed by remote tools. Discovery done directly through OS APIs leaves no command line at all, so EDR telemetry for OS API execution is needed to cover that case.
- Correlate discovery commands with subsequent lateral movement indicators (SMB sessions, RDP, remote execution) to reduce false positives and identify attack chains.
- Watch for anomalous timing and volume of discovery commands (e.g., rapid scans across many hosts) using baselining and rate-based alerts to detect automated reconnaissance.
- Be aware of benign administrative activity causing false positives; implement allowlists for scheduled admin scripts, require privileged sessions through jump hosts, and validate unusual activity with asset owner or change logs before escalation.
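The detection bullets above, as an added, runnable example that is not part of the ATT&CK page: the script below tags process-creation (and network-device command-accounting) events that run the utilities named in the technique, raises an alert when one host/user runs several distinct discovery tools inside a short window (the rate-based heuristic), suppresses an allowlisted scheduled admin account while still recording it, and marks alerts that are followed by a lateral-movement indicator (an admin-share connection or a type 3 network logon) so those are triaged first. Every event, host name, account and threshold is constructed for illustration.

```python
"""Added example (not from the ATT&CK page): flag T1016 discovery in
process-creation telemetry, alert on bursts of distinct tools from one
host/user, suppress allowlisted admin jobs, and correlate with follow-on
lateral-movement indicators. All events and thresholds are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Utilities named in the technique description; image paths are stripped first,
# so "C:\Windows\System32\arp.exe -a" and "arp -a" both hit the "arp" rule.
DISCOVERY_PATTERNS = [
    ("ipconfig", re.compile(r"^ipconfig(?:\.exe)?(?:\s|$)", re.I)),
    ("ifconfig", re.compile(r"^ifconfig(?:\s|$)")),
    ("ip",       re.compile(r"^ip\s+(?:-\S+\s+)*(?:a|addr|address|r|route|n|neigh)(?:\s|$)")),
    ("arp",      re.compile(r"^arp(?:\.exe)?\s+-a(?:\s|$)", re.I)),
    ("route",    re.compile(r"^route(?:\.exe)?\s+(?:print|-n)(?:\s|$)", re.I)),
    ("nbtstat",  re.compile(r"^nbtstat(?:\.exe)?\s+-[ncrsa]", re.I)),
    ("esxcli",   re.compile(r"^esxcli\s+network\s+(?:nic\s+list|ip\s+interface\s+ipv4\s+get)(?:\s|$)")),
    ("netdev",   re.compile(r"^show\s+ip\s+(?:route|interface)(?:\s|$)", re.I)),  # AAA/syslog command accounting
]
# Follow-on indicators the page lists: SMB sessions, RDP, remote execution.
LATERAL_PATTERNS = [
    ("smb_admin_share", re.compile(r"^net(?:\.exe)?\s+use\s+\\\\", re.I)),
    ("wmic_remote",     re.compile(r"^wmic(?:\.exe)?\s+/node:", re.I)),
    ("psexec",          re.compile(r"^psexec(?:64)?(?:\.exe)?\s", re.I)),
    ("rdp_client",      re.compile(r"^mstsc(?:\.exe)?(?:\s|$)", re.I)),
]

@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "process" (command execution) or "logon" (network logon)
    detail: str  # command line, or "type=<n> src=<ip>" for a logon

def normalise(cmdline: str) -> str:
    """Drop the image directory: 'C:\\W\\arp.exe -a' -> 'arp.exe -a' (assumes an unquoted image path)."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return ""
    image = re.split(r"[\\/]", parts[0])[-1]
    return image if len(parts) == 1 else f"{image} {parts[1]}"

def classify_discovery(cmdline: str) -> Optional[str]:
    norm = normalise(cmdline)
    return next((name for name, pat in DISCOVERY_PATTERNS if pat.search(norm)), None)

def classify_lateral(ev: Event) -> Optional[str]:
    if ev.kind == "logon":  # Windows 4624 type 3 (network) or 10 (RemoteInteractive)
        return "network_logon" if re.search(r"\btype=(?:3|10)\b", ev.detail) else None
    norm = normalise(ev.detail)
    return next((name for name, pat in LATERAL_PATTERNS if pat.search(norm)), None)

def detect_bursts(events, window=timedelta(minutes=5), min_distinct=3, allowlist=frozenset()):
    """One alert per (host, user) that runs >= min_distinct different discovery
    tools inside `window`. Allowlisted (host, user) pairs are kept but flagged
    suppressed so the suppression itself can be reviewed."""
    hits = defaultdict(list)
    for ev in events:
        tool = classify_discovery(ev.detail) if ev.kind == "process" else None
        if tool:
            hits[(ev.host, ev.user)].append((ev.ts, tool, ev.detail))
    alerts = []
    for (host, user), items in hits.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):          # sliding time window over sorted hits
            while items[end][0] - items[start][0] > window:
                start += 1
            tools = {t for _, t, _ in items[start:end + 1]}
            if len(tools) >= min_distinct and (best is None or len(tools) > len(best["tools"])):
                best = {"host": host, "user": user, "first_seen": items[start][0],
                        "last_seen": items[end][0], "tools": sorted(tools),
                        "commands": [c for _, _, c in items[start:end + 1]],
                        "suppressed": (host, user) in allowlist, "lateral_movement": []}
        if best:
            alerts.append(best)
    return alerts

def correlate_lateral(alerts, events, window=timedelta(minutes=30)):
    """Attach lateral-movement indicators from the same host/user seen within
    `window` after the burst began; these alerts are triaged first."""
    for a in alerts:
        for ev in events:
            if (ev.host, ev.user) == (a["host"], a["user"]) and a["first_seen"] < ev.ts <= a["first_seen"] + window:
                kind = classify_lateral(ev)
                if kind:
                    a["lateral_movement"].append((ev.ts, kind, ev.detail))
    return alerts

def sample_events():
    """Constructed telemetry; hosts, users and addresses are fictitious."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    def at(s): return t0 + timedelta(seconds=s)
    return [
        # WS01/alice: four tools in 15 s, then an admin-share session and a type-3 logon
        # (the logon is recorded on the file server; here it is joined back to the source).
        Event(at(0),  "WS01", r"CORP\alice", "process", r"C:\Windows\System32\ipconfig.exe /all"),
        Event(at(4),  "WS01", r"CORP\alice", "process", "arp -a"),
        Event(at(9),  "WS01", r"CORP\alice", "process", r"C:\Windows\System32\ROUTE.EXE print"),
        Event(at(15), "WS01", r"CORP\alice", "process", "nbtstat -n"),
        Event(at(40), "WS01", r"CORP\alice", "process", r"net use \\FS01\C$ /user:CORP\alice"),
        Event(at(55), "WS01", r"CORP\alice", "logon",   "type=3 src=10.20.30.41 dst=FS01"),
        # WS02/bob: one ipconfig is routine help-desk work, no alert.
        Event(at(300), "WS02", r"CORP\bob", "process", "ipconfig"),
        # LNX01/svc_inventory: scheduled inventory script, allowlisted -> suppressed.
        Event(at(3600), "LNX01", "svc_inventory", "process", "ifconfig -a"),
        Event(at(3601), "LNX01", "svc_inventory", "process", "ip route"),
        Event(at(3602), "LNX01", "svc_inventory", "process", "arp -a"),
        # ESX01/root and a router: tagged as discovery but below the burst threshold.
        Event(at(7200), "ESX01", "root", "process", "esxcli network nic list"),
        Event(at(7203), "ESX01", "root", "process", "esxcli network ip interface ipv4 get"),
        Event(at(7300), "CORE-RTR1", "netops", "process", "show ip route"),
    ]

ALLOWLIST = frozenset({("LNX01", "svc_inventory")})

def run_example():
    events = sample_events()
    return correlate_lateral(detect_bursts(events, allowlist=ALLOWLIST), events)

if __name__ == "__main__":
    for a in run_example():
        print(a["host"], a["user"], a["tools"], "suppressed" if a["suppressed"] else "", a["lateral_movement"])
```

Run it directly to print the two alerts (WS01/alice with follow-on lateral movement, LNX01/svc_inventory suppressed by the allowlist). In production the same logic would consume normalised SIEM events, and the window and threshold come from baselining your own environment rather than from this example.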
Tactics:
Discovery
Platforms:
ESXi, Linux, Network Devices, Windows, macOS
Data Sources:
Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Relationship Citations:
(Citation: Microsoft Moonstone Sleet 2024),(Citation: Cisco MagicRAT 2022),(Citation: FireEye APT41 Aug 2019),(Citation: Kaspersky TajMahal April 2019),(Citation: MalwareBytes WoodyRAT Aug 2022),(Citation: evolution of pirpi),(Citation: ESET Okrum July 2019),(Citation: ESET LoudMiner June 2019),(Citation: McAfee Night Dragon),(Citation: Unit42 BabyShark Feb 2019),(Citation: BlackBerry Amadey 2020),(Citation: McAfee Shamoon December 2018),(Citation: SentinelLabs Metador Sept 2022),(Citation: Malwarebytes Saint Bot April 2021),(Citation: DFIR Conti Bazar Nov 2021),(Citation: Sygnia Elephant Beetle Jan 2022),(Citation: Novetta Blockbuster),(Citation: FireEye APT34 Dec 2017),(Citation: Carbon Black HotCroissant April 2020),(Citation: ESET Turla PowerShell May 2019),(Citation: CarbonBlack Conti July 2020),(Citation: Kaspersky QakBot September 2021),(Citation: Symantec Orangeworm April 2018),(Citation: Google Cloud BOLDMOVE 2023),(Citation: Accenture Dragonfish Jan 2018),(Citation: GitHub PoshC2),(Citation: 360 Machete Sep 2020),(Citation: ESET EvasivePanda 2024),(Citation: Bitdefender Sardonic Aug 2021),(Citation: Emissary Trojan Feb 2016),(Citation: Unit 42 NOKKI Sept 2018),(Citation: Secureworks GOLD KINGSWOOD September 2018),(Citation: Secureworks Karagany July 2019),(Citation: TrendMicro Tropic Trooper May 2020),(Citation: Symantec Trojan.Hydraq Jan 2010),(Citation: TrendMicro EarthLusca 2022),(Citation: CERT-FR PYSA April 2020),(Citation: Talos GravityRAT),(Citation: Trend Micro Black Basta October 2022),(Citation: FSecure Lokibot November 2019),(Citation: DFIR_Quantum_Ransomware),(Citation: DFIR Report APT35 ProxyShell March 2022),(Citation: NCC Group APT15 Alive and Strong),(Citation: objsee mac malware 2017),(Citation: Unit 42 C0d0so0 Jan 2016),(Citation: Microsoft DUBNIUM July 2016),(Citation: Red Canary Hospital Thwarted Ryuk October 2020),(Citation: Securelist Octopus Oct 2018),(Citation: MalwareBytes LazyScripter Feb 2021),(Citation: Kaspersky ProjectSauron Technical Analysis),(Citation: ESET Gelsemium June 2021),(Citation: Trend Micro MacOS Backdoor November 2020),(Citation: PWC Cloud Hopper Technical Annex April 2017),(Citation: CheckPoint Volatile Cedar March 2015),(Citation: ASERT Donot March 2018),(Citation: Gigamon Berserk Bear October 2021),(Citation: Trend Micro TeamTNT),(Citation: Kaspersky ShrinkLocker 2024),(Citation: Unit42 Azorult Nov 2018),(Citation: Cylance Shaheen Nov 2018),(Citation: Unit42 Xbash Sept 2018),(Citation: TrendMicro MacOS April 2018),(Citation: Citizen Lab Stealth Falcon May 2016),(Citation: Group IB APT 41 June 2021),(Citation: CheckPoint Naikon May 2020),(Citation: ClearSky Siamesekitten August 2021),(Citation: Symantec Naid June 2012),(Citation: McAfee GhostSecret),(Citation: Palo Alto Reaver Nov 2017),(Citation: Secureworks Gold Prelude Profile),(Citation: Unit 42 Bisonal July 2018),(Citation: Volexity PowerDuke November 2016),(Citation: Mandiant APT1),(Citation: Cobalt Strike Manual 4.3 November 2020),(Citation: Kaspersky Cloud Atlas August 2019),(Citation: Mandiant APT42-charms),(Citation: Checkpoint IndigoZebra July 2021),(Citation: Palo Alto MoonWind March 2017),(Citation: Avira Mustang Panda January 2020),(Citation: Zscaler APT31 Covid-19 October 2020),(Citation: Sophos New Ryuk Attack October 2020),(Citation: Github PowerShell Empire),(Citation: CISA WellMess July 2020),(Citation: Symantec Buckeye),(Citation: Unit 42 Magic Hound Feb 2017),(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021),(Citation: Unit 42 Lucifer June 2020),(Citation: Securelist MuddyWater Oct 2018),(Citation: Mandiant FIN12 Oct 2021),(Citation: Cylance Dust Storm),(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023),(Citation: Securelist Dtrack),(Citation: F-Secure The Dukes),(Citation: Lunghi Iron Tiger Linux),(Citation: Zscaler Pikabot 2023),(Citation: GitHub Pupy),(Citation: AlienVault Sykipot 2011),(Citation: MalwareBytes SideCopy Dec 2021),(Citation: McAfee Gold Dragon),(Citation: Accenture MUDCARP March 2019),(Citation: ESET Turla Mosquito Jan 2018),(Citation: CyberBit Dtrack),(Citation: Symantec Troll Stealer 2024),(Citation: Debian nbtscan Nov 2019),(Citation: Zscaler Higaisa 2020),(Citation: Proofpoint Leviathan Oct 2017),(Citation: ESET Zebrocy May 2019),(Citation: Talos Cobalt Group July 2018),(Citation: Trend Micro Tick November 2019),(Citation: GovCERT Carbon May 2016),(Citation: Cybereason Bazar July 2020),(Citation: Hartrell cd00r 2002),(Citation: ESET Machete July 2019),(Citation: Forcepoint Felismus Mar 2017),(Citation: Red Canary SocGholish March 2024),(Citation: Trend Micro Cyclops Blink March 2022),(Citation: Talos Frankenstein June 2019),(Citation: Symantec Hydraq Jan 2010),(Citation: FireEye Ryuk and Trickbot January 2019),(Citation: Unit 42 DarkHydrus July 2018),(Citation: Kaspersky CactusPete Aug 2020),(Citation: Mandiant APT41),(Citation: F-Secure BlackEnergy 2014),(Citation: ThreatExpert Agent.btz),(Citation: ESET ForSSHe December 2018),(Citation: ESET Dukes October 2019),(Citation: Mandiant Suspected Turla Campaign February 2023),(Citation: Cybereason Cobalt Kitty 2017),(Citation: Bitdefender FunnyDream Campaign November 2020),(Citation: FoxIT Wocao December 2019),(Citation: Mandiant Operation Ke3chang November 2014),(Citation: Talos Manjusaka 2022),(Citation: CISA SoreFang July 2016),(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021),(Citation: CISA AR18-352A Quasar RAT December 2018),(Citation: Kaspersky ShadowPad Aug 2017),(Citation: Cybereason Valak May 2020),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: Proofpoint Operation Transparent Tribe March 2016),(Citation: Talos Olympic Destroyer 2018),(Citation: Objective See Green Lambert for OSX Oct 2021),(Citation: US-CERT HOTCROISSANT February 2020),(Citation: US-CERT TA18-074A),(Citation: PWC WellMess July 2020),(Citation: FOX-IT May 2016 Mofang),(Citation: Check Point Pay2Key November 2020),(Citation: ESET GreyEnergy Oct 2018),(Citation: SentinelLabs Agent Tesla Aug 2020),(Citation: Palo Alto Comnie),(Citation: Kaspersky ToddyCat June 2022),(Citation: Proofpoint NETWIRE December 2020),(Citation: Trend Micro Trickbot Nov 2018),(Citation: NCC Group Chimera January 2021),(Citation: Medium Anchor DNS July 2020),(Citation: ESET Carbon Mar 2017),(Citation: Oligo ShadowRay Campaign MAR 2024),(Citation: Palo Alto Shamoon Nov 2016),(Citation: ESET Industroyer),(Citation: Talos Promethium June 2020),(Citation: Volexity InkySquid BLUELIGHT August 2021),(Citation: Securelist Calisto July 2018),(Citation: SecTools nbtscan June 2003),(Citation: Crowdstrike Qakbot October 2020),(Citation: IBM Ransomware Trends September 2020),(Citation: US-CERT BLINDINGCAN Aug 2020),(Citation: Malwarebytes Kimsuky June 2021),(Citation: Forcepoint Monsoon),(Citation: Group IB Ransomware September 2020),(Citation: Talos Bisonal Mar 2020),(Citation: Palo Alto OilRig May 2016),(Citation: McAfee Lazarus Nov 2020),(Citation: ESET Operation Groundbait),(Citation: RATANKBA),(Citation: Trend Micro IXESHE 2012),(Citation: CISA WellMail July 2020),(Citation: Lumen J-Magic JAN 2025),(Citation: Costa AvosLocker May 2022),(Citation: SocGholish-update),(Citation: Google Cloud APT41 2024),(Citation: Talos Kimsuky Nov 2021),(Citation: SecureWorks WannaCry Analysis),(Citation: ESET InvisiMole June 2018),(Citation: Dell TG-3390),(Citation: Checkpoint MosesStaff Nov 2021),(Citation: CISA Play Ransomware Advisory December 2023),(Citation: McAfee Oceansalt Oct 2018),(Citation: Fortinet Diavol July 2021),(Citation: ESET Kobalos Jan 2021),(Citation: Elastic Latrodectus May 2024),(Citation: Cybereason OperationCuckooBees May 2022),(Citation: Cofense Astaroth Sept 2018),(Citation: US-CERT KEYMARBLE Aug 2018),(Citation: DFIR Phosphorus November 2021),(Citation: Unit 42 VERMIN Jan 2018),(Citation: Symantec Dragonfly),(Citation: TechNet Arp),(Citation: Lazarus RATANKBA),(Citation: CME Github September 2018),(Citation: DHS CISA AA22-055A MuddyWater February 2022),(Citation: Malwarebytes Dyreza November 2015),(Citation: SentinelOne Gootloader June 2021),(Citation: ESET ComRAT May 2020),(Citation: FBI BlackByte 2022),(Citation: FireEye FIN6 Apr 2019),(Citation: US-CERT BADCALL),(Citation: McAfee Cuba April 2021),(Citation: ESET DazzleSpy Jan 2022),(Citation: FireEye MuddyWater Mar 2018),(Citation: Cisco LotusBlossom 2025),(Citation: Proofpoint TA427 April 2024),(Citation: DigiTrust NanoCore Jan 2017),(Citation: ESET PipeMon May 2020),(Citation: ATT Sidewinder January 2021),(Citation: CrowdStrike Ryuk January 2019),(Citation: McAfee Sharpshooter December 2018),(Citation: NCSC GCHQ Small Sieve Jan 2022),(Citation: TrendMicro Taidoor),(Citation: Awake Security Avaddon),(Citation: S2 Grupo TrickBot June 2017),(Citation: FireEye APT10 Sept 2018),(Citation: Symantec Volgmer Aug 2014),(Citation: NTT Security Flagpro new December 2021),(Citation: CrowdStrike IceApple May 2022),(Citation: Bleeping Computer - Ryuk WoL),(Citation: ESET InvisiMole June 2020),(Citation: Group IB GrimAgent July 2021),(Citation: Microsoft BlackByte 2023),(Citation: Leonardo Turla Penquin May 2020),(Citation: Palo Alto DNS Requests),(Citation: Cybereason Royal December 2022),(Citation: S2W Troll Stealer 2024),(Citation: Kaspersky Adwind Feb 2016),(Citation: Malwarebytes Higaisa 2020),(Citation: Bitsight Latrodectus June 2024),(Citation: BiZone Lizar May 2021),(Citation: Kaspersky Turla),(Citation: Mandiant FIN13 Aug 2022),(Citation: Symantec Waterbug Jun 2019),(Citation: Talos Konni May 2017),(Citation: FireEye admin@338),(Citation: NGLite Trojan),(Citation: TrendMicro POWERSTATS V3 June 2019),(Citation: Lumen KVBotnet 2023),(Citation: Kaspersky Lyceum October 2021),(Citation: Microsoft NICKEL December 2021),(Citation: Cyberreason Anchor December 2019),(Citation: Symantec W32.Duqu),(Citation: Lotus Blossom Jun 2015),(Citation: Kaspersky Transparent Tribe August 2020),(Citation: Unit 42 PingPull Jun 2022),(Citation: FireEye SUNBURST Backdoor December 2020),(Citation: GitHub Sliver Ifconfig),(Citation: Microsoft PLATINUM April 2016),(Citation: Baumgartner Naikon 2015),(Citation: ESET BackdoorDiplomacy Jun 2021),(Citation: Nltest Manual),(Citation: Talent-Jump Clambling February 2020),(Citation: ESET LightNeuron May 2019),(Citation: ClearSky Lebanese Cedar Jan 2021),(Citation: Unit 42 Playbook Dec 2017),(Citation: Microsoft POLONIUM June 2022),(Citation: Github Koadic),(Citation: CheckPoint Bandook Nov 2020),(Citation: Check Point APT35 CharmPower January 2022),(Citation: Cybereason Soft Cell June 2019),(Citation: CheckPoint SpeakUp Feb 2019),(Citation: DigiTrust Agent Tesla Jan 2017),(Citation: Symantec Catchamas April 2018),(Citation: ESET Grandoreiro April 2020),(Citation: Antiy CERT Ramsay April 2020),(Citation: Securelist Darkhotel Aug 2015),(Citation: Proofpoint TA505 October 2019),(Citation: Proofpoint ZeroT Feb 2017),(Citation: Trend Micro DRBControl February 2020),(Citation: Unit 42 Kazuar May 2017),(Citation: US-CERT FALLCHILL Nov 2017),(Citation: Red Canary NETWIRE January 2020),(Citation: Check Point APT34 April 2021),(Citation: MSTIC NOBELIUM Mar 2021),(Citation: PWC KeyBoys Feb 2017),(Citation: Rapid7 HAFNIUM Mar 2021),(Citation: JPCert TSCookie March 2018),(Citation: Unit 42 QUADAGENT July 2018),(Citation: Rancor Unit42 June 2018),(Citation: Palo Alto T9000 Feb 2016),(Citation: ESET Turla Lunar toolset May 2024),(Citation: Microsoft Ransomware as a Service),(Citation: ZScaler Squirrelwaffle Sep 2021),(Citation: NCSC Cyclops Blink February 2022),(Citation: Novetta Blockbuster Loaders),(Citation: Securelist BlackEnergy Nov 2014),(Citation: Palo Alto OilRig Oct 2016)
Read More: https://attack.mitre.org/techniques/T1016