Key points:
- Adversaries list systems by IP or hostname to map targets for lateral movement.
- Common tools include ping, tracert, net view, esxcli, and network device CLI commands.
- Hosts files and ARP cache entries provide passive discovery without active scanning.
- Remote access tools may use APIs or WMI/PowerShell to gather discovery data stealthily.
- Monitor process creation, command arguments, network connections, and file access for indicators.
Description:
- Think of Remote System Discovery like drawing a map of an unfamiliar city by listening for street names and peeking through windows; attackers build a map of reachable systems to navigate later.
- Attackers use active commands (ping, net view, esxcli) or passive sources (hosts files, ARP cache, network device outputs) to identify machines and infrastructure. This enables prioritized lateral movement, credential targeting, and planning of follow-on actions, making early detection critical.
Detection:
- Log and alert on command-line activity for utilities like ping, tracert, net, and esxcli. Capture full command arguments to spot mass or scripted scans.
- Monitor process creation events for rapid or repeated launches of discovery tools; correlate sequences that indicate automated scanning.
- Collect and analyze WMI and PowerShell logs for discovery queries, especially remote system enumeration or calls to network APIs.
- Inspect network device CLI history and configuration logs for commands such as show cdp neighbors or show arp. Centralize logs from switches and routers for correlation.
- Track reads to hosts files and ARP cache queries at the OS level; anomalous or repeated access can indicate passive reconnaissance.
- Use network flow and connection logs to detect sequential connection attempts across many IPs or ports; distinguish legitimate admin activity by user, time, and originating host.
- Deploy endpoint detection rules that combine process, file access, and network indicators to reduce false positives; tune alerts for known admin tools and maintenance windows.
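An added example (not part of the ATT&CK page or of any vendor product) of the detection logic described above: it flags T1018 utilities from process-creation records, ignores non-enumerating net sub-commands, applies an allowlist for known admin tooling, and alerts when one host/user pair launches discovery tools in a burst. The event field names, the allowlist entry, the window and the threshold are assumptions, and the telemetry is constructed.

```python
import json, os
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named on the page, matched on the image basename (case-insensitive).
DISCOVERY_TOOLS = {"ping", "ping.exe", "tracert", "tracert.exe", "net", "net.exe",
                   "esxcli", "arp", "arp.exe", "nltest", "nltest.exe"}
NET_DISCOVERY_SUBCMDS = {"view", "group"}        # "net use" / "net start" are not T1018
ALLOWLIST = {("noc-jump01", "svc-monitoring")}   # hypothetical (host, user) tuning entry
WINDOW, THRESHOLD = timedelta(seconds=60), 5     # hypothetical: 5 launches within one minute
def _rec(sec, host, user, image, cmdline):       # one constructed JSON process-creation record
    return json.dumps({"ts": f"2024-01-10T09:00:{sec:02d}", "host": host, "user": user,
                       "image": image, "cmdline": cmdline})

# Constructed sample telemetry: a ping sweep plus "net view" from jdoe, a similar sweep
# from an allowlisted monitoring account, and benign noise that must not alert.
SAMPLE_LOG = "\n".join(
    [_rec(s, "WS-042", "jdoe", r"C:\Windows\System32\PING.EXE", f"ping -n 1 10.0.0.{s}") for s in range(1, 6)]
    + [_rec(s, "NOC-JUMP01", "svc-monitoring", "/usr/bin/ping", f"ping -c 1 10.0.1.{s}") for s in range(1, 6)]
    + [_rec(7, "WS-042", "jdoe", r"C:\Windows\System32\net.exe", "net view /domain"),
       _rec(8, "WS-042", "jdoe", r"C:\Windows\System32\net.exe", r"net use Z: \\fs01\share"),
       _rec(9, "WS-007", "asmith", r"C:\Windows\System32\PING.EXE", "ping fs01")])

def parse_events(log_text):                      # JSON lines -> dicts with datetime timestamps
    return [dict(ev, ts=datetime.fromisoformat(ev["ts"])) for ev in map(json.loads, log_text.splitlines())]

def is_discovery(ev):
    """True when the event launches a T1018 utility with enumerating arguments."""
    image = os.path.basename(ev["image"].replace("\\", "/")).lower()
    if image in ("net", "net.exe"):              # only enumerating net sub-commands count
        args = ev["cmdline"].lower().split()
        return len(args) > 1 and args[1] in NET_DISCOVERY_SUBCMDS
    return image in DISCOVERY_TOOLS
def find_bursts(events):
    """One alert per (host, user) whose discovery launches reach THRESHOLD inside WINDOW."""
    per_actor = defaultdict(list)
    for ev in events:
        key = (ev["host"].lower(), ev["user"].lower())
        if is_discovery(ev) and key not in ALLOWLIST:
            per_actor[key].append(ev)
    alerts = []
    for (host, user), evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, (0, 0)                  # best = (launches inside window, index of last)
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            best = max(best, (end - start + 1, end))
        if best[0] >= THRESHOLD:
            alerts.append({"host": host, "user": user, "count": best[0],
                           "commands": [e["cmdline"] for e in evs[best[1] - best[0] + 1:best[1] + 1]]})
    return alerts
```

Running `find_bursts(parse_events(SAMPLE_LOG))` yields a single alert for jdoe on WS-042 covering the five pings and the `net view`, while the allowlisted sweep, the `net use` mapping and the lone ping from asmith produce nothing.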
Tactics:
Discovery
Platforms:
ESXi, Linux, Network Devices, Windows, macOS
Data Sources:
Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Process: Process Creation
Read More: https://attack.mitre.org/techniques/T1018