Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view using Net.
Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network.[1][2]
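The passive side of this technique, as an added example that is not code from the ATT&CK page or from any tool it lists: a parser for a hosts file and for the text output of arp -a (Windows and Linux layouts) that merges both into a list of candidate remote systems without sending a single packet. The file contents, addresses, MACs and hostnames below are constructed samples, not real data.

```python
"""Passive remote-system discovery from local artifacts (added example).

Parses a hosts file and ``arp -a`` output to build the candidate target list
an adversary would collect before moving laterally. Nothing touches the
network; every input is a constructed sample embedded below.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed hosts-file sample (Windows and Linux share the format).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        fileserver01 fileserver01.corp.example   # trailing comment
10.0.0.7        dc01.corp.example
fe80::1%eth0    gateway-v6
"""

# Constructed ``arp -a`` output in the Windows layout.
SAMPLE_ARP_WINDOWS = """\
Interface: 10.0.0.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.5              00-11-22-33-44-66     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed ``arp -a`` output in the Linux net-tools layout.
SAMPLE_ARP_LINUX = """\
dc01.corp.example (10.0.0.7) at 00:11:22:33:44:77 [ether] on eth0
? (10.0.0.9) at 00:11:22:33:44:88 [ether] on eth0
? (10.0.0.10) at <incomplete> on eth0
"""

LOOPBACK_NAMES = {"localhost", "ip6-localhost"}
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map address -> hostnames, dropping comments, blank lines and loopback entries."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # full-line and trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop IPv6 zone id
        except ValueError:
            continue                                          # malformed line
        if ip.is_loopback:
            continue
        entries.setdefault(str(ip), []).extend(n for n in names if n not in LOOPBACK_NAMES)
    return entries


_WIN_ARP = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})", re.I)
_LNX_ARP = re.compile(r"^(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) at (\S+)")


def parse_arp(text: str) -> Dict[str, str]:
    """Map IPv4 -> MAC from ``arp -a`` output; broadcast, multicast and incomplete rows are not hosts."""
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        m = _WIN_ARP.match(line)
        if m:
            ip, mac = m.group(1), m.group(2)
        else:
            m = _LNX_ARP.match(line)
            if not m or m.group(3) == "<incomplete>":
                continue
            ip, mac = m.group(2), m.group(3)
        try:
            if ipaddress.ip_address(ip).is_multicast:
                continue
        except ValueError:
            continue
        if mac.lower().replace(":", "-") == BROADCAST_MAC:
            continue
        hosts[ip] = mac.lower()
    return hosts


def candidate_targets(hosts_text: str, *arp_outputs: str) -> Dict[str, Dict[str, object]]:
    """Merge both sources into address -> {names, mac, sources} for later triage."""
    targets: Dict[str, Dict[str, object]] = {}

    def slot(ip: str) -> Dict[str, object]:
        return targets.setdefault(ip, {"names": set(), "mac": None, "sources": set()})

    for ip, names in parse_hosts(hosts_text).items():
        s = slot(ip); s["names"].update(names); s["sources"].add("hosts")
    for arp_text in arp_outputs:
        for ip, mac in parse_arp(arp_text).items():
            s = slot(ip); s["mac"] = mac; s["sources"].add("arp")
    return targets


if __name__ == "__main__":
    merged = candidate_targets(SAMPLE_HOSTS, SAMPLE_ARP_WINDOWS, SAMPLE_ARP_LINUX)
    for ip, info in sorted(merged.items()):
        print(ip, sorted(info["names"]), info["mac"], sorted(info["sources"]))
```

Entries seen in both the hosts file and the ARP cache are the strongest candidates: they are named by an administrator and have recently exchanged traffic with this host. The same merging logic extends naturally to known_hosts files and DNS cache output, which the table below shows adversaries also use.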
ID | Name | Description |
---|---|---|
S0552 | AdFind | AdFind has the ability to query Active Directory for computers.[3][4][5] |
G0016 | APT29 | |
G0022 | APT3 | APT3 has a tool that can detect the existence of remote systems.[7][8] |
G0050 | APT32 | APT32 has enumerated DC servers using the command |
G0087 | APT39 | APT39 has used NBTscan and custom tools to discover remote systems.[10][11][12] |
S0099 | Arp | Arp can be used to display a host's ARP cache, which may include address resolutions for remote systems.[13][14] |
S0093 | Backdoor.Oldrea | Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[15] |
S0534 | Bazar | |
S0570 | BitPaymer | |
S0521 | BloodHound | BloodHound can enumerate and collect the properties of domain computers, including domain controllers.[18] |
G0060 | BRONZE BUTLER | BRONZE BUTLER typically use |
S0335 | Carbon | |
G0114 | Chimera | Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.[21] |
S0154 | Cobalt Strike | Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.[22][23][24] |
S0244 | Comnie | Comnie runs the |
S0575 | Conti | Conti has the ability to discover hosts on a target network.[25] |
S0488 | CrackMapExec | CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.[26] |
G0009 | Deep Panda | Deep Panda has used ping to identify other machines of interest.[27] |
S0659 | Diavol | Diavol can use the ARP table to find remote hosts to scan.[28] |
G0035 | Dragonfly | Dragonfly has likely obtained a list of hosts in the victim environment.[29] |
S0694 | DRATzarus | DRATzarus can search for other machines connected to the compromised host and attempt to map the network.[30] |
S0091 | Epic | |
G0053 | FIN5 | FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.[32] |
G0037 | FIN6 | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[33] |
G0061 | FIN8 | FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used |
S0696 | Flagpro | Flagpro has been used to execute |
G0117 | Fox Kitten | Fox Kitten has used Angry IP Scanner to detect remote systems.[37] |
G0093 | GALLIUM | GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as |
S0698 | HermeticWizard | HermeticWizard can find machines on the local network by gathering known local IP addresses through |
G0119 | Indrik Spider | Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.[40] |
S0604 | Industroyer | Industroyer can enumerate remote computers in the compromised network.[41] |
G0004 | Ke3chang | Ke3chang has used network scanning and enumeration tools, including Ping.[42] |
S0599 | Kinsing | Kinsing has used a script to parse files like |
S0236 | Kwampirs | Kwampirs collects a list of available servers with the command |
G0077 | Leafminer | Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems.[45] |
G0045 | menuPass | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command |
S0233 | MURKYTOP | MURKYTOP has the capability to identify remote hosts on connected networks.[48] |
G0019 | Naikon | Naikon has used a netbios scanner for remote machine identification.[49] |
S0590 | NBTscan | |
S0039 | Net | Commands such as |
S0385 | njRAT | |
S0359 | Nltest | Nltest may be used to enumerate remote domain controllers using options such as |
S0365 | Olympic Destroyer | Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.[55] |
G0116 | Operation Wocao | Operation Wocao can use the |
S0165 | OSInfo | OSInfo performs a connection test to discover remote systems in the network.[7] |
S0097 | Ping | Ping can be used to identify remote systems within a network.[57] |
S0428 | PoetRAT | |
S0650 | QakBot | QakBot can identify remote systems through the |
S0241 | RATANKBA | RATANKBA runs the |
S0125 | Remsec | |
S0684 | ROADTools | |
G0106 | Rocke | Rocke has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.[64] |
G0034 | Sandworm Team | Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[65][66] |
S0140 | Shamoon | Shamoon scans the C-class subnet of the IPs on the victim's interfaces.[67] |
S0063 | SHOTPUT | SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.[68] |
G0091 | Silence | Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.[69] |
S0692 | SILENTTRINITY | SILENTTRINITY can enumerate and collect the properties of domain computers.[70] |
S0646 | SpicyOmelette | SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.[71] |
S0018 | Sykipot | Sykipot may use |
S0586 | TAINTEDSCRIBE | The TAINTEDSCRIBE command and execution module can perform target system enumeration.[73] |
G0027 | Threat Group-3390 | Threat Group-3390 has used the |
S0266 | TrickBot | |
S0609 | TRITON | TRITON’s TsLow python module pings controllers over the TriStation protocol.[76] |
G0010 | Turla | Turla surveys a system upon check-in to discover remote systems on a local network using the |
S0452 | USBferry | USBferry can use |
S0366 | WannaCry | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[79] |
G0102 | Wizard Spider | Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind and |
S0248 | yty | |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Access |
DS0029 | Network Traffic | Network Connection Creation |
DS0009 | Process | Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.[84]