Description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. `show ip route`, `show ip interface`).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
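The description above names the utilities this technique relies on (Arp, ipconfig/ifconfig, nbtstat, route, the esxcli network commands) and notes that they tend to run in bursts during automated discovery. The following detection sketch is an added example, not code from the ATT&CK page or from MITRE: it classifies process-creation events by the discovery utility they run and alerts when one parent process spawns several different discovery commands within a short window. The event field names (`host`, `image`, `command_line`, `parent_image`, `parent_pid`, `timestamp`) are an assumed Sysmon-like schema, and the sample events are constructed.

```python
"""Correlate T1016-style network configuration discovery commands.
Added example with an assumed Sysmon-like event schema; sample events are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Utilities named in the technique description (Arp, ipconfig/ifconfig, nbtstat, route)
# plus netstat, nslookup and tracert from the group entries. Keys are the executable
# name with path and ".exe" stripped.
DISCOVERY_BINARIES = {
    "arp": "ARP cache",
    "ipconfig": "interface configuration (Windows)",
    "ifconfig": "interface configuration (Unix)",
    "nbtstat": "NetBIOS name table",
    "route": "routing table",
    "netstat": "sockets/routing table",
    "nslookup": "DNS resolver",
    "tracert": "path discovery",
}
# "esxcli network <namespace> ..." e.g. "esxcli network nic list"
ESXCLI_NETWORK = re.compile(r"\besxcli\s+network\s+(\S+)", re.IGNORECASE)


def classify(event: dict) -> str | None:
    """Return what a process-creation event discovers, or None if it is not a T1016 command."""
    exe = re.split(r"[\\/]", event["image"])[-1].lower().removesuffix(".exe")
    if exe in DISCOVERY_BINARIES:
        return DISCOVERY_BINARIES[exe]
    if exe == "esxcli":
        m = ESXCLI_NETWORK.search(event.get("command_line", ""))
        if m:
            return f"ESXi network {m.group(1).lower()}"
    return None


@dataclass
class Alert:
    host: str
    parent_image: str
    parent_pid: int
    commands: list[str]  # distinct discovery categories seen under this parent
    first_seen: str
    last_seen: str


def correlate(events: list[dict], window_seconds: int = 120, min_distinct: int = 3) -> list[Alert]:
    """Alert when one parent process spawns >= min_distinct different discovery commands
    within window_seconds. A lone ipconfig from an administrator is noise; a burst of
    ipconfig/arp/route/nbtstat from the same shell looks like automated discovery."""
    buckets: dict[tuple, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        key = (ev["host"], ev["parent_image"], ev["parent_pid"])
        buckets[key].append((datetime.fromisoformat(ev["timestamp"]), label))

    alerts: list[Alert] = []
    window = timedelta(seconds=window_seconds)
    for (host, parent_image, parent_pid), hits in buckets.items():
        hits.sort()
        start = 0
        # Sliding window: does any span of <= window_seconds hold enough distinct categories?
        for end, (t_end, _) in enumerate(hits):
            while t_end - hits[start][0] > window:
                start += 1
            if len({label for _, label in hits[start:end + 1]}) >= min_distinct:
                alerts.append(Alert(host, parent_image, parent_pid,
                                    sorted({label for _, label in hits}),
                                    hits[0][0].isoformat(), hits[-1][0].isoformat()))
                break  # one alert per parent process
    return alerts


# Constructed sample telemetry: a discovery burst on WS-042, a single benign ipconfig
# on WS-017, and two esxcli network commands on an ESXi host.
SAMPLE_EVENTS = [
    {"host": "WS-042", "timestamp": "2024-03-05T09:14:02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4120, "image": r"C:\Windows\System32\ipconfig.exe", "command_line": "ipconfig /all"},
    {"host": "WS-042", "timestamp": "2024-03-05T09:14:05", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4120, "image": r"C:\Windows\System32\ARP.EXE", "command_line": "arp -a"},
    {"host": "WS-042", "timestamp": "2024-03-05T09:14:09", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4120, "image": r"C:\Windows\System32\ROUTE.EXE", "command_line": "route print"},
    {"host": "WS-042", "timestamp": "2024-03-05T09:14:15", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4120, "image": r"C:\Windows\System32\nbtstat.exe", "command_line": "nbtstat -n"},
    {"host": "WS-042", "timestamp": "2024-03-05T09:14:20", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 4120, "image": r"C:\Windows\System32\whoami.exe", "command_line": "whoami"},
    {"host": "WS-017", "timestamp": "2024-03-05T11:30:44", "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_pid": 2210, "image": r"C:\Windows\System32\ipconfig.exe", "command_line": "ipconfig /release"},
    {"host": "esxi-01", "timestamp": "2024-03-05T09:20:00", "parent_image": "/bin/sh",
     "parent_pid": 77, "image": "/bin/esxcli", "command_line": "esxcli network nic list"},
    {"host": "esxi-01", "timestamp": "2024-03-05T09:20:03", "parent_image": "/bin/sh",
     "parent_pid": 77, "image": "/bin/esxcli", "command_line": "esxcli network ip interface ipv4 get"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.parent_image} (pid {alert.parent_pid}) ran "
              f"{', '.join(alert.commands)} between {alert.first_seen} and {alert.last_seen}")
```

With the defaults only the WS-042 burst alerts; the single `ipconfig /release` on WS-017 never will, and the two esxcli commands on the ESXi host only trip the rule if `min_distinct` is lowered to 2. Tune the window and threshold per fleet, and enrich alerts with the parent's own ancestry (an Office or web-server process spawning the shell is far more telling than a logged-in administrator's console).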
Sub-Techniques (2)
Threat Groups (43)
| ID | Group | Context |
|---|---|---|
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used [Ping](https://attack.mitre.org/software/S0097) and `tracert` for network discovery.(Citation... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used <code>ipconfig</code> and <code>arp</code> to determine network configuration informat... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used the information-stealing tool Grixba to enumerate network information.(Citation: CISA Play Ran... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) used tools such as [Arp](https://attack.mitre.org/software/S0099) to pull system network informatio... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used batch scripts to enumerate network information, including information about trusts, zones,... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command after exploiting a machine with [LOWBALL](https://attack.mitre.or... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used commands such as `ipconfig` and `netstat` to gather network information on compromised... |
| G1009 | Moses Staff | [Moses Staff](https://attack.mitre.org/groups/G1009) has collected the domain name of a compromised network.(Citation: Checkpoint MosesStaff Nov 2021) |
| G0073 | APT19 | [APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address fr... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has used `nslookup` and `ipconfig` for network reconnaissance efforts. [FIN13](https://attack.mitre.org... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has executed multiple commands to enumerate network topology and settings including `ipconfig`,... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server information about the first network inter... |
| G0022 | APT3 | A keylogging tool used by [APT3](https://attack.mitre.org/groups/G0022) gathers network information from the victim, including the MAC address, IP add... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to collect the victim’s IP address and domain name.(Citation: Securelist MuddyWat... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.(Citation... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has identified the IP address of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021) |
| G0038 | Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers the Address Resolution Protocol (ARP) table from the victim.(Citation: Citizen... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the <code>ipconfig /all</code> command to gather network configuration information.(Citation: Mandi... |
| G0081 | Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper M... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors use [NBTscan](https://attack.mitre.org/software/S0590) to discover vulnerable system... |
Associated Software (229)
| ID | Name | Type | Context |
|---|---|---|---|
| S0569 | Explosive | Malware | [Explosive](https://attack.mitre.org/software/S0569) has collected the MAC address from the victim's machine.(Citation: CheckPoint Volatile Cedar Mar... |
| S0667 | Chrommme | Malware | [Chrommme](https://attack.mitre.org/software/S0667) can enumerate the IP address of a compromised host.(Citation: ESET Gelsemium June 2021) |
| S0101 | ifconfig | Tool | [ifconfig](https://attack.mitre.org/software/S0101) can be used to display adapter configuration on Unix systems, including information for TCP/IP, DN... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) collects the IP address of a compromised system.(Citation: Nicolas Falliere, Liam O Murchu, Eric Ch... |
| S0024 | Dyre | Malware | [Dyre](https://attack.mitre.org/software/S0024) has the ability to identify network settings on a compromised host.(Citation: Malwarebytes Dyreza Nove... |
| S0365 | Olympic Destroyer | Malware | [Olympic Destroyer](https://attack.mitre.org/software/S0365) uses API calls to enumerate the infected system's ARP table.(Citation: Talos Olympic Dest... |
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can retrieve the contents of the IP routing table as well as information about the Windows domain.(C... |
| S1145 | Pikabot | Malware | [Pikabot](https://attack.mitre.org/software/S1145) gathers victim network information through commands such as <code>ipconfig</code> and <code>ipconfi... |
| S0098 | T9000 | Malware | [T9000](https://attack.mitre.org/software/S0098) gathers and beacons the MAC and IP addresses during installation.(Citation: Palo Alto T9000 Feb 2016) |
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can collect the IP address of a compromised host.(Citation: Unit 42 Lucifer June 2020) |
| S1022 | IceApple | Malware | The [IceApple](https://attack.mitre.org/software/S1022) [ifconfig](https://attack.mitre.org/software/S0101) module can iterate over all network interf... |
| S0657 | BLUELIGHT | Malware | [BLUELIGHT](https://attack.mitre.org/software/S0657) can collect IP information from the victim’s machine.(Citation: Volexity InkySquid BLUELIGHT Augu... |
| S0363 | Empire | Tool | [Empire](https://attack.mitre.org/software/S0363) can acquire network configuration information like DNS servers, public IP, and network proxies used ... |
| S0257 | VERMIN | Malware | [VERMIN](https://attack.mitre.org/software/S0257) gathers the local IP address.(Citation: Unit 42 VERMIN Jan 2018) |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) can enumerate network adapter information.(Citation: GitHub PoshC2) |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) can determine the public or WAN IP address for the system.(Citation: PWC KeyBoys Feb 2017) |
| S0184 | POWRUNER | Malware | [POWRUNER](https://attack.mitre.org/software/S0184) may collect network configuration data by running <code>ipconfig /all</code> on a victim.(Citation... |
| S0139 | PowerDuke | Malware | [PowerDuke](https://attack.mitre.org/software/S0139) has a command to get the victim's domain and NetBIOS name.(Citation: Volexity PowerDuke November ... |
| S1210 | Sagerunex | Malware | [Sagerunex](https://attack.mitre.org/software/S1210) will gather system information such as MAC and IP addresses.(Citation: Cisco LotusBlossom 2025) |
| S0271 | KEYMARBLE | Malware | [KEYMARBLE](https://attack.mitre.org/software/S0271) gathers the MAC address of the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018) |
References
- Gyler, C., Perez, D., Jones, S., Miller, S. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.
- Pham Duy Phuc, Max Kersten, Noël Keijzer, and Michaël Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1016 (System Network Configuration Discovery)?
T1016 is a MITRE ATT&CK technique named 'System Network Configuration Discovery'. It belongs to the Discovery tactic(s). Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several opera...
How can T1016 be detected?
Detection of T1016 (System Network Configuration Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1016?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1016?
Known threat groups using T1016 include: HEXANE, Mustang Panda, Play, BlackByte, Dragonfly, admin@338, Lotus Blossom, Moses Staff.