Description
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping, `net view` (via Net), or, on ESXi servers, `esxcli network diag ping`.
Adversaries may also analyze data from local host files (e.g., C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local ARP cache entries) in order to discover the presence of remote systems in an environment without generating network traffic.
Adversaries may also target discovery of network infrastructure and leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g., `show cdp neighbors`, `show arp`).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
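The passive variant described above, as an added example that is not code from ATT&CK or from any cited report: it parses the local ARP cache (Windows `arp -a` output format) and the hosts file into a candidate target list without sending a packet, dropping the loopback, broadcast and multicast entries that always appear in those artifacts. The sample ARP table and hosts file are constructed, and the address and MAC values are made up.

```python
"""Passive remote-system discovery from local artifacts.

Added example, not code from ATT&CK or from any cited report: parses the
local ARP cache (Windows `arp -a` format) and the hosts file to build a list of
candidate remote systems without sending a packet. Sample inputs are constructed.
"""
import ipaddress
import re

# Constructed `arp -a` output; addresses and MACs are made up.
ARP_SAMPLE = """
Interface: 10.0.5.23 --- 0xb
  Internet Address      Physical Address      Type
  10.0.5.1              00-50-56-ab-cd-01     dynamic
  10.0.5.40             00-50-56-ab-cd-40     dynamic
  10.0.5.41             00-50-56-AB-CD-41     dynamic
  10.0.5.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

# Constructed hosts file (the page's C:\Windows\System32\Drivers\etc\hosts or /etc/hosts).
HOSTS_SAMPLE = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.5.40       fileserv01 fileserv01.corp.example
10.0.7.12       sql-prod.corp.example   # finance DB
"""

ARP_LINE = re.compile(
    r"^\s*(\S+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)
BROADCAST_MAC = "ff-ff-ff-ff-ff-ff"


def _is_candidate(ip_text):
    """True for a routable unicast address; drops loopback, multicast, link-local, unspecified."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_multicast or ip.is_link_local or ip.is_unspecified)


def parse_arp(text):
    """Map IP -> MAC for unicast neighbours; broadcast and mDNS/SSDP group entries are skipped."""
    neighbours = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # interface banners and column headers
        ip, mac, _ = m.groups()
        if mac.lower() == BROADCAST_MAC or not _is_candidate(ip):
            continue
        neighbours[ip] = mac.lower()
    return neighbours


def parse_hosts(text):
    """Map IP -> [names] from a hosts file; comments, blank lines and loopback entries are ignored."""
    names = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or not _is_candidate(parts[0]):
            continue
        names.setdefault(parts[0], []).extend(parts[1:])
    return names


def _sort_key(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return (ip.version, ip)  # keeps IPv4 and IPv6 keys comparable


def discover(arp_text, hosts_text):
    """Merge both sources into one target list, recording which artifact produced each host."""
    arp, hosts = parse_arp(arp_text), parse_hosts(hosts_text)
    targets = []
    for ip in sorted(set(arp) | set(hosts), key=_sort_key):
        evidence = [src for src, table in (("arp", arp), ("hosts", hosts)) if ip in table]
        targets.append({"ip": ip, "names": hosts.get(ip, []), "mac": arp.get(ip), "evidence": evidence})
    return targets


if __name__ == "__main__":
    for t in discover(ARP_SAMPLE, HOSTS_SAMPLE):
        print(t)
```

The point of the merge is that a host seen in both artifacts (here 10.0.5.40, a file server with a static hosts entry and a live ARP entry) is both named and known to be on the local segment, which is exactly the kind of target an adversary prioritises for Lateral Movement; on a real host the two inputs would come from running `arp -a` and reading the hosts file, neither of which touches the network.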
Platforms
Threat Groups (40)
| ID | Group | Context |
|---|---|---|
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) has used tools such as Nmap and MASSCAN for remote service discovery.(Citation: CISA GRU29155 2024... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) uses scripts to enumerate IP ranges on the victim network. [menuPass](https://attack.mitre.org/group... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Angry IP Scanner to detect remote systems.(Citation: CISA AA20-259A Iran-Based Actor Sept... |
| G1030 | Agrius | [Agrius](https://attack.mitre.org/groups/G1030) used the tool [NBTscan](https://attack.mitre.org/software/S0590) to scan for remote, accessible hosts ... |
| G0019 | Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used a netbios scanner for remote machine identification.(Citation: Bitdefender Naikon April 2021) |
| G0009 | Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) has used ping to identify other machines of interest.(Citation: Alperovitch 2014) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command <code>powershell “Get-EventLog -LogName security -Newest 500 \| where {$_.EventID... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has used MiPing to discover active systems in the victim network.(Citation: apt41_dcsocytec_dec2022) |
| G0053 | FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) has used the open source tool Essential NetTools to map the network and build a list of targets.(Citatio... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used multiple methods, including [Ping](https://attack.mitre.org/software/S0097), to enumera... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about computers l... |
| G1040 | Play | [Play](https://attack.mitre.org/groups/G1040) has used tools such as [AdFind](https://attack.mitre.org/software/S0552), [Nltest](https://attack.mitre.... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has queried Active Directory for computers using [AdFind](https://attack.mitre.org/software/S05... |
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) uses software such as Advanced IP Scanner and MASSCAN to identify remote hosts within victim networks.(... |
| G0004 | Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used network scanning and enumeration tools, including [Ping](https://attack.mitre.org/software/... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has used `net view` to enumerate domain machines.(Citation: Kaspersky Lyceum October 2021) |
| G1054 | MirrorFace | [MirrorFace](https://attack.mitre.org/groups/G1054) has used [Ping](https://attack.mitre.org/software/S0097) for system discovery.(Citation: JPCERT Mi... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used the <code>net view</code> command.(Citation: Nccgroup Emissary Panda May 2018) |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has used PDQ Inventory to get an inventory of the endpoints on the network.(Citation: Broadcom M... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used `ping %REMOTE_HOST%` for post exploit discovery.(Citation: Kaspersky ToddyCat Check Logs Oc... |
Associated Software (53)
| ID | Name | Type | Context |
|---|---|---|---|
| S0233 | MURKYTOP | Malware | [MURKYTOP](https://attack.mitre.org/software/S0233) has the capability to identify remote hosts on connected networks.(Citation: FireEye Periscope Mar... |
| S0586 | TAINTEDSCRIBE | Malware | The [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) command and execution module can perform target system enumeration.(Citation: CISA MAR-10... |
| S0684 | ROADTools | Tool | [ROADTools](https://attack.mitre.org/software/S0684) can enumerate Azure AD systems and devices.(Citation: Roadtools) |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) can use <code>net view</code> to discover remote systems.(Citation: Crowdstrike Indrik November 2... |
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can identify remote systems through the <code>net view</code> command.(Citation: Crowdstrike Qakbot ... |
| S0452 | USBferry | Malware | [USBferry](https://attack.mitre.org/software/S0452) can use <code>net view</code> to gather information about remote systems.(Citation: TrendMicro Tro... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can enumerate remote systems using <code>Net View</code>.(Citation: Cybereason Bazar July 2020) |
| S1081 | BADHATCH | Malware | [BADHATCH](https://attack.mitre.org/software/S1081) can use a PowerShell object such as, `System.Net.NetworkInformation.Ping` to ping a computer.(Cita... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can broadcast NetBIOS Name Service (NBNS) messages to search for servers connected to compromised... |
| S0039 | Net | Tool | Commands such as <code>net view</code> can be used in [Net](https://attack.mitre.org/software/S0039) to gather information about available remote syst... |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) can use LDAP queries to connect to AD and iterate over connected workstations.(Citation: Check ... |
| S9020 | LODEINFO | Malware | [LODEINFO](https://attack.mitre.org/software/S9020) can run `net view` and `net view /domain` for network discovery.(Citation: ESET MirrorFace DEC 202... |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) uses the <code>net view</code> command for discovery.(Citation: ASERT Donot March 2018) |
| S0385 | njRAT | Malware | [njRAT](https://attack.mitre.org/software/S0385) can identify remote hosts on connected networks.(Citation: Fidelis njRAT June 2013) |
| S0604 | Industroyer | Malware | [Industroyer](https://attack.mitre.org/software/S0604) can enumerate remote computers in the compromised network.(Citation: ESET Industroyer) |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can ping or traceroute a remote host.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| S1198 | Gomir | Malware | [Gomir](https://attack.mitre.org/software/S1198) probes arbitrary network endpoints for TCP connectivity.(Citation: Symantec Troll Stealer 2024) |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can discover active IP addresses, along with the machine name, within a targeted network.(Cita... |
| S0428 | PoetRAT | Malware | [PoetRAT](https://attack.mitre.org/software/S0428) used Nmap for remote system discovery.(Citation: Talos PoetRAT April 2020) |
| S1212 | RansomHub | Malware | [RansomHub](https://attack.mitre.org/software/S1212) can enumerate all accessible machines from the infected system.(Citation: Group-IB RansomHub FEB ... |
References
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- Stepanic, D. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
Frequently Asked Questions
What is T1018 (Remote System Discovery)?
T1018 is a MITRE ATT&CK technique named 'Remote System Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality...
How can T1018 be detected?
Detection of T1018 (Remote System Discovery) rests on process, command-line and network telemetry rather than on a single indicator. Monitor for processes that can be used to discover remote systems, such as ping.exe, tracert.exe, net.exe (`net view`), nmap, NBTscan and AdFind, especially when executed in quick succession from one host or account; for bursts of ICMP echo requests or NBNS broadcasts from a single host toward many addresses; and for LDAP queries that enumerate computer objects in Active Directory. Legitimate administration produces the same events, so baseline the hosts and accounts that normally run inventory and monitoring tooling and alert on deviations from that baseline rather than on every occurrence.
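The two detection ideas above (signature matching on discovery command lines, and a ping sweep that is only visible as a burst across many targets) as an added example, not ATT&CK's or any vendor's detection content. It runs over constructed Sysmon-EID-1 / 4688-style process-creation events; the regexes, the flag table used to pull the destination out of a ping command line, and the 8-targets-in-60-seconds threshold are this example's own assumptions.

```python
"""Detection logic for T1018 over process-creation telemetry.

Added example, not ATT&CK's or any vendor's detection content. Two checks run
over constructed Sysmon-EID-1 / 4688-style events: (1) command lines of known
remote-system discovery utilities named on this page, and (2) a ping sweep, i.e.
one host/user pinging many distinct targets inside a short window, which is how
ping-based discovery looks even though each individual command is benign.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery command signatures (regexes are this example's own, not from ATT&CK).
DISCOVERY_PATTERNS = [
    ("net view", re.compile(r"\bnet1?(?:\.exe)?\s+view\b", re.I)),
    ("nmap ping scan", re.compile(r"\bnmap(?:\.exe)?\b.*\s-s[nP]\b", re.I)),
    ("nbtscan", re.compile(r"\bnbtscan(?:\.exe)?\b", re.I)),
    ("arp cache dump", re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I)),
    ("AD computer enumeration",
     re.compile(r"Get-ADComputer\b|\badfind(?:\.exe)?\b.*objectcategory=computer", re.I)),
    ("esxcli ping", re.compile(r"\besxcli\s+network\s+diag\s+ping\b", re.I)),
]

# Windows ping.exe options that consume a value; Linux -c/-W/-I added (assumption).
VALUE_FLAGS = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-S", "-c", "-W", "-I"}
PING_RX = re.compile(r"(?:^|[\\/\s])ping(?:\.exe)?\s+(.*)$", re.I)


def extract_ping_target(cmdline):
    """Return the destination of a ping command line, or None if it is not a ping."""
    m = PING_RX.search(cmdline)
    if not m:
        return None
    skip_value = False
    for tok in m.group(1).split():
        if skip_value:
            skip_value = False
            continue
        if tok.startswith("-") or tok.startswith("/"):
            skip_value = tok in VALUE_FLAGS  # case-sensitive on purpose: -S (src addr) vs -s (count)
            continue
        return tok.lower()
    return None


def tag_discovery_commands(events):
    """Flag events whose command line matches a discovery utility signature."""
    hits = []
    for e in events:
        for rule, rx in DISCOVERY_PATTERNS:
            if rx.search(e["cmdline"]):
                hits.append({"rule": rule, "ts": e["ts"], "host": e["host"],
                             "user": e["user"], "cmdline": e["cmdline"]})
                break
    return hits


def detect_ping_sweeps(events, window=timedelta(seconds=60), threshold=8):
    """Alert when one host/user pings >= threshold distinct targets within any window-length span."""
    by_actor = defaultdict(list)
    for e in events:
        target = extract_ping_target(e["cmdline"])
        if target:
            by_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), target))
    alerts = []
    for (host, user), pings in by_actor.items():
        pings.sort()
        best = 0
        for i, (end, _) in enumerate(pings):  # sliding window ending at each ping
            in_window = {t for start, t in pings[: i + 1] if end - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            alerts.append({"rule": "ping sweep", "host": host, "user": user,
                           "distinct_targets": best, "window_seconds": int(window.total_seconds())})
    return alerts


def _ev(sec, host, user, cmdline):
    return {"ts": f"2024-03-01T10:00:{sec:02d}", "host": host, "user": user, "cmdline": cmdline}


# Constructed events: a 12-host sweep plus net view and nmap from WS-042, one benign ping elsewhere.
EVENTS = (
    [_ev(i, "WS-042", "CORP\\jdoe", f"ping -n 1 10.0.5.{i + 1}") for i in range(12)]
    + [_ev(20, "WS-042", "CORP\\jdoe", "net view /domain"),
       _ev(25, "WS-042", "CORP\\jdoe", "nmap.exe -sn 10.0.5.0/24"),
       _ev(30, "SRV-07", "CORP\\svc_mon", "ping -n 4 sql-prod.corp.example"),
       _ev(40, "WS-042", "CORP\\jdoe", "notepad.exe C:\\Users\\jdoe\\notes.txt")]
)

if __name__ == "__main__":
    for alert in tag_discovery_commands(EVENTS) + detect_ping_sweeps(EVENTS):
        print(alert)
```

The sweep check is the one worth keeping in a real ruleset: the signature list will always lag the tooling adversaries bring, whereas the shape of the activity (many distinct destinations from one actor in a short interval, here 12 in 12 seconds from WS-042 against a single ping from SRV-07) does not change when the tool does. The threshold and window should be tuned against the monitoring hosts that legitimately do this.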
What mitigations exist for T1018?
Remote system discovery abuses built-in system features and ordinary network traffic (ICMP, NetBIOS, SMB, LDAP), so it cannot be easily mitigated with preventive controls. Defense in depth still limits what the discovery yields: network segmentation and host firewalls that block ICMP and SMB (TCP 139/445) between workstations shrink what `ping` and `net view` can reach, and the same segmentation constrains the Lateral Movement the discovery is meant to enable. Because the activity itself is hard to prevent, monitoring for it is the main control, and regular patching and least-privilege accounts reduce what an adversary can do with the hosts they find.
Which threat groups use T1018?
Known threat groups using T1018 include: Ember Bear, menuPass, Fox Kitten, Agrius, Naikon, Deep Panda, Earth Lusca, APT41.