Detection Strategy for Remote System Enumeration Behavior

Technique Detected: Remote System Discovery | T1018

ID: DET0574
Domains: Enterprise
Analytics: AN1583, AN1584, AN1585, AN1586, AN1587
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1583

Execution of network enumeration utilities (e.g., net.exe, ping.exe, tracert.exe) in short succession, often chained with lateral movement tools or system enumeration commands.

Log Sources

  Data Component                        Name                Channel
  Process Creation (DC0032)             WinEventLog:Sysmon  EventCode=1
  Network Connection Creation (DC0082)  WinEventLog:Sysmon  EventCode=3

Mutable Elements

  Field               Description
  TimeWindow          Define bursty execution patterns of enumeration commands (e.g., <30s)
  CommandLinePattern  Tunable per org's scripting/IT tools (e.g., exclude SCCM, PsExec)
  ParentProcess       Flag suspicious process ancestry (e.g., Word.exe spawning net.exe)
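Worked example of the AN1583 logic, added here and not part of this detection strategy or MITRE's tooling: it runs over constructed Sysmon EventCode=1 records and applies the three mutable elements (TimeWindow as a sliding window of distinct enumeration tools per host and user, ParentProcess as a suspicious-ancestry check, CommandLinePattern as an exclusion list). The Office parent names and the SCCM/PsExec exclusion strings are assumed tuning values, not from the page.

```python
# Added example for AN1583 (not MITRE's code): burst detection over Sysmon EventCode=1.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ENUM_TOOLS = {"net.exe", "ping.exe", "tracert.exe"}               # utilities named in AN1583
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # ParentProcess (assumed list)
EXCLUSIONS = ("ccmexec", "psexec")  # CommandLinePattern: assumed per-org IT tooling (SCCM, PsExec)

def _name(path):
    return PureWindowsPath(path).name.lower()

def detect_enumeration_bursts(events, window=timedelta(seconds=30), min_distinct=2):
    """Alert when one (Computer, User) runs >= min_distinct distinct enumeration tools
    inside `window` (TimeWindow), or runs any of them under a suspicious parent."""
    alerts, recent = [], defaultdict(deque)       # key -> deque of (time, tool)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tool, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        if tool not in ENUM_TOOLS:
            continue
        haystack = (ev.get("CommandLine", "") + " " + parent).lower()
        if any(x in haystack for x in EXCLUSIONS):
            continue                              # known IT tooling, tuned out
        t = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        key = (ev["Computer"], ev["User"])
        if parent in SUSPICIOUS_PARENTS:
            alerts.append({"rule": "suspicious_parent", "host": key[0], "user": key[1],
                           "parent": parent, "tool": tool})
        q = recent[key]
        q.append((t, tool))
        while t - q[0][0] > window:               # drop events outside the window
            q.popleft()
        tools = {name for _, name in q}
        if len(tools) >= min_distinct:
            alerts.append({"rule": "enumeration_burst", "host": key[0], "user": key[1],
                           "tools": sorted(tools), "span_s": (t - q[0][0]).total_seconds()})
            q.clear()                             # one alert per burst
    return alerts

SAMPLE_EVENTS = [  # constructed Sysmon EventCode=1 records, not real telemetry
    {"UtcTime": "2025-10-21 09:00:01.000", "Computer": "WS01", "User": "CORP\\alice", "CommandLine": "net view",
     "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-10-21 09:00:08.000", "Computer": "WS01", "User": "CORP\\alice", "CommandLine": "ping -n 1 10.0.0.5",
     "Image": "C:\\Windows\\System32\\PING.EXE", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-10-21 09:30:00.000", "Computer": "WS02", "User": "CORP\\bob", "CommandLine": "net view",
     "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-10-21 10:00:00.000", "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "ping -n 1 mp01",
     "Image": "C:\\Windows\\System32\\ping.exe", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},
]
```

Running `detect_enumeration_bursts(SAMPLE_EVENTS)` yields one burst alert for alice (net.exe and ping.exe 7 s apart) and one suspicious-parent alert for bob; the SCCM-client ping is tuned out by the exclusion list.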

AN1584

Use of bash scripts or interactive shells to issue sequential ping, arp, or traceroute commands to map remote hosts.

Log Sources

  Data Component                        Name           Channel
  Process Creation (DC0032)             auditd:EXECVE  execve
  Network Connection Creation (DC0082)  linux:syslog   network

Mutable Elements

  Field          Description
  TargetIPRange  Tune for sensitive internal segments or known lateral targets
  ShellContext   Distinguish user-interactive enumeration vs. cronjob or baseline tooling

AN1585

Execution of built-in or AppleScript-based system enumeration via arp, netstat, ping, and discovery of /etc/hosts contents.

Log Sources

  Data Component             Name               Channel
  Process Creation (DC0032)  macos:unifiedlog   process
  File Access (DC0055)       macos:osquery      file_events

Mutable Elements

  Field             Description
  ExecutionUser     Limit detection to suspicious users or automation contexts
  CommandSignature  Adapt for expected enumeration tooling used in IT

AN1586

ESXi shell or SSH access issuing esxcli network diag ping or viewing routing tables to identify connected hosts.

Log Sources

  Data Component             Name        Channel
  Command Execution (DC0064) esxi:hostd  None

Mutable Elements

  Field             Description
  ESXCommandPattern Match specific diag/debug commands abused for recon
  RemoteUserShell   Detect unauthorized shell use or user context (e.g., root over SSH)

AN1587

Execution of discovery commands like show cdp neighbors, show arp, and other interface-level introspection on Cisco or Juniper devices.

Log Sources

  Data Component              Name                  Channel
  Command Execution (DC0064)  networkdevice:syslog  syslog facility LOCAL7 or trap messages

Mutable Elements

  Field        Description
  CommandList  Device-specific recon commands to monitor based on make/model
  PrivLevel    Trigger detection for privilege escalation prior to recon commands