Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).[1][2]
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
ID | Name | Description |
---|---|---|
S1028 | Action RAT | Action RAT has the ability to collect the MAC address of an infected host.[3] |
S0552 | AdFind | AdFind can extract subnet information from Active Directory.[4][5][6] |
G0018 | admin@338 | admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: |
S0331 | Agent Tesla | Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[8][9] |
S0092 | Agent.btz | Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[10] |
S1025 | Amadey | |
S0504 | Anchor | Anchor can determine the public IP and location of a compromised host.[12] |
S0622 | AppleSeed | |
G0006 | APT1 | APT1 used the |
G0073 | APT19 | APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[15] |
G0022 | APT3 | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[16][17] |
G0050 | APT32 | APT32 used the |
G0096 | APT41 | |
S0456 | Aria-body | Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[21] |
S0099 | Arp | Arp can be used to display ARP configuration information on the host.[22] |
S0373 | Astaroth | Astaroth collects the external IP address from the system.[23] |
S0640 | Avaddon | Avaddon can collect the external IP address of the victim.[24] |
S0473 | Avenger | Avenger can identify the domain of the compromised host.[25] |
S0344 | Azorult | Azorult can collect host IP information from the victim’s machine.[26] |
S0414 | BabyShark | |
S0093 | Backdoor.Oldrea | Backdoor.Oldrea collects information about the Internet adapter configuration.[28][29] |
S0245 | BADCALL | |
S0642 | BADFLICK | |
S0234 | Bandook | Bandook has a command to get the public IP address from a system.[32] |
S0534 | Bazar | Bazar can collect the IP address and NetBIOS name of an infected machine.[33] |
S0268 | Bisonal | Bisonal can execute |
S0089 | BlackEnergy | BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.[37][38] |
S0520 | BLINDINGCAN | BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[39] |
S0657 | BLUELIGHT | BLUELIGHT can collect IP information from the victim’s machine.[40] |
S0486 | Bonadan | Bonadan can find the external IP address of the infected host.[41] |
S0651 | BoxCaon | BoxCaon can collect the victim's MAC address by using the |
S0252 | Brave Prince | Brave Prince gathers network configuration information as well as the ARP cache.[43] |
C0015 | C0015 | During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.[44] |
C0017 | C0017 | During C0017, APT41 used |
C0018 | C0018 | During C0018, the threat actors ran |
S0274 | Calisto | Calisto runs the |
S0335 | Carbon | Carbon can collect the IP address of the victims and other computers on the network using the commands: |
S0261 | Catchamas | Catchamas gathers the MAC address, IP address, and the network adapter information from the victim’s machine.[50] |
S0572 | Caterpillar WebShell | Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command.[51] |
S0674 | CharmPower | CharmPower has the ability to use |
G0114 | Chimera | Chimera has used ipconfig, Ping, and |
S0667 | Chrommme | Chrommme can enumerate the IP address of a compromised host.[54] |
S0660 | Clambling | Clambling can enumerate the IP address of a compromised machine.[55][56] |
S0154 | Cobalt Strike | Cobalt Strike can determine the NetBios name and the IP addresses of target machines including domain controllers.[57][58] |
S0244 | Comnie | Comnie uses |
S0575 | Conti | Conti can retrieve the ARP cache from the local system by using the |
S0488 | CrackMapExec | CrackMapExec can collect DNS information from the targeted system.[61] |
S1024 | CreepySnail | CreepySnail can use |
S0115 | Crimson | Crimson contains a command to collect the victim MAC address and LAN IP.[63][64] |
S0625 | Cuba | Cuba can retrieve the ARP cache from the local system by using |
S0687 | Cyclops Blink | Cyclops Blink can use the Linux API |
G0012 | Darkhotel | Darkhotel has collected the IP address and network adapter information from the victim’s machine.[68][69] |
S1052 | DEADEYE | DEADEYE can discover the DNS domain name of a targeted system.[45] |
S0354 | Denis | Denis uses |
S0659 | Diavol | Diavol can enumerate victims' local and external IPs when registering with C2.[70] |
S0472 | down_new | down_new has the ability to identify the MAC address of a compromised host.[25] |
G0035 | Dragonfly | Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[71] |
S0567 | Dtrack | Dtrack can collect the host's IP addresses using the |
S0038 | Duqu | The reconnaissance modules used with Duqu can collect information on network configuration.[74] |
S0024 | Dyre | Dyre has the ability to identify network settings on a compromised host.[75] |
G1006 | Earth Lusca | Earth Lusca used the command |
S0605 | EKANS | |
S0081 | Elise | Elise executes |
S0082 | Emissary | Emissary has the capability to execute the command |
S0363 | Empire | Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.[81][82] |
S0091 | Epic | Epic uses the |
S0569 | Explosive | Explosive has collected the MAC address from the victim's machine.[84] |
S0181 | FALLCHILL | FALLCHILL collects MAC address and local IP address information from the victim.[85] |
S0512 | FatDuke | FatDuke can identify the MAC address on the target computer.[86] |
S0171 | Felismus | Felismus collects the victim LAN IP address and sends it to the C2 server.[87] |
S0267 | FELIXROOT | FELIXROOT collects information about the network including the IP address and DHCP server.[88] |
G1016 | FIN13 | FIN13 has used |
S0696 | Flagpro | Flagpro has been used to execute the |
C0001 | Frankenstein | During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.[82] |
S1044 | FunnyDream | FunnyDream can parse the |
C0007 | FunnyDream | During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[92] |
G0093 | GALLIUM | GALLIUM used |
S0049 | GeminiDuke | GeminiDuke collects information on network settings and Internet proxy settings from the victim.[94] |
S0588 | GoldMax | GoldMax retrieved a list of the system's network interfaces after execution.[95] |
S0531 | Grandoreiro | Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[96] |
S0237 | GravityRAT | GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[97] |
S0690 | Green Lambert | Green Lambert can obtain proxy information from a victim's machine using system environment variables.[98][99] |
S0632 | GrimAgent | GrimAgent can enumerate the IP and domain of a target system.[100] |
G0125 | HAFNIUM | |
G1001 | HEXANE | HEXANE has used Ping and |
G0126 | Higaisa | Higaisa used |
S0431 | HotCroissant | HotCroissant has the ability to identify the IP address of the compromised machine.[105] |
S0203 | Hydraq | Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[106][107] |
S1022 | IceApple | The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.[108] |
S0101 | ifconfig | ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP. |
S0278 | iKitten | |
S0604 | Industroyer | Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[110] |
S0260 | InvisiMole | InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.[111][112] |
S0100 | ipconfig | ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP. |
S0015 | Ixeshe | Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.[113] |
S0044 | JHUHUGIT | A JHUHUGIT variant gathers network interface card information.[114] |
S0201 | JPIN | JPIN can obtain network information, including DNS, IP, and proxies.[115] |
S0283 | jRAT | |
S0265 | Kazuar | |
G0004 | Ke3chang | Ke3chang has performed local network configuration discovery using |
S0487 | Kessel | Kessel has collected the DNS address of the infected host.[41] |
S1020 | Kevin | Kevin can collect the MAC address and other information from a victim machine using |
S0387 | KeyBoy | KeyBoy can determine the public or WAN IP address for the system.[121] |
S0271 | KEYMARBLE | KEYMARBLE gathers the MAC address of the victim’s machine.[122] |
G0094 | Kimsuky | Kimsuky has used |
S0250 | Koadic | Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.[124][125] |
S0641 | Kobalos | Kobalos can record the IP address of the target machine.[126] |
S0356 | KONNI | KONNI can collect the IP address from the victim’s machine.[127] |
S1075 | KOPILUWAK | KOPILUWAK can use Arp to discover a target's network configuration settings.[128] |
S0236 | Kwampirs | Kwampirs collects network adapter and interface information by using the commands |
G0032 | Lazarus Group | Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[130][131] |
S0395 | LightNeuron | LightNeuron gathers information about network adapters using the Win32 API call |
S0513 | LiteDuke | LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[86] |
S0681 | Lizar | Lizar can retrieve network information from a compromised host.[133] |
S0447 | Lokibot | Lokibot has the ability to discover the domain name of the infected host.[134] |
S0451 | LoudMiner | LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.[135] |
S0532 | Lucifer | Lucifer can collect the IP address of a compromised host.[136] |
S0409 | Machete | Machete collects the MAC address of the target computer and other network configuration information.[137][138] |
S1016 | MacMa | MacMa can collect IP addresses from a compromised host.[139] |
S1060 | Mafalda | Mafalda can use the |
G0059 | Magic Hound | Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[141][142][143] |
G0045 | menuPass | menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[144] |
S1015 | Milan | Milan can run |
S0084 | Mis-Type | Mis-Type may create a file containing the results of the command |
S0149 | MoonWind | |
S0284 | More_eggs | More_eggs has the capability to gather the IP address from the victim's machine.[148] |
G1009 | Moses Staff | Moses Staff has collected the domain name of a compromised network.[149] |
S0256 | Mosquito | |
G0069 | MuddyWater | MuddyWater has used malware to collect the victim’s IP address and domain name.[151] |
G0129 | Mustang Panda | Mustang Panda has used |
S0205 | Naid | |
G0019 | Naikon | Naikon uses commands such as |
S0228 | NanHaiShu | NanHaiShu can gather information about the victim proxy server.[155] |
S0336 | NanoCore | NanoCore gathers the IP address from the victim’s machine.[156] |
S0590 | NBTscan | |
S0102 | nbtstat | nbtstat can be used to discover local NetBIOS domain names. |
S0691 | Neoichor | Neoichor can gather the IP address from an infected host.[120] |
S0198 | NETWIRE | NETWIRE can collect the IP address of a compromised host.[159][160] |
S1106 | NGLite | NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[161] |
S1100 | Ninja | Ninja can enumerate the IP address on compromised systems.[162] |
S0359 | Nltest | Nltest may be used to enumerate the parent domain of a local machine using |
S0353 | NOKKI | |
S0346 | OceanSalt | |
S0340 | Octopus | Octopus can collect the host IP address from the victim’s machine.[166] |
G0049 | OilRig | |
S0439 | Okrum | Okrum can collect network information, including the host IP address, DNS, and proxy information.[169] |
S0365 | Olympic Destroyer | Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[170] |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used |
C0014 | Operation Wocao | During Operation Wocao, threat actors discovered the local network configuration with |
S0229 | Orz | |
S0165 | OSInfo | |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[173][174] |
S0556 | Pay2Key | Pay2Key can identify the IP and MAC addresses of the compromised host.[175] |
S1050 | PcShare | PcShare can obtain the proxy settings of a compromised machine using |
S0587 | Penquin | Penquin can report the IP of the compromised host to attacker controlled infrastructure.[176] |
S1031 | PingPull | PingPull can retrieve the IP address of a compromised host.[177] |
S0501 | PipeMon | PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[178] |
S0124 | Pisloader | Pisloader has a command to collect the victim's IP address.[179] |
S0254 | PLAINTEE | PLAINTEE uses the |
S0378 | PoshC2 | |
S0139 | PowerDuke | PowerDuke has a command to get the victim's domain and NetBIOS name.[182] |
S0441 | PowerShower | PowerShower has the ability to identify the current Windows domain of the infected host.[183] |
S0223 | POWERSTATS | POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.[184][185] |
S0184 | POWRUNER | POWRUNER may collect network configuration data by running |
S0113 | Prikormka | A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[187] |
S0238 | Proxysvc | Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[188] |
S0192 | Pupy | Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.[189] |
S0583 | Pysa | Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[190] |
S0650 | QakBot | QakBot can use |
S0269 | QUADAGENT | QUADAGENT gathers the current domain the victim system belongs to.[196] |
S0262 | QuasarRAT | QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string |
S1076 | QUIETCANARY | QUIETCANARY can identify the default proxy setting on a compromised host.[128] |
S0458 | Ramsay | Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[198] |
S0241 | RATANKBA | RATANKBA gathers the victim’s IP address via the |
S0172 | Reaver | |
S0153 | RedLeaves | RedLeaves can obtain information about network parameters.[144] |
S0125 | Remsec | Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[202] |
S0379 | Revenge RAT | Revenge RAT collects the IP address and MAC address from the system.[203] |
S0433 | Rifdoor | Rifdoor has the ability to identify the IP address of the compromised host.[204] |
S0448 | Rising Sun | Rising Sun can detect network adapter and IP address information.[205] |
S0270 | RogueRobin | RogueRobin gathers the IP address and domain from the victim’s machine.[206] |
S0103 | route | route can be used to discover routing configuration information. |
S1073 | Royal | |
S0446 | Ryuk | Ryuk has called |
S0085 | S-Type | |
S1018 | Saint Bot | Saint Bot can collect the IP address of a victim machine.[210] |
S1085 | Sardonic | Sardonic has the ability to execute the |
S0461 | SDBbot | SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[212] |
S0596 | ShadowPad | ShadowPad has collected the domain name of the victim system.[213] |
S0140 | Shamoon | Shamoon obtains the target's IP address and local network segment.[214][215] |
S0450 | SHARPSTATS | SHARPSTATS has the ability to identify the domain of the compromised host.[185] |
S0445 | ShimRatReporter | ShimRatReporter gathered the local proxy, domain, IP, routing tables, MAC address, gateway, DNS servers, and DHCP status information from an infected host.[216] |
S0589 | Sibot | Sibot checked if the compromised system is configured to use proxies.[95] |
G1008 | SideCopy | SideCopy has identified the IP address of a compromised host.[3] |
S0610 | SideTwist | SideTwist has the ability to collect the domain name on a compromised host.[217] |
G0121 | Sidewinder | Sidewinder has used malware to collect information on network interfaces, including the MAC address.[218] |
S0633 | Sliver | Sliver has the ability to gather network configuration information.[219] |
S1035 | Small Sieve | Small Sieve can obtain the IP address of a victim host.[220] |
S1124 | SocGholish | SocGholish has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.[221][222][223] |
S0516 | SoreFang | SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via |
S0374 | SpeakUp | |
S0646 | SpicyOmelette | SpicyOmelette can identify the IP of a compromised system.[226] |
S1030 | Squirrelwaffle | Squirrelwaffle has collected the victim’s external IP address.[227] |
S1037 | STARWHALE | STARWHALE has the ability to collect the IP address of an infected host.[228] |
G0038 | Stealth Falcon | Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.[229] |
S0491 | StrongPity | StrongPity can identify the IP address of a compromised host.[230] |
S0603 | Stuxnet | Stuxnet collects the IP address of a compromised system.[231] |
S0559 | SUNBURST | SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[232] |
S0018 | Sykipot | Sykipot may use |
S0060 | Sys10 | Sys10 collects the local IP address of the victim and sends it to the C2.[154] |
S0663 | SysUpdate | SysUpdate can collect the IP address and domain name of a compromised host.[234] |
S0098 | T9000 | T9000 gathers and beacons the MAC and IP addresses during installation.[235] |
S0011 | Taidoor | Taidoor has collected the MAC address of a compromised host; it can also use |
S0467 | TajMahal | TajMahal has the ability to identify the MAC address on an infected host.[238] |
G0139 | TeamTNT | |
G0027 | Threat Group-3390 | Threat Group-3390 actors use NBTscan to discover vulnerable systems.[240] |
S0678 | Torisma | Torisma can collect the local MAC address using |
S0266 | TrickBot | TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[242][243][57] |
S0094 | Trojan.Karagany | Trojan.Karagany can gather information on the network configuration of a compromised host.[244] |
G0081 | Tropic Trooper | Tropic Trooper has used scripts to collect the host's network topology.[245] |
S0436 | TSCookie | TSCookie has the ability to identify the IP of the infected host.[246] |
S0647 | Turian | Turian can retrieve the internal IP address of a compromised host.[247] |
G0010 | Turla | Turla surveys a system upon check-in to discover network configuration details using the |
S0130 | Unknown Logger | Unknown Logger can obtain information about the victim's IP address.[251] |
S0275 | UPPERCUT | UPPERCUT has the capability to gather the victim's proxy information.[252] |
S0452 | USBferry | USBferry can detect the infected machine's network topology using |
S0476 | Valak | Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[253] |
S0257 | VERMIN | |
S0180 | Volgmer | Volgmer can gather the IP address from the victim's machine.[255] |
G1017 | Volt Typhoon | Volt Typhoon has executed multiple commands to enumerate network topology and settings including |
S0366 | WannaCry | WannaCry will attempt to determine the local network segment it is a part of.[257] |
S0515 | WellMail | WellMail can identify the IP address of the victim system.[258] |
S0514 | WellMess | WellMess can identify the IP address and user domain on the target machine.[259][260] |
G0102 | Wizard Spider | Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet |
S1065 | Woody RAT | Woody RAT can retrieve network interface and proxy information.[263] |
S0341 | Xbash | Xbash can collect IP addresses and local intranet information from a victim’s machine.[264] |
S0653 | xCaon | xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[42] |
S0248 | yty | |
S0251 | Zebrocy | |
S0230 | ZeroT | ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[267] |
G0128 | ZIRCONIUM | ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[268] |
S0350 | zwShell | |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
DS0009 | Process | OS API Execution | Monitor for API calls (such as |
DS0009 | Process | Process Creation | Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. Analytic 1 - Suspicious Process |
DS0012 | Script | Script Execution | Any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
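The Process Creation row above describes an analytic that flags the creation of ipconfig, route, nbtstat and similar processes and warns that it needs tuning where administrators use those tools routinely. The following is an added example of that analytic, written here for illustration; it is not code from the ATT&CK page. It reads constructed process-creation records (a pipe-delimited stand-in for Sysmon Event ID 1 or EDR telemetry, not real data), raises a per-event alert for any discovery utility, applies two tuning allow-lists (a hypothetical monitoring service account and a hypothetical management agent as parent process), and adds a burst heuristic that goes beyond the page's single-process analytic: three or more distinct discovery tools from one host within sixty seconds, which is the automated-discovery pattern the technique description mentions. The tool list, allow-list values and thresholds are assumptions to adjust per environment.

```python
"""Added example: process-creation analytic for System Network Configuration
Discovery (ipconfig/ifconfig, arp, route, nbtstat, nltest, netsh), with
allow-list tuning and a burst heuristic. Sample records are constructed."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the page's analytic watches for, as lowercase image basenames
# (assumed list; extend for your platform mix).
DISCOVERY_TOOLS = {
    "ipconfig.exe", "ifconfig", "arp.exe", "arp", "route.exe", "route",
    "nbtstat.exe", "nltest.exe", "netsh.exe",
}
# Tuning knobs (hypothetical values): automation allowed to run these tools
# without a per-event alert.
ALLOWED_USERS = {r"corp\svc_netmon"}
ALLOWED_PARENTS = {r"c:\program files\netmon\agent.exe"}
BURST_WINDOW = timedelta(seconds=60)
BURST_MIN_TOOLS = 3  # distinct discovery tools from one host in the window

# Constructed sample records: timestamp|host|user|parent_image|image|command_line
SAMPLE_LOG = [
    r"2024-05-01T09:00:00Z|WS01|corp\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"2024-05-01T09:00:05Z|WS01|corp\svc_netmon|C:\Program Files\NetMon\agent.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2024-05-01T09:01:00Z|WS02|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all",
    r"2024-05-01T09:01:03Z|WS02|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\ARP.EXE|arp -a",
    r"2024-05-01T09:01:07Z|WS02|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\route.exe|route print",
    r"2024-05-01T09:01:10Z|WS02|corp\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\nbtstat.exe|nbtstat -n",
    r"2024-05-01T09:30:00Z|WS03|corp\admin1|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig",
]


def parse_line(line):
    """Parse one record into a dict; the image basename is normalised so
    Windows and Unix paths compare the same way."""
    ts, host, user, parent, image, cmdline = line.rstrip("\n").split("|", 5)
    image_l = image.lower()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user.lower(),
        "parent": parent.lower(),
        "image": image_l,
        "tool": os.path.basename(image_l.replace("\\", "/")),
        "cmdline": cmdline,
    }


def is_discovery(ev):
    return ev["tool"] in DISCOVERY_TOOLS


def is_tuned_out(ev):
    """Suppress known-good automation; everything else is reported."""
    return ev["user"] in ALLOWED_USERS or ev["parent"] in ALLOWED_PARENTS


def detect(lines):
    """Return a list of (alert_type, host, detail) tuples."""
    alerts = []
    per_host = defaultdict(list)  # host -> [(ts, tool)] for reported hits
    for line in lines:
        ev = parse_line(line)
        if not is_discovery(ev) or is_tuned_out(ev):
            continue
        alerts.append(("discovery_tool", ev["host"],
                       f"{ev['user']} ran '{ev['cmdline']}' (parent {ev['parent']})"))
        per_host[ev["host"]].append((ev["ts"], ev["tool"]))
    # Burst heuristic: several different discovery tools from one host
    # inside a short window is closer to scripted discovery than to an admin
    # checking one setting.
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            tools = {t for ts, t in hits[i:] if ts - start <= BURST_WINDOW}
            if len(tools) >= BURST_MIN_TOOLS:
                alerts.append(("discovery_burst", host, ", ".join(sorted(tools))))
                break
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG):
        print(f"{kind:16} {host:6} {detail}")
```

On the sample records the second line is suppressed by the allow-lists, the four commands on WS02 each raise a per-event alert and together trigger one burst alert, and the single ipconfig on WS03 raises a per-event alert only. The per-event alerts are the noisy part the page warns about; in practice the allow-lists (or a parent-process baseline) are what make them usable, while the burst alert stays informative even in environments where ad hoc ipconfig use is common.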