Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or
net view using Net.
Adversaries may also analyze data from local host files (ex:
/etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g.
show cdp neighbors,
During C0015, the threat actors used the commands
Comnie runs the
Earth Lusca used the command
FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.
HermeticWizard can find machines on the local network by gathering known local IP addresses through
menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command
Turla surveys a system upon check-in to discover remote systems on a local network using the
Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind and
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
Monitor for files (such as
|DS0029||Network Traffic||Network Connection Creation||
Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Monitor for newly executed processes that can be used to discover remote systems, such as