EXPLORE

← Back to Explore

T1016

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/softwar...

ESXiLinuxmacOSNetwork DevicesWindows

35

Detections

3

Sources

42

Threat Actors

BY SOURCE

18elastic9sigma8splunk_escu

PROCEDURES (21)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

Dns3 detections

Auto-extracted: 3 detections for dns

General Monitoring3 detections

Auto-extracted: 3 detections for general monitoring

Api3 detections

Auto-extracted: 3 detections for api

Unusual3 detections

Auto-extracted: 3 detections for unusual

Child Process2 detections

Auto-extracted: 2 detections for child process

Remote2 detections

Auto-extracted: 2 detections for remote

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Powershell1 detections

Auto-extracted: 1 detections for powershell

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Powershell1 detections

Auto-extracted: 1 detections for powershell

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

C21 detections

Auto-extracted: 1 detections for c2

C21 detections

Auto-extracted: 1 detections for c2

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Lateral1 detections

Auto-extracted: 1 detections for lateral

Service1 detections

Auto-extracted: 1 detections for service

DETECTIONS (35)

Active Directory Discovery using AdExplorer

AdFind Command Activity

Cisco Discovery

Cisco NVM - Suspicious Network Connection to IP Lookup Service API

Discovery Command Output Written to Suspicious File

DNS Enumeration Detected via Defend for Containers

DNS Request for IP Lookup Service via Unsigned Binary

Enumeration Command Spawned via WMIPrvSE

External IP Address Discovery via Curl

Firewall Configuration Discovery Via Netsh.EXE

Linux Auditd System Network Configuration Discovery

Linux System Network Discovery

Nltest.EXE Execution

OpenCanary - SNMP OID Request

Potential Meterpreter Reverse Shell

Potential Recon Activity Via Nltest.EXE

Potential System Network Configuration Discovery Activity

PowerShell Suspicious Discovery Related Windows API Functions

Suspicious JetBrains TeamCity Child Process

Suspicious MS Office Child Process

Suspicious Network Command

Suspicious Network Connection to IP Lookup Service APIs

Suspicious PDF Reader Child Process

Suspicious System Commands Executed by Previously Unknown Executable

System and Network Configuration Check

System Network Discovery - Linux

sigmainformational

System Network Discovery - macOS

sigmainformational

System Public IP Discovery via DNS Query

Unusual Instance Metadata Service (IMDS) API Request

Unusual Linux Network Configuration Discovery

Windows Common Abused Cmd Shell Risk Behavior

Windows Post Exploitation Risk Behavior

Windows PowerShell Invoke-RestMethod IP Information Collection

Windows System Network Config Discovery Display DNS

Wireless Credential Dumping using Netsh Command