EXPLORE

← Back to Explore

T1016

System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/softwar...

ESXiLinuxmacOSNetwork DevicesWindows

39

Detections

3

Sources

43

Threat Actors

BY SOURCE

19elastic10sigma10splunk_escu

PROCEDURES (23)

Process Creation Monitoring4 detections

Auto-extracted: 4 detections for process creation monitoring

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Dns2 detections

Auto-extracted: 2 detections for dns

Remote2 detections

Auto-extracted: 2 detections for remote

Child Process2 detections

Auto-extracted: 2 detections for child process

Child Process2 detections

Auto-extracted: 2 detections for child process

Service1 detections

Auto-extracted: 1 detections for service

Service1 detections

Auto-extracted: 1 detections for service

Powershell1 detections

Auto-extracted: 1 detections for powershell

Lateral1 detections

Auto-extracted: 1 detections for lateral

Credential1 detections

Auto-extracted: 1 detections for credential

Remote1 detections

Auto-extracted: 1 detections for remote

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Service1 detections

Auto-extracted: 1 detections for service

Api1 detections

Auto-extracted: 1 detections for api

Unusual1 detections

Auto-extracted: 1 detections for unusual

Lateral1 detections

Auto-extracted: 1 detections for lateral

Privilege1 detections

Auto-extracted: 1 detections for privilege

Credential1 detections

Auto-extracted: 1 detections for credential

Privilege1 detections

Auto-extracted: 1 detections for privilege

C21 detections

Auto-extracted: 1 detections for c2

C21 detections

Auto-extracted: 1 detections for c2

DETECTIONS (39)

Active Directory Discovery using AdExplorer

AdFind Command Activity

Cisco Discovery

Cisco NVM - Suspicious Network Connection to IP Lookup Service API

Discovery Command Output Written to Suspicious File

DNS Enumeration Detected via Defend for Containers

DNS Request for IP Lookup Service via Unsigned Binary

Enumeration Command Spawned via WMIPrvSE

External IP Address Discovery via Curl

Firewall Configuration Discovery Via Netsh.EXE

Linux Auditd System Network Configuration Discovery

Linux System Network Discovery

Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet

MacOS List Firewall Rules

Nltest.EXE Execution

OpenCanary - SNMP OID Request

Potential Meterpreter Reverse Shell

Potential Recon Activity Via Nltest.EXE

Potential System Network Configuration Discovery Activity

PowerShell Suspicious Discovery Related Windows API Functions

Suspicious Instance Metadata Service (IMDS) API Command Line Execution

Suspicious Instance Metadata Service (IMDS) API Request

Suspicious JetBrains TeamCity Child Process

Suspicious MS Office Child Process

Suspicious Network Command

Suspicious Network Connection to IP Lookup Service APIs

Suspicious PDF Reader Child Process

Suspicious System Commands Executed by Previously Unknown Executable

System and Network Configuration Check

System Network Discovery - Linux

sigmainformational

System Network Discovery - macOS

sigmainformational

System Public IP Discovery via DNS Query

Unusual Linux Network Configuration Discovery

Windows Common Abused Cmd Shell Risk Behavior

Windows Post Exploitation Risk Behavior

Windows PowerShell Invoke-RestMethod IP Information Collection

Windows System Network Config Discovery Display DNS

Windows WinPEAS PowerShell Script Execution

Wireless Credential Dumping using Netsh Command