T1018

Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), `net view` using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag p...

Platforms: ESXi, Linux, macOS, Network Devices, Windows

- 46 Detections
- 3 Sources
- 39 Threat Actors

BY SOURCE

- splunk_escu: 20
- sigma: 15
- elastic: 11

PROCEDURES (23)

Auto-extracted procedure groupings, with the number of detections in each:

- Process Creation Monitoring (6 detections)
- Script Block (4 detections)
- Service (3 detections)
- Network Connection Monitoring (3 detections)
- General Monitoring (3 detections)
- Script Execution Monitoring (3 detections)
- Wmi (3 detections)
- Remote (3 detections)
- Kerbero (3 detections)
- Remote (2 detections)
- Lateral (1 detection)
- Credential (1 detection)
- Privilege (1 detection)
- Credential (1 detection)
- Exfiltrat (1 detection)
- Lateral (1 detection)
- Dns (1 detection)
- Privilege (1 detection)
- Lateral (1 detection)
- Wmi (1 detection)
- Remote (1 detection)
- Wmi (1 detection)
- Dns (1 detection)

DETECTIONS (46)

| Detection | Source | Level |
|---|---|---|
| Active Directory Computers Enumeration With Get-AdComputer | sigma | low |
| Active Directory Discovery using AdExplorer | elastic | low |
| AdFind Command Activity | elastic | low |
| Chopper Webshell Process Pattern | sigma | high |
| Cisco Discovery | sigma | low |
| Cisco Secure Firewall - Blocked Connection | splunk_escu | |
| Cisco Secure Firewall - Repeated Blocked Connections | splunk_escu | |
| DirectorySearcher Powershell Exploitation | sigma | medium |
| DNS Enumeration Detected via Defend for Containers | elastic | low |
| Domain Controller Discovery with Nltest | splunk_escu | |
| Domain Controller Discovery with Wmic | splunk_escu | |
| Enumerating Domain Trusts via DSQUERY.EXE | elastic | low |
| Enumerating Domain Trusts via NLTEST.EXE | elastic | low |
| Enumeration Command Spawned via WMIPrvSE | elastic | low |
| GetAdComputer with PowerShell | splunk_escu | |
| GetAdComputer with PowerShell Script Block | splunk_escu | |
| GetDomainComputer with PowerShell | splunk_escu | |
| GetDomainComputer with PowerShell Script Block | splunk_escu | |
| GetDomainController with PowerShell | splunk_escu | |
| GetDomainController with PowerShell Script Block | splunk_escu | |
| GetWmiObject Ds Computer with PowerShell | splunk_escu | |
| GetWmiObject Ds Computer with PowerShell Script Block | splunk_escu | |
| Linux Remote System Discovery | sigma | low |
| Macos Remote System Discovery | sigma | informational |
| Nltest.EXE Execution | sigma | low |
| Potential Enumeration via Active Directory Web Service | elastic | medium |
| Potential Network Scan Executed From Host | elastic | medium |
| Potential Network Sweep Detected | elastic | low |
| Potential Subnet Scanning Activity from Compromised Host | elastic | medium |
| Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock | sigma | medium |
| PUA - AdFind Suspicious Execution | sigma | high |
| PUA - Adidnsdump Execution | sigma | low |
| Remote System Discovery with Adsisearcher | splunk_escu | |
| Remote System Discovery with Dsquery | splunk_escu | |
| Remote System Discovery with Wmic | splunk_escu | |
| Renamed AdFind Execution | sigma | high |
| Share And Session Enumeration Using Net.EXE | sigma | low |
| Spike in Firewall Denies | elastic | low |
| Suspicious Scan Loop Network | sigma | medium |
| Webshell Detection With Command Line Keywords | sigma | high |
| Webshell Hacking Activity Patterns | sigma | high |
| Windows AdFind Exe | splunk_escu | |
| Windows Get-AdComputer Unconstrained Delegation Discovery | splunk_escu | |
| Windows PowerView Constrained Delegation Discovery | splunk_escu | |
| Windows PowerView Unconstrained Delegation Discovery | splunk_escu | |
| Windows PsTools Recon Usage | splunk_escu | |