Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or <code>net view</code> using Net. Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_armor | Cloud Armor | technique_scores | T1018 | Remote System Discovery |
Comments
This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery. Activity originating from inside the trusted network is not mitigated.
References
|
| chronicle | Chronicle | technique_scores | T1018 | Remote System Discovery |
Comments
Chronicle attempts to identify remote
systems via ping sweep. This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral
References
|
| firewalls | Firewalls | technique_scores | T1018 | Remote System Discovery |
Comments
Google Cloud Firewalls can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall.
References
|
| virtual_private_cloud | Virtual Private Cloud | technique_scores | T1018 | Remote System Discovery |
Comments
VPC security perimeters can segment private resources to deny traffic based on organizational policy.
References
|