Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or <code>net view</code> using Net.
Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local ARP cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
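As an added example (not from this mapping page or from either vendor's product), here is one way a defender might turn the discovery methods listed above into a simple burst detection over process-creation telemetry; the event field names, command patterns, sample events and thresholds are all constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed patterns for the discovery commands the technique description names.
# Event fields used below (ts, host, cmdline) are assumed, not any vendor's schema.
DISCOVERY_PATTERNS = {
    "net_view": re.compile(r"\bnet1?(?:\.exe)?\s+view\b", re.I),
    "arp_cache": re.compile(r"\barp(?:\.exe)?\s+-a\b|\bip\s+neigh", re.I),
    "ping": re.compile(r"\bping(?:\.exe)?\s+\S", re.I),
    "hosts_file": re.compile(r"drivers\\etc\\hosts|/etc/hosts", re.I),
    "device_cli": re.compile(r"\bshow\s+(?:cdp\s+neighbors|arp)\b", re.I),
}

def classify(cmdline):
    """Return the discovery category a command line matches, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None

def detect_bursts(events, window=timedelta(minutes=5), min_hits=4, min_kinds=2):
    """Alert once per host whose discovery commands inside any `window` reach
    `min_hits` and span `min_kinds` categories (one ping is noise; a sweep is not)."""
    per_host = defaultdict(list)
    for ev in events:
        kind = classify(ev["cmdline"])
        if kind:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), kind))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()  # chronological, so each slice below is a forward window
        for i, (start, _) in enumerate(hits):
            in_window = [k for t, k in hits[i:] if t - start <= window]
            if len(in_window) >= min_hits and len(set(in_window)) >= min_kinds:
                alerts.append({"host": host, "count": len(in_window),
                               "kinds": sorted(set(in_window))})
                break
    return alerts

# Constructed sample telemetry: ws01 sweeps the subnet, ws02 sends a lone ping.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "cmdline": "ping -n 1 10.0.0.5"},
    {"ts": "2024-01-10T09:00:02", "host": "ws01", "cmdline": "ping -n 1 10.0.0.6"},
    {"ts": "2024-01-10T09:00:40", "host": "ws01", "cmdline": "net view /domain"},
    {"ts": "2024-01-10T09:01:10", "host": "ws01", "cmdline": "arp -a"},
    {"ts": "2024-01-10T09:01:30", "host": "ws01", "cmdline": "type C:\\Windows\\System32\\Drivers\\etc\\hosts"},
    {"ts": "2024-01-10T09:05:00", "host": "ws02", "cmdline": "ping -n 1 intranet"},
    {"ts": "2024-01-10T09:05:05", "host": "ws02", "cmdline": "notepad.exe report.txt"},
]
```

Calling `detect_bursts(SAMPLE_EVENTS)` flags only ws01, because its five commands span four discovery categories within two minutes, while ws02's single ping stays below both thresholds.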
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1018 | Remote System Discovery | |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of remote system discovery attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while minimizing system performance impact.
Remote system discovery attacks involve adversaries scanning networks to identify and map out systems, devices, and services that can be exploited for further compromise. Attackers use tools and techniques to probe remote systems, gathering information about network shares, open ports, running services, and active hosts. Intel TDT plays a critical role in detecting these types of activities by providing real-time telemetry on program execution, memory access, and control flow, allowing security teams to quickly spot abnormal behaviors like unauthorized network scans, service discovery attempts, or unusual API calls related to system enumeration.
Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster, more efficient detection of malicious activity without impacting system performance. CAMS helps identify suspicious behaviors, such as unauthorized scanning processes or attempts to interact with remote systems for reconnaissance purposes.