Home
ATT&CK Techniques
T1018 Remote System Discovery

T1018 Remote System Discovery

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or <code>net view</code> using Net.

Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.variety.Scan network	Enumerating the state of the network	related-to	T1018	Remote System Discovery
action.malware.variety.Scan network	Enumerating the state of the network	related-to	T1018	Remote System Discovery

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
microsoft_sentinel	Microsoft Sentinel	technique_scores	T1018	Remote System Discovery	Comments The Microsoft Sentinel Hunting "High reverse DNS count by host" and "Squid malformed requests" queries can indicate potentially malicious reconnaissance aimed at detecting network layout and the presence of network security devices. The Microsoft Sentinel Analytics "Several deny actions registered" query can identify patterns in Azure Firewall incidents, potentially indicating that an adversary is scanning resources on the network, at a default frequency of once per hour. Note that detection only occurs if the firewall prevents the scanning. The Microsoft Sentinel Analytics "Rare client observed with high reverse DNS lookup count" query can detect when a particular IP address performs an unusually high number of reverse DNS lookups and has not been observed doing so previously. The coverage for these queries is minimal resulting in an overall Minimal score. References https://learn.microsoft.com/en-us/azure/sentinel/overview https://learn.microsoft.com/en-us/azure/sentinel/hunting
azure_firewall	Azure Firewall	technique_scores	T1018	Remote System Discovery	Comments This control typically filters external network traffic and therefore can be effective for preventing external remote system discovery but such activity originating from inside the trusted network is not mitigated. Due to this partial protection coverage, it has been scored as Partial protection. References https://learn.microsoft.com/en-us/azure/firewall/overview

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
cloud_ngfw	Cloud Next-Generation Firewall (NGFW)_	technique_scores	T1018	Remote System Discovery	Comments Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall. References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']
google_secops	Google Security Operations	technique_scores	T1018	Remote System Discovery	Comments Google Security Ops attempts to identify remote systems via ping sweep. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/process_creation/remote_system_discovery___ping_sweep.yaral References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']
google_secops	Google Security Operations	technique_scores	T1018	Remote System Discovery	Comments Google Security Ops typically filters external network traffic and therefore can be effective for preventing external remote system discovery. Activity originating from inside the trusted network is not mitigated. References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']
vpc_service_controls	VPC Service Controls	technique_scores	T1018	Remote System Discovery	Comments VPC security perimeters can segment private resources to deny traffic based on organizational policy. References ['https://cloud.google.com/security/products/security-operations' 'https://cloud.google.com/chronicle/docs/secops/secops-overview' 'https://github.com/chronicle/detection-rules']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_virtual_private_cloud	Amazon Virtual Private Cloud	technique_scores	T1018	Remote System Discovery	Comments VPC security groups and network access control lists (NACLs) can filter network traffic and therefore can be effective for mitigating network based remote system discovery. Other remote system discovery methods such as discovering hosts from local host files are not mitigated resulting in Partial coverage score and an overall score of Partial. References https://docs.aws.amazon.com/vpc/latest/userguide/security.html
aws_network_firewall	AWS Network Firewall	technique_scores	T1018	Remote System Discovery	Comments AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block adversaries from discovering endpoints behind the firewall. This mapping is given a score of Partial because it does not protect against discovering endpoints within the network and behind the firewall. References https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html

M365 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
DEF-SECA-E3	Security Alerts	Technique Scores	T1018	Remote System Discovery	Comments Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR. References https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts