T1018.md

T1018 - Remote System Discovery

Description from ATT&CK

Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.

Windows

Examples of tools and commands that acquire this information include "ping" or "net view" using Net.

Mac

Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems.

Linux

Utilities such as "ping" and others can be used to gather information about remote systems.

Atomic Tests

• Atomic Test #1 - Remote System Discovery - net

• Atomic Test #2 - Remote System Discover - ping sweep

• Atomic Test #3 - Remote System Discover - arp

• Atomic Test #4 - Remote System Discovery - arp nix

• Atomic Test #5 - Remote System Discovery - sweep

Atomic Test #1 - Remote System Discovery - net

Identify remote systems with net.exe

Supported Platforms: Windows

Run it with command_prompt!

net view /domain
net view

Atomic Test #2 - Remote System Discover - ping sweep

Identify remote systems via ping sweep

Supported Platforms: Windows

Run it with command_prompt!

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

Atomic Test #3 - Remote System Discover - arp

Identify remote systems via arp

Supported Platforms: Windows

Run it with command_prompt!

arp -a

Atomic Test #4 - Remote System Discovery - arp nix

Identify remote systems via arp

Supported Platforms: Linux, macOS

Run it with sh!

arp -a | grep -v '^?'

Atomic Test #5 - Remote System Discovery - sweep

Identify remote systems via ping sweep

Supported Platforms: Linux, macOS

Run it with sh!

for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done