Remote System Discovery (T1018)

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network.(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)

Source: https://github.com/mitre/cti
Related Prelude attack chains
Release Date (Newest)
Filterfilter
Search for chains, TTPs, themes, and text

Browse By:

Platforms

  • All
  • Windows
  • Linux
  • Darwin
  • Global
  • Android

Themes

Tags

Licenses

GTsST Iron Viking AWFULSHRED

2022-06-22

/static/assets/linux-logo.svg
SSH worm which installs a wiper on the machine it has infected
Sliver BOF and Execute-Assembly

2022-03-01

/static/assets/windows-logo.svg
Add a COFF loader, run BOFs and execute-assembly ttps.
Conti Local and Remote Discovery

2022-01-18

/static/assets/windows-logo.svg
Using the Jambi agent from the initial access chain, discover local services, active directory objects, and check the box for PrintNightmare.
Conti (Discovery)

2021-09-21

/static/assets/windows-logo.svg
Perform the initial discovery and credential access techniques used in Conti ransomware playbook.