System Network Configuration Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access, or gather the same details about remote systems through information discovery. Several operating system administration utilities exist that can be used to collect this information; examples include arp, ipconfig/ifconfig, nbtstat, and route. Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as the IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface). Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining what access they have within the target network (reachable subnets, gateways, name resolution) and what actions to take next.
Detection logic
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information, producing no child process to observe. Further, Network Device CLI (T1059.008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
Observed actors
G1008
G0093 GALLIUM
G0022 APT3
G0094 Kimsuky
G0018 admin@338
G1017 Volt Typhoon
G0096 APT41
G0035 Dragonfly
G0045 menuPass
G0050 APT32
G0125 HAFNIUM
G0069 MuddyWater
G0019 Naikon
G0139 TeamTNT
G0034 Sandworm Team
G0121 Sidewinder
G0129 Mustang Panda
G0128 ZIRCONIUM
G1009 Moses Staff
G0049 OilRig
G0126 Higaisa
G0081 Tropic Trooper
G0004 Ke3chang
G0006 APT1
G0010 Turla
G0038 Stealth Falcon
G0114 Chimera
G0012 Darkhotel
G0032 Lazarus Group
G1006 Earth Lusca
G0102 Wizard Spider
G1036 Moonstone Sleet
G1040 Play
G1001 HEXANE
G0059 Magic Hound
G0027 Threat Group-3390
G1016 FIN13
G0073 APT19
Correlated CTI and IR reports
CTI repository (explicit report mention): From Threat Intelligence to Detection: A Practitioner's Guide
CTI repository (explicit report mention): ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
Medium (authored report mention): From Threat Intelligence to Detection: A Practitioner's Guide