Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).
Detection logic
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Monitor for processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.
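Detection logic of this kind, as an added example that is not part of the ATT&CK page: a Python rule over constructed process-creation records (Sysmon Event ID 1 or Windows 4688 style) that alerts when one host runs the built-in discovery utilities named above (ping, tracert, net view, arp) or reads the hosts file several times inside a short window, which is the "quick succession" pattern the detection note calls out. The tool list, the 60-second window and the threshold of four are assumptions to tune per environment; the sample events are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Built-in utilities the technique description names (ping, tracert, net view, arp) and the hosts
# file it mentions. The tool set, window and threshold are tuning assumptions, not ATT&CK values.
DISCOVERY_IMAGES = {"ping.exe", "tracert.exe", "arp.exe"}
HOSTS_FILE_MARKER = "drivers\\etc\\hosts"

def is_discovery(image: str, cmdline: str) -> bool:
    """True for the utilities above, for 'net view', or for any command naming the hosts file."""
    name, args = PureWindowsPath(image).name.lower(), cmdline.lower()
    return (name in DISCOVERY_IMAGES
            or (name in ("net.exe", "net1.exe") and " view" in args)
            or HOSTS_FILE_MARKER in args)

def detect_discovery_bursts(events, window_s=60, threshold=4):
    """One alert per host whose discovery commands reach `threshold` within `window_s` seconds.
    Events: dicts with ts (ISO 8601), host, user, image, cmdline, e.g. normalised Sysmon ID 1 / 4688."""
    window = timedelta(seconds=window_s)
    per_host = defaultdict(list)
    for ev in events:
        if is_discovery(ev["image"], ev["cmdline"]):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # drop hits that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                limit = hits[start][0] + window
                burst = [ev for ts, ev in hits[start:] if ts <= limit]
                alerts[host] = {"user": burst[0]["user"], "count": len(burst),
                                "commands": sorted({ev["cmdline"] for ev in burst})}
                break  # one alert per host is enough for triage
    return alerts

# Constructed sample telemetry, not real data: WS01 sweeps, enumerates and reads the hosts file; WS02 is routine use.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "host": "WS01", "user": "alice", "image": SYS32 + "ping.exe", "cmdline": "ping -n 1 10.0.0.5"},
    {"ts": "2024-05-01T10:00:03", "host": "WS01", "user": "alice", "image": SYS32 + "ping.exe", "cmdline": "ping -n 1 10.0.0.6"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "user": "alice", "image": SYS32 + "net.exe", "cmdline": "net view /domain"},
    {"ts": "2024-05-01T10:00:15", "host": "WS01", "user": "alice", "image": SYS32 + "cmd.exe", "cmdline": "cmd /c type " + SYS32 + "drivers\\etc\\hosts"},
    {"ts": "2024-05-01T10:05:00", "host": "WS02", "user": "bob", "image": SYS32 + "ping.exe", "cmdline": "ping fileserver01"},
    {"ts": "2024-05-01T10:06:00", "host": "WS02", "user": "bob", "image": SYS32 + "net.exe", "cmdline": "net use Z: \\\\fileserver01\\share"},
]
```

Running `detect_discovery_bursts(SAMPLE_EVENTS)` returns one alert for WS01 listing the four commands, and nothing for WS02, whose single ping and drive mapping stay below the threshold.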
Observed actors
G0119
GALLIUM (G0093)
APT3 (G0022)
Volt Typhoon (G1017)
APT41 (G0096)
Dragonfly (G0035)
menuPass (G0045)
APT32 (G0050)
HAFNIUM (G0125)
Naikon (G0019)
FIN6 (G0037)
Leafminer (G0077)
Sandworm Team (G0034)
Rocke (G0106)
Scattered Spider (G1015)
APT39 (G0087)
Akira (G1024)
Ke3chang (G0004)
Turla (G0010)
FIN5 (G0053)
APT29 (G0016)
Chimera (G0114)
BRONZE BUTLER (G0060)
Deep Panda (G0009)
Ember Bear (G1003)
ToddyCat (G1022)
Agrius (G1030)
Fox Kitten (G0117)
Earth Lusca (G1006)
Silence (G0091)
Wizard Spider (G0102)
Play (G1040)
HEXANE (G1001)
Magic Hound (G0059)
Threat Group-3390 (G0027)
FIN8 (G0061)
Correlated CTI and IR reports
ATT&CK as a Working Tool: Theory and Hands-On Practical Usage (CTI repository, explicit report mention; Medium, authored report mention)
Attack Playbook — Operation DragonRx (CTI repository, explicit report mention; Medium, authored report mention)
Operation DragonRx — APT41 Full Attack Simulation (CTI repository, explicit report mention)
Operation DragonRx: Simulating an APT41 Attack End-to-End — From Log4Shell to DFIR and Malware Analysis (CTI repository, explicit report mention; Medium, authored report mention)
APT41 Targeting Pharmaceutical Sector Log4Shell to Domain Compromise (CTI repository, explicit report mention)