# T1016 System Network Configuration Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes.(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Data Sources:

  * **Process:** OS API Execution

  * **Command:** Command Execution

  * **Process:** Process Creation

  * **Script:** Script Execution

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) looks for the host machine’s IP address.(Citation: Trend Micro TeamTNT)| 
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used <code>ipconfig</code> and <code>arp</code> to determine network configuration information.(Citation: Avira Mustang Panda January 2020)| 
| ZIRCONIUM | [ZIRCONIUM](https://attack.mitre.org/groups/G0128) has used a tool to enumerate proxy settings in the target environment.(Citation: Zscaler APT31 Covid-19 October 2020)| 
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used <code>ipconfig</code> to gather network configuration information.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)| 
| Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used malware to collect information on network interfaces, including the MAC address.(Citation: ATT Sidewinder January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has discovered the local network configuration with ipconfig.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used [ipconfig](https://attack.mitre.org/software/S0100), [Ping](https://attack.mitre.org/software/S0097), and <code>tracert</code> to enumerate the IP address and network environment and settings of the local host.(Citation: NCC Group Chimera January 2021)| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used "ipconfig" to identify the network configuration of a victim machine.(Citation: Sophos New Ryuk Attack October 2020)| 
| Frankenstein | [Frankenstein](https://attack.mitre.org/groups/G0101) has enumerated hosts, looking for the public IP address of the system.(Citation: Talos Frankenstein June 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) collected MAC addresses from victim machines.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) | 
| Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used `ipconfig/all` to gather network configuration information.(Citation: Talos Kimsuky Nov 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used <code>ipconfig /all</code> to obtain information about the victim network configuration. The group also ran a modified version of [NBTscan](https://attack.mitre.org/software/S0590) to identify available NetBIOS name servers.(Citation: Cybereason Soft Cell June 2019)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has used scripts to collect the host's network topology.(Citation: TrendMicro Tropic Trooper May 2020)| 
| APT19 | [APT19](https://attack.mitre.org/groups/G0073) used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.(Citation: Unit 42 C0d0so0 Jan 2016)| 
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used malware to collect the victim’s IP address and domain name.(Citation: Securelist MuddyWater Oct 2018)| 
| Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) malware gathers the victim's local IP address, MAC address, and external IP address.(Citation: Unit 42 Magic Hound Feb 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used the <code>ipconfig /all</code> command to gather the IP address from the system.(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has run <code>ipconfig /all</code> on a victim.(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.(Citation: PWC Cloud Hopper Technical Annex April 2017)| 
| Stealth Falcon | [Stealth Falcon](https://attack.mitre.org/groups/G0038) malware gathers the Address Resolution Protocol (ARP) table from the victim.(Citation: Citizen Lab Stealth Falcon May 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) checks for connectivity to other resources in the network.(Citation: Dragos Crashoverride 2018) | 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors use [NBTscan](https://attack.mitre.org/software/S0590) to discover vulnerable systems.(Citation: Dell TG-3390)| 
| APT3 | A keylogging tool used by [APT3](https://attack.mitre.org/groups/G0022) gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) uses commands such as <code>netsh interface show</code> to discover network interface settings.(Citation: Baumgartner Naikon 2015)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command after exploiting a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware to acquire information about local networks: <code>ipconfig /all >> %temp%\download</code>(Citation: FireEye admin@338)| 
| Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has collected the IP address and network adapter information from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover network configuration details using the <code>arp -a</code>, <code>nbtstat -n</code>, <code>net config</code>, <code>ipconfig /all</code>, and <code>route</code> commands, as well as [NBTscan](https://attack.mitre.org/software/S0590).(Citation: Kaspersky Turla)(Citation: Symantec Waterbug Jun 2019)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also retrieved registered RPC interface information from process memory.(Citation: ESET Turla PowerShell May 2019)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the <code>ipconfig /all</code> command to gather network configuration information.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has performed local network configuration discovery using <code>ipconfig</code>.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1016)

  * [Mandiant APT41 Global Intrusion](https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits), Glyer, C., Perez, D., Jones, S., Miller, S. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.

  * [US-CERT TA18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/309.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis


## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla| 1 | |

#### Turla 
 - Surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, nbtscan, net config, ipconfig /all, and route commands. Turla RPC backdoors have also retrieved registered RPC interface information from process memory.

## Detection Blindspots

- Information Here

## Analytical References

  * [Atomic Red Team T1016 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md)
  * [Poking Holes in the Firewall - Egress Testing with All Ports Exposed (blackhillsinfosec)](https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [Waterbug Espionage Governments (security.com)](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/waterbug-espionage-governments)
  * [ESET Turla ComRAT 2020 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)
  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.
- This technique is not all-inclusive. Operators should also look for Remote System Discovery (T1018), System Service Discovery (T1007), and System Network Connections Discovery (T1049).
- See Turla: T1570 - Lateral Tool Transfer for network analytics.
- None of these commands is inherently malicious; administrators and support staff run them daily. A single `ipconfig /all` is noise, a sequence of `ipconfig`, `arp`, `nbtstat` and `route` from one shell shortly after a new process or logon is the pattern worth pursuing.
- Monitor processes and command-line arguments for actions that could be taken to gather network configuration information (addresses, routes, adapters, name resolution settings).

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather network information

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** `net.exe`, `net1.exe` and `netsh.exe` are common in legitimate administration and scripts; pivot on `user.name`, `process.parent.name` and the count of distinct discovery tools per host rather than alerting on any single hit.

  * **Query:** ```Event_id : (1 or 5 or 4688 or 4689) AND process.name : (nbtstat.exe or ipconfig.exe or netstat.exe or route.exe or arp.exe or nbtscan.exe or net.exe or net1.exe or netsh.exe or pathping.exe or tracert.exe)```

#### Analytic 2

  * **Information:** Look for `wmic.exe` executions that use the `net*`, `nic*` or `port*` aliases (for example `nic`, `nicconfig`, `netuse`, `port`), which expose adapter, IP and port configuration.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** The parentheses are required. KQL evaluates `AND` before `OR`, so without them `*NIC*` and `*PORT*` would match the command line of any process, not only `wmic.exe`.

  * **Query:** ```process.name : wmic.exe AND process.command.line : (*NET* OR *NIC* OR *PORT*)```
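The two host analytics above, and the Hunter Notes' point that a lone `ipconfig` means little while a survey does, can be checked outside Kibana. The following is an added example (not code from the original page) that classifies Sysmon Event ID 1 records the way Analytics 1 and 2 do and then groups hits by parent process, so that a Turla-style `arp -a` / `nbtstat -n` / `ipconfig /all` / `route` sequence from one shell stands out. The event records and the `SAMPLE_EVENTS` list are constructed; the WMIC alias list is matched on whole tokens rather than the `*NET*` substring to avoid hitting unrelated command lines.

```python
"""Host analytic for T1016: classify Sysmon Event ID 1 (process creation)
records as network-configuration discovery and group hits by parent process.
Added example, not part of the original page; the event records are
constructed, not real telemetry."""
from collections import defaultdict

# Built-in utilities from Analytic 1 (image names, lower case).
DISCOVERY_IMAGES = {
    "arp.exe", "ipconfig.exe", "nbtstat.exe", "nbtscan.exe", "netsh.exe",
    "netstat.exe", "pathping.exe", "route.exe", "tracert.exe",
}
# net.exe / net1.exe are noisy; only these verbs touch network configuration.
NET_VERBS = {"config", "view"}
# WMIC aliases behind the net*/nic*/port* wildcards of Analytic 2.
WMIC_ALIASES = {
    "nic", "nicconfig", "netclient", "netlogin", "netprotocol", "netuse",
    "port", "portconnector",
}


def _tokens(command_line):
    """Split a command line into lower-cased, de-quoted tokens."""
    return [t.strip('"').lower() for t in command_line.split()]


def classify(event):
    """Return a short label when the event is T1016 discovery, else None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    toks = _tokens(event["CommandLine"])
    if image in DISCOVERY_IMAGES:
        return image
    if image in ("net.exe", "net1.exe") and len(toks) > 1 and toks[1] in NET_VERBS:
        return f"{image} {toks[1]}"
    if image == "wmic.exe":
        # Match whole tokens, not substrings: a bare *NET* wildcard would also
        # hit unrelated lines such as 'wmic process call create "net user ..."'.
        for tok in toks[1:]:
            if tok in WMIC_ALIASES:
                return f"wmic {tok}"
    return None


def find_chains(events, min_distinct=3):
    """Group discovery hits by (host, parent process GUID) and keep the groups
    with at least `min_distinct` different commands, i.e. a survey like the
    arp/nbtstat/ipconfig/route sequence rather than a lone ipconfig."""
    chains = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            chains[(ev["Computer"], ev["ParentProcessGuid"])].append(label)
    return {key: labels for key, labels in chains.items()
            if len(set(labels)) >= min_distinct}


def _ev(computer, parent_guid, image, cmd):
    return {"Computer": computer, "ParentProcessGuid": parent_guid,
            "Image": image, "CommandLine": cmd}


# Constructed sample: one interactive survey on WS01, benign noise on WS02.
SAMPLE_EVENTS = [
    _ev("WS01", "{A1}", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("WS01", "{A1}", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    _ev("WS01", "{A1}", r"C:\Windows\System32\nbtstat.exe", "nbtstat -n"),
    _ev("WS01", "{A1}", r"C:\Windows\System32\ROUTE.EXE", "route print"),
    _ev("WS01", "{A1}", r"C:\Windows\System32\net.exe", "net config workstation"),
    _ev("WS01", "{A1}", r"C:\Windows\System32\wbem\WMIC.exe",
        "wmic nicconfig where ipenabled=true get ipaddress,defaultipgateway"),
    _ev("WS02", "{B7}", r"C:\Windows\System32\ipconfig.exe", "ipconfig /renew"),
    _ev("WS02", "{B7}", r"C:\Windows\System32\net.exe", r"net use Z: \\fs01\share"),
    _ev("WS02", "{B7}", r"C:\Windows\System32\wbem\WMIC.exe",
        'wmic process call create "net user svc_backup"'),
]

if __name__ == "__main__":
    for (host, parent), labels in find_chains(SAMPLE_EVENTS).items():
        print(f"{host} parent {parent}: {len(set(labels))} distinct -> {labels}")
```

Grouping on `ParentProcessGuid` rather than a time window ties the commands to the shell or implant that spawned them; the WS02 helpdesk `ipconfig /renew` is classified as a hit but never reaches the threshold, which is the behaviour the Hunter Notes ask for.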



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Use SumStats to raise a **Bro/Zeek Notice event** if multiple instances of DCE-RPC Discovery indicators are observed originating from the same host, within a specified period of time.

- Example indicators
  - lsarpc::LsarEnumerateAccounts
  - lsarpc::LsarEnumerateAccountRights
  - lsarpc::LsarEnumerateAccountsWithUserRight
  - samr::SamrLookupNamesInDomain
  - samr::SamrLookupIdsInDomain
  - samr::SamrLookupDomainInSamServer
  - srvsvc::NetrConnectionEnum
  - srvsvc::NetrFileEnum
  - srvsvc::NetrRemoteTOD


#### Analytic 1

  * **Information:** Zeek tracks ATT&CK-like activity and writes findings to `notice.log`. **ATTACK::DISCOVERY** can be filtered in Kibana to identify specific techniques such as T1016. Correlate multiple distinct DCE-RPC discovery indicators (at least 3-4) from the same source host within a short window and investigate.

  * **Source:** PCAP, Zeek logs

  * **Tool:** Zeek, Kibana

  * **Notes:** Use the Zeek `notice.log` to identify suspicious ATT&CK-like activity and pivot from it to possible network configuration discovery.

  * **Query Kibana:** ```log.file.path: notice.log and rule.name: ATTACK* and rule.description: *discovery*```
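The SumStats rule from the Hunter Notes (raise a notice when several DCE-RPC discovery indicators come from one host inside a time window) and the "at least 3-4 from the same host" threshold in Analytic 1 are the same logic. The following is an added example, not code from the original page or from Zeek, that applies it to JSON `dce_rpc.log` records using the page's indicator list: a sliding window per `id.orig_h`, a notice once the distinct indicator count reaches the threshold, and one notice per host so a sweep does not flood the log. The log lines are constructed; field names follow Zeek's `dce_rpc.log` (`ts`, `id.orig_h`, `id.resp_h`, `endpoint`, `operation`).

```python
"""Network analytic for T1016: emulate the Zeek SumStats threshold described
above over dce_rpc.log records (JSON output), raising a notice when one source
host issues several distinct DCE-RPC discovery operations inside a time window.
Added example, not part of the original page or of Zeek; the log lines below
are constructed."""
import json
from collections import defaultdict, deque

# Indicator list from the Hunter Notes, keyed by dce_rpc.log 'endpoint'.
DISCOVERY_OPS = {
    "lsarpc": {"LsarEnumerateAccounts", "LsarEnumerateAccountRights",
               "LsarEnumerateAccountsWithUserRight"},
    "samr": {"SamrLookupNamesInDomain", "SamrLookupIdsInDomain",
             "SamrLookupDomainInSamServer"},
    "srvsvc": {"NetrConnectionEnum", "NetrFileEnum", "NetrRemoteTOD"},
}


def detect(log_lines, threshold=3, window_s=300.0):
    """Return one notice per offending source host. Records must be in time
    order, as in a log file; `threshold` distinct indicators inside
    `window_s` seconds from the same id.orig_h trigger the notice."""
    recent = defaultdict(deque)        # orig_h -> deque of (ts, indicator)
    alerted, notices = set(), []
    for line in log_lines:
        rec = json.loads(line)
        endpoint, op = rec.get("endpoint"), rec.get("operation")
        if op not in DISCOVERY_OPS.get(endpoint, ()):
            continue                   # not a discovery indicator
        src, ts = rec["id.orig_h"], float(rec["ts"])
        q = recent[src]
        q.append((ts, f"{endpoint}::{op}"))
        while q and ts - q[0][0] > window_s:
            q.popleft()                # slide the window
        distinct = {ind for _, ind in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            notices.append({"ts": ts, "src": src, "dst": rec["id.resp_h"],
                            "indicators": sorted(distinct)})
    return notices


def _rec(ts, src, dst, endpoint, op):
    return json.dumps({"ts": ts, "id.orig_h": src, "id.orig_p": 49233,
                       "id.resp_h": dst, "id.resp_p": 445,
                       "endpoint": endpoint, "operation": op})


# Constructed dce_rpc.log: 10.0.0.5 sweeps the DC in one minute, 10.0.0.7
# spreads three calls over ~40 minutes, 10.0.0.9 makes a normal share listing.
SAMPLE_LOG = [
    _rec(1000.0, "10.0.0.9", "10.0.0.2", "srvsvc", "NetrShareEnum"),
    _rec(1001.0, "10.0.0.5", "10.0.0.2", "lsarpc", "LsarEnumerateAccounts"),
    _rec(1002.5, "10.0.0.5", "10.0.0.2", "lsarpc", "LsarEnumerateAccountRights"),
    _rec(1010.0, "10.0.0.7", "10.0.0.2", "samr", "SamrLookupDomainInSamServer"),
    _rec(1030.0, "10.0.0.5", "10.0.0.2", "samr", "SamrLookupNamesInDomain"),
    _rec(1031.0, "10.0.0.5", "10.0.0.2", "samr", "SamrLookupIdsInDomain"),
    _rec(1055.0, "10.0.0.5", "10.0.0.2", "srvsvc", "NetrFileEnum"),
    _rec(2300.0, "10.0.0.7", "10.0.0.2", "samr", "SamrLookupNamesInDomain"),
    _rec(3400.0, "10.0.0.7", "10.0.0.2", "srvsvc", "NetrRemoteTOD"),
]

if __name__ == "__main__":
    for n in detect(SAMPLE_LOG):
        print(f"NOTICE ATTACK::Discovery {n['src']} -> {n['dst']}: {n['indicators']}")
```

With the default five-minute window only 10.0.0.5 is reported; widening `window_s` to cover the slow host shows why the threshold and window need tuning together, since a patient operator spacing calls out over an hour slips under a short window.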

#### Analytic 2

  * **Information:** Filter `dcerpc.api` and `dcerpc.cmd` to the interfaces and operations of interest, and adjust the list as the indicator set changes.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** Arkime parses most SMB and DCE-RPC traffic, but its decoding is less complete than Zeek's and it raises no notices; you must filter manually on the `dcerpc.api` and `dcerpc.cmd` fields.

  * **Query:** ```protocols == [smb, dcerpc] && dcerpc.api == [lsarpc, samr] && dcerpc.cmd == [SamrLookupNamesInDomain, SamrLookupIdsInDomain, LsarEnumerateAccounts, LsarEnumerateAccountRights]```

