# T1018 Remote System Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039).

Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.

Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network.(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)  


## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

Monitor for processes that can be used to discover remote systems, such as <code>ping.exe</code> and <code>tracert.exe</code>, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL)

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Data Sources:

  * **Command:** Command Execution

  * **Network Traffic:** Network Connection Creation

  * **Process:** Process Creation

  * **File:** File Access

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Indrik Spider | [Indrik Spider](https://attack.mitre.org/groups/G0119) has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.(Citation: Symantec WastedLocker June 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) used [AdFind](https://attack.mitre.org/software/S0552) to enumerate remote systems.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has used Angry IP Scanner to detect remote systems.(Citation: CISA AA20-259A Iran-Based Actor September 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) can use the <code>ping</code> command to discover remote systems.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has utilized various scans and queries to find domain controllers and remote services in the target environment.(Citation: NCC Group Chimera January 2021)| 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has looked for IP addresses in the known_hosts file on the infected system and attempted to SSH into them.(Citation: Talos Rocke August 2018)	| 
| Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. [Wizard Spider](https://attack.mitre.org/groups/G0102) has also used [AdFind](https://attack.mitre.org/software/S0552) and <code>nltest/dclist</code> to enumerate domain computers, including the domain controller.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: CrowdStrike Grim Spider May 2019)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DFIR Ryuk's Return October 2020)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used a modified version of [NBTscan](https://attack.mitre.org/software/S0590) to identify available NetBIOS name servers over the network as well as <code>ping</code> to identify remote systems.(Citation: Cybereason Soft Cell June 2019)| 
| Silence | [Silence](https://attack.mitre.org/groups/G0091) has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.(Citation: Group IB Silence Sept 2018)	| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) has used [NBTscan](https://attack.mitre.org/software/S0590) and custom tools to discover remote systems.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: Symantec Chafer February 2018)| 
| Leafminer | [Leafminer](https://attack.mitre.org/groups/G0077) used Microsoft’s Sysinternals tools to gather detailed information about remote systems.(Citation: Symantec Leafminer July 2018)| 
| FIN8 | [FIN8](https://attack.mitre.org/groups/G0061) has used [dsquery](https://attack.mitre.org/software/S0105) and other Active Directory utilities to enumerate hosts; they have also used <code>nltest.exe /dclist</code> to retrieve a list of domain controllers.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021)| 
| FIN5 | [FIN5](https://attack.mitre.org/groups/G0053) has used the open source tool Essential NetTools to map the network and build a list of targets.(Citation: Mandiant FIN5 GrrCON Oct 2016)| 
| BRONZE BUTLER | [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) typically use <code>ping</code> and [Net](https://attack.mitre.org/software/S0039) to enumerate systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) has enumerated DC servers using the command <code>net group "Domain Controllers" /domain</code>. The group has also used the <code>ping</code> command.(Citation: Cybereason Cobalt Kitty 2017)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) uses scripts to enumerate IP ranges on the victim network. [menuPass](https://attack.mitre.org/groups/G0045) has also issued the command <code>net view /domain</code> to a [PlugX](https://attack.mitre.org/software/S0013) implant to gather information about remote systems on the network.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)| 
| FIN6 | [FIN6](https://attack.mitre.org/groups/G0037) used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.(Citation: FireEye FIN6 April 2016)| 
| Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has likely obtained a list of hosts in the victim environment.(Citation: US-CERT TA18-074A)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.(Citation: ESET Telebots Dec 2016)(Citation: Dragos Crashoverride 2018) | 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used the <code>net view</code> command.(Citation: Nccgroup Emissary Panda May 2018)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can detect the existence of remote systems.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)| 
| Naikon | [Naikon](https://attack.mitre.org/groups/G0019) has used a netbios scanner for remote machine identification.(Citation: Bitdefender Naikon April 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used [AdFind](https://attack.mitre.org/software/S0552) to enumerate remote systems.(Citation: Microsoft Deep Dive Solorigate January 2021)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover remote systems on a local network using the <code>net view</code> and <code>net view /DOMAIN</code> commands. [Turla](https://attack.mitre.org/groups/G0010) has also used <code>net group "Domain Computers" /domain</code>, <code>net group "Domain Controllers" /domain</code>, and <code>net group "Exchange Servers" /domain</code> to enumerate domain computers, including the organization's DC and Exchange Server.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)| 
| Deep Panda | [Deep Panda](https://attack.mitre.org/groups/G0009) has used ping to identify other machines of interest.(Citation: Alperovitch 2014)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) has used network scanning and enumeration tools, including [Ping](https://attack.mitre.org/software/S0097).(Citation: NCC Group APT15 Alive and Strong)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1018)

  * [Cisa Ar21-126A Fivehands May 2021](https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a), CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

  * [Elastic - Koadiac Detection With Eql](https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql), Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.

  * [Us-Cert-Ta18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

  * [Capec](https://capec.mitre.org/data/definitions/292.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use LOLBins (living-off-the-land binaries already present on the host, such as net.exe, ping.exe and nltest.exe) and custom tools to enumerate the network during the early stages of an intrusion.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Turla | 1, 3 | 1, 2, 3, 4 |
| APT29 / UNC2452 (AdFind) | 2 | |

#### AdFind
- has the ability to query Active Directory for computers.

#### APT29
- has used AdFind to enumerate remote systems.

#### Turla
- surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands. Turla has also used net group "Domain Computers" /domain, net group "Domain Controllers" /domain, and net group "Exchange Servers" /domain to enumerate domain computers, including the organization's DC and Exchange Server.
- also routinely runs built-in reconnaissance commands such as gpresult, netstat, nslookup, ipconfig, arp, systeminfo, dir and route, as identified in the ESET report on ComRAT.

## Detection Blindspots

- The vast majority of detection events may be normal admin use. Ensure accounts running commands are valid and utilization is normal admin behavior.
- Encrypted traffic (for example SMB 3 encryption on the named-pipe transport that carries LSARPC, SAMR, SRVSVC and WKSSVC) hides the packet payload, so a network sensor may see the connection but not the DCE-RPC interface or operation names the network analytics below depend on.
- Incorrect sensor placement may not provide full visibility of traffic needed to identify this TTP.

## Analytical References

  * [ESET Turla ComRAT 2020 (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf)
  * [The Epic Turla Operations (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [Not So Cozy - An Examination of a Suspected APT29 Phishing Campaign (fireeye)](https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html)
  * [Deep Dive into the Solorigate Second Stage Activation from Sunburst to Teardrop and Raindrop 2021 (microsoft)](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
  * [bzar (github)](https://github.com/mitre-attack/bzar)
  * [Mitre ATT&CK T1018](https://attack.mitre.org/techniques/T1018)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used.
- In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.

#### Analytic 1

  * **Information:** Identifies the use of the Net utility for remote system discovery (Turla TTP).

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** `net.exe` hands most subcommands to a child `net1.exe`, so the `not process.parent.name:net.exe` clause keeps each command from being counted twice while still catching `net1.exe` run directly. `process.args` is the parsed argument list, so a quoted group name such as `"Domain Computers"` is matched as a single element rather than as part of a phrase. `net view` and `net group ... /domain` are routine for some administrators; pivot on the user, the parent process and what ran next before escalating.

  * **Query:** ```event.category:process and event.type:(start or process_started) and (process.name:net.exe or (process.name:net1.exe and not process.parent.name:net.exe)) and (process.args:view or (process.args:group and process.args:("Domain Computers" or "Domain Controllers" or "Exchange Servers") and process.args:("/domain" or "/DOMAIN")))```

#### Analytic 2

  * **Information:** AdFind, run under a renamed filename, used to enumerate domain computers and other Active Directory objects (APT29 / UNC2452 TTP).

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Attackers executed the legitimate AdFind tool multiple times to enumerate domains, remote systems and accounts, and to discover trusts between federated domains. The tool was executed under a renamed filename chosen to blend into the existing environment or to mimic existing network services, so a query keyed on the process name alone will miss it. Match instead on the distinctive argument shapes in the observed command lines below (`-sc u:...`, `-f objectcategory=...`), or on the PE version-info `OriginalFileName` (AdFind.exe) that Sysmon Event ID 1 records for the binary regardless of its name on disk. The `>` redirection in the command lines belongs to the cmd.exe shell that launched the tool and will not appear in AdFind's own process command line. The command lines are as published in the Microsoft Solorigate deep dive listed under Analytical References; bracketed values are that report's placeholders.
      - Some examples of [renamed-adfind] observed by Microsoft and other security researchers:
           - SearchIndex.exe
           - sqlceip.exe
           - postgres.exe
           - IxNetwork.exe
           - csrss.exe


  * **Observed command line:** ```[renamed-adfind].exe -h [internal domain] -sc u:[user] > .\\[machine]\[file].[log|txt]```
  * **Observed command line:** ```[renamed-adfind].exe -sc u:* > .\[folder]\[file].[log|txt]```
  * **Observed command line:** ```[renamed-adfind].exe -h [machine] -f (name="Domain Admins") member -list | [renamed-adfind].exe -h [machine] -f objectcategory=* > .\[folder]\[file].[log|txt]```

#### Analytic 3

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** Field names follow the Sysmon Event ID 1 mapping in use (`event_id` / `command_line` here; `event.code` / `process.command_line` under ECS). A quoted value is matched as a phrase, so a wildcard inside the quotes is taken literally; the phrases below match `net view /domain` and `net group "Domain Computers" /domain` as logged. The wildcard form of the hosts-file query assumes `command_line` is indexed as a keyword field, and it only sees command-line readers such as `type`, `more` and `findstr`; a SACL with object-access auditing (Event ID 4663) on `C:\Windows\System32\drivers\etc\hosts` covers reads made by other programs.

  * **Query:** ```event_id:1 AND command_line:"net view"```

  * **Query:** ```event_id:1 AND command_line:"net group"```

  * **Query:** ```event_id:1 AND command_line:*\\etc\\hosts*```
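The three host analytics above share one piece of logic: pick out Sysmon Event ID 1 records whose image or arguments match a discovery pattern, and avoid counting net.exe's net1.exe child twice. The following is an added example for this page (not code from MITRE, Elastic or Microsoft) that runs that logic, plus the "ping/tracert in quick succession" signal from the Technique Detection section, over constructed Sysmon-style records; the host names, file paths, the domain corp.example and the burst threshold are assumptions for the demo.

```python
"""Host-side T1018 triage over Sysmon Event ID 1 (process creation) records.

Added example for this page, not code from MITRE, Elastic or Microsoft. Events are
constructed to resemble Sysmon fields as forwarded by Winlogbeat (UtcTime, Computer,
Image, ParentImage, OriginalFileName, CommandLine); hosts, paths, the domain
corp.example and the burst threshold are assumptions for the demo.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

NET_GROUPS = {"domain computers", "domain controllers", "exchange servers"}
BURST_TOOLS = {"ping.exe", "tracert.exe"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # split a Windows command line, keeping quoted args whole

def tokens(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def image_name(ev, key="Image"):
    return ntpath.basename(ev.get(key, "")).lower()

def net_discovery(ev):
    """Host Analytic 1: net view / net group <domain group> /domain, counted once per command."""
    name = image_name(ev)
    if name not in ("net.exe", "net1.exe"):
        return None
    if name == "net1.exe" and image_name(ev, "ParentImage") == "net.exe":
        return None  # net.exe re-launches net1.exe for most subcommands; count the parent only
    args = [t.lower() for t in tokens(ev["CommandLine"])[1:]]
    if args and args[0] == "view":
        return "net view" + (" /domain" if "/domain" in args else "")
    if len(args) > 1 and args[0] == "group" and args[1] in NET_GROUPS and "/domain" in args:
        return f'net group "{args[1]}" /domain'
    return None

def adfind(ev):
    """Host Analytic 2: AdFind under any file name, via PE OriginalFileName or argument shape."""
    name = image_name(ev)
    if ev.get("OriginalFileName", "").lower() == "adfind.exe" and name != "adfind.exe":
        return f"AdFind renamed to {name} (OriginalFileName=AdFind.exe)"
    args = [t.lower() for t in tokens(ev["CommandLine"])[1:]]
    for flag, value in zip(args, args[1:]):
        if flag == "-sc" and value.startswith("u:"):  # -sc u:<user> / -sc u:*
            return f"AdFind argument shape in {name}: {flag} {value}"
        if flag == "-f" and value.lstrip("(").startswith("objectcategory="):
            return f"AdFind argument shape in {name}: {flag} {value}"
    return None

def hosts_file_read(ev):
    """Host Analytic 3: command-line readers of the local hosts file (type, more, findstr ...)."""
    if re.search(r"\\etc\\hosts\b", ev["CommandLine"], re.IGNORECASE):
        return "hosts file read from the command line"
    return None

def ping_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """Technique Detection: ping/tracert launched in quick succession on one host."""
    times = defaultdict(list)
    for ev in events:
        if image_name(ev) in BURST_TOOLS:
            times[ev["Computer"]].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    hits = {}
    for host, ts in times.items():
        ts.sort()
        best = start = 0
        for end, t in enumerate(ts):  # sliding window: longest run of launches inside `window`
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[host] = best
    return hits

RULES = (("net_discovery", net_discovery), ("adfind", adfind), ("hosts_file", hosts_file_read))

def triage(events):
    findings = [{"rule": rule, "host": ev["Computer"], "detail": detail}
                for ev in events for rule, check in RULES if (detail := check(ev))]
    for host, n in ping_bursts(events).items():
        findings.append({"rule": "ping_burst", "host": host, "detail": f"{n} ping/tracert launches within 60 s"})
    return findings

SYS32 = r"C:\Windows\System32"

def _ev(t, host, image, cmd, parent=SYS32 + r"\cmd.exe", orig=None):
    return {"UtcTime": f"2021-07-08 {t}.000", "Computer": host, "Image": image, "ParentImage": parent,
            "OriginalFileName": orig or ntpath.basename(image), "CommandLine": cmd}

EVENTS = [  # constructed sample, not real telemetry
    _ev("10:00:01", "WS01", SYS32 + r"\net.exe", "net  view /DOMAIN"),
    _ev("10:00:01", "WS01", SYS32 + r"\net1.exe", r"C:\Windows\system32\net1  view /DOMAIN", parent=SYS32 + r"\net.exe"),
    _ev("10:00:09", "WS01", SYS32 + r"\net.exe", 'net group "Domain Controllers" /domain'),
    _ev("10:01:30", "WS01", SYS32 + r"\net.exe", r"net use Z: \\fs01\share"),  # benign subcommand
    _ev("10:02:00", "WS02", r"C:\ProgramData\sqlceip.exe", "sqlceip.exe -h corp.example -sc u:*", orig="AdFind.exe"),
    _ev("10:02:15", "WS02", r"C:\Windows\Temp\postgres.exe", "postgres.exe -f objectcategory=* -csv", orig="-"),
    _ev("10:02:40", "WS02", SYS32 + r"\cmd.exe", r"cmd.exe /c type C:\Windows\System32\drivers\etc\hosts"),
    _ev("10:06:00", "WS04", SYS32 + r"\PING.EXE", "ping -n 2 intranet.corp.example"),  # one ping, no burst
] + [_ev(f"10:05:{5 * i:02d}", "WS03", SYS32 + r"\PING.EXE", f"ping -n 1 10.0.0.{i + 1}") for i in range(5)]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['rule']:14} {f['host']:5} {f['detail']}")
```

Run as-is it prints six findings: two `net_discovery` hits on WS01 (the `net1.exe` child of `net.exe` is skipped, the `net use` is ignored), two `adfind` hits on WS02 (one by OriginalFileName, one by argument shape even though the version info was stripped), the hosts-file read, and a `ping_burst` for WS03; WS04's single ping stays below the threshold.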







-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- If multiple instances of DCE-RPC discovery indicators are observed originating from the same host within a specified period of time, further analysis should be conducted.
- Relevant indicators: these will be seen in the Arkime (formerly Moloch) `dcerpc.cmd` and `dcerpc.api` fields.
- See T1570 - Lateral Tool Transfer for more network analytics.

#### Analytic 1 (Turla)

  * **Information:** Monitor for ping sweeps, port scans and NetBIOS traffic. A sweep shows up as one source contacting many distinct internal destinations in a short window, so aggregate the matching sessions by source IP and count distinct destinations rather than reading sessions one by one.

  * **Source:** PCAP

  * **Tool:** Arkime, Kibana

  * **Notes:** ICMP echo from monitoring systems and NetBIOS name-service chatter (UDP 137) between Windows hosts are normal; baseline the sources that routinely generate them before alerting. Replace the placeholders with the site's own ranges (for example `ip.dst == 10.0.0.0/8`).

  * **Query:** ```protocols == icmp && ip.src == <internal or external> && ip.dst == <internal>```
  * **Query:** ```port.dst == [137,138,139] && ip.src == <internal> && ip.dst == <internal>```

#### Analytic 2 (Turla)

  * **Information:** Monitor for possible DCERPC commands originating from one host executing multiple commands.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** 

  * **Query:** ```dcerpc.cmd == EXISTS! || dcerpc.api == EXISTS! <modify as needed>```

#### Analytic 3 (Turla)

  * **Information:** Monitor for port scans. Use this after another analytic has raised suspicion of scanning from a specific host, since there is no good starting point for looking at all ports across all hosts.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** 

  * **Query:** ```ip.src == <ip of interest>  && port.dst == <ports>```


#### Analytic 4 (Turla)

  * **Information:** If multiple instances of DCE-RPC discovery indicators are observed originating from the same host within a specified period of time, further analysis should be conducted. These calls reveal system and account information that lets an adversary gather further network detail and set up for lateral movement across the network. Example: the LsaLookupNames function (LsarLookupNames on the wire) retrieves the security identifiers (SIDs) that correspond to an array of user, group or local group names, which is useful for reconnaissance and discovery.

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** The bold titles are the DCE-RPC interfaces (the `dcerpc.api` value); the bullets list the operations on each interface (the `dcerpc.cmd` values) that indicate discovery activity:

  **LSARPC - (Local Security Authority Remote Procedure Call)**
 - LsarEnumerateAccounts
 - LsarEnumerateAccountRights
 - LsarEnumerateAccountsWithUserRight
 - LsarEnumeratePrivileges
 - LsarEnumeratePrivilegesAccount
 - LsarEnumerateTrustedDomainsEx
 - LsarGetSystemAccessAccount
 - LsarGetUserName
 - LsarLookupNames
 - LsarLookupNames2
 - LsarLookupNames3
 - LsarLookupNames4
 - LsarLookupPrivilegeDisplayName
 - LsarLookupPrivilegeName
 - LsarLookupPrivilegeValue
 - LsarLookupSids
 - LsarLookupSids2
 - LsarLookupSids3
 - LsarQueryDomainInformationPolicy
 - LsarQueryInfoTrustedDomain
 - LsarQueryInformationPolicy
 - LsarQueryInformationPolicy2
 - LsarQueryTrustedDomainInfo
 - LsarQueryTrustedDomainInfoByName

  **SAMR - (Security Account Manager Remote Protocol)**
 - SamrEnumerateAliasesInDomain
 - SamrEnumerateDomainsInSamServer
 - SamrEnumerateGroupsInDomain
 - SamrEnumerateUsersInDomain
 - SamrGetAliasMembership
 - SamrGetGroupsForUser
 - SamrGetMembersInAlias
 - SamrGetMembersInGroup
 - SamrGetUserDomainPasswordInformation
 - SamrLookupDomainInSamServer
 - SamrLookupIdsInDomain
 - SamrLookupNamesInDomain
 - SamrQueryDisplayInformation
 - SamrQueryDisplayInformation2
 - SamrQueryDisplayInformation3
 - SamrQueryInformationAlias
 - SamrQueryInformationDomain
 - SamrQueryInformationDomain2
 - SamrQueryInformationGroup
 - SamrQueryInformationUser
 - SamrQueryInformationUser2

  **SRVSVC - (Server Service Remote Protocol)**
 - NetrConnectionEnum
 - NetrFileEnum
 - NetrRemoteTOD
 - NetrServerAliasEnum
 - NetrServerGetInfo
 - NetrServerTransportEnum
 - NetrSessionEnum
 - NetrShareEnum

  **WKSSVC - (Workstation Service Remote Protocol)**
 - NetrWkstaGetInfo
 - NetrWkstaTransportEnum
 - NetrWkstaUserEnum
 
  * **Query:** ```dcerpc.api == [lsarpc, samr, srvsvc, wkssvc] <look at api's individually to allow for better analysis>```
  * **Query:** ```dcerpc.cmd == LsarLookupNames4 <modify as needed>```
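Network Analytics 1, 2 and 4 all reduce to the same aggregation: count, per source host, how many distinct destinations (ping sweep, NetBIOS probing) or distinct DCE-RPC discovery operations appear inside a short time window. Below is an added example for this page (not Arkime or BZAR code) that performs that aggregation in Python over constructed session records shaped like a few Arkime session fields; the address ranges, thresholds, windows and the subset of operations taken from the list above are assumptions for the demo.

```python
"""Network-side T1018 triage over Arkime-style session records.

Added example for this page, not Arkime or BZAR code. Sessions are constructed dicts
mimicking a few Arkime session fields (firstPacket, srcIp, dstIp, protocol, dstPort,
dcerpc.api / dcerpc.cmd); addresses, thresholds and windows are invented for the demo.
"""
import ipaddress
from collections import Counter, defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # site ranges: assumption for the demo
NETBIOS_PORTS = {137, 138, 139}
DISCOVERY_OPS = {  # subset of the Analytic 4 op list; extend with the rest as needed
    "lsarpc": {"LsarLookupNames", "LsarLookupNames2", "LsarLookupNames3", "LsarLookupNames4",
               "LsarLookupSids", "LsarLookupSids2", "LsarLookupSids3", "LsarEnumerateTrustedDomainsEx"},
    "samr": {"SamrEnumerateDomainsInSamServer", "SamrLookupDomainInSamServer", "SamrEnumerateUsersInDomain"},
    "srvsvc": {"NetrServerGetInfo", "NetrShareEnum", "NetrSessionEnum", "NetrServerTransportEnum"},
    "wkssvc": {"NetrWkstaGetInfo", "NetrWkstaTransportEnum", "NetrWkstaUserEnum"},
}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def max_distinct_in_window(pairs, window):
    """pairs: (epoch_seconds, key). Largest number of distinct keys inside any `window`-second span."""
    pairs = sorted(pairs)
    seen, best, start = Counter(), 0, 0
    for t, key in pairs:
        seen[key] += 1
        while t - pairs[start][0] > window:  # drop sessions that fell out of the window
            old = pairs[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best

def _per_source(sessions, select, key, window, threshold):
    by_src = defaultdict(list)
    for s in sessions:
        if select(s):
            by_src[s["srcIp"]].append((s["firstPacket"], key(s)))
    hits = {src: max_distinct_in_window(p, window) for src, p in by_src.items()}
    return {src: n for src, n in hits.items() if n >= threshold}

def ping_sweeps(sessions, threshold=8, window=60):
    """Analytic 1: one source echo-requesting many distinct internal hosts within a minute."""
    return _per_source(sessions, lambda s: s["protocol"] == "icmp" and is_internal(s["dstIp"]),
                       lambda s: s["dstIp"], window, threshold)

def netbios_scans(sessions, threshold=5, window=60):
    """Analytic 1: one source touching 137-139 on many distinct internal hosts."""
    return _per_source(sessions, lambda s: s.get("dstPort") in NETBIOS_PORTS and is_internal(s["dstIp"]),
                       lambda s: s["dstIp"], window, threshold)

def rpc_discovery(sessions, threshold=3, window=300):
    """Analytics 2 and 4: several distinct discovery operations from one source within five minutes."""
    def is_discovery(s):
        rpc = s.get("dcerpc")
        return bool(rpc) and rpc["cmd"] in DISCOVERY_OPS.get(rpc["api"], ())
    return _per_source(sessions, is_discovery, lambda s: (s["dcerpc"]["api"], s["dcerpc"]["cmd"]),
                       window, threshold)

def hunt(sessions):
    return {"ping_sweep": ping_sweeps(sessions), "netbios_scan": netbios_scans(sessions),
            "rpc_discovery": rpc_discovery(sessions)}

BASE = 1625738400  # 2021-07-08 10:00:00 UTC

def _s(t, src, dst, proto, port=None, api=None, cmd=None):
    s = {"firstPacket": BASE + t, "srcIp": src, "dstIp": dst, "protocol": proto}
    if port is not None:
        s["dstPort"] = port
    if api:
        s["dcerpc"] = {"api": api, "cmd": cmd}
    return s

SESSIONS = (  # constructed sample, not a real capture
    [_s(2 * i, "10.0.5.20", f"10.0.5.{i}", "icmp") for i in range(1, 13)]  # sweep: 12 hosts in 24 s
    + [_s(40 + 3 * i, "10.0.5.20", f"10.0.5.{i}", "tcp", 139) for i in range(1, 11)]  # NetBIOS on the responders
    + [_s(100, "10.0.5.20", "10.0.0.10", "tcp", 445, "srvsvc", "NetrShareEnum"),
       _s(101, "10.0.5.20", "10.0.0.10", "tcp", 445, "wkssvc", "NetrWkstaGetInfo"),
       _s(103, "10.0.5.20", "10.0.0.10", "tcp", 445, "lsarpc", "LsarLookupNames4"),
       _s(105, "10.0.5.20", "10.0.0.10", "tcp", 445, "samr", "SamrEnumerateDomainsInSamServer"),
       _s(107, "10.0.5.20", "10.0.0.10", "tcp", 445, "srvsvc", "NetrShareEnum")]  # repeated op adds nothing
    + [_s(10, "10.0.5.30", "10.0.0.1", "icmp"), _s(11, "10.0.5.30", "10.0.0.2", "icmp")]  # benign: two pings
    + [_s(200 + i, "10.0.0.50", f"10.0.5.{i}", "tcp", 445, "srvsvc", "NetrServerGetInfo") for i in range(1, 4)]  # monitoring box, one op
    + [_s(300, "203.0.113.7", "10.0.5.1", "icmp")]  # external source, single destination
)

if __name__ == "__main__":
    for name, hits in hunt(SESSIONS).items():
        print(name, hits or "-")
```

Only 10.0.5.20 trips all three checks: 12 distinct ICMP destinations, 10 distinct NetBIOS targets and 4 distinct discovery operations against the domain controller. The monitoring host 10.0.0.50 issues the same single operation to several hosts and stays under the threshold, which is the distinction the "distinct operations per source" framing is meant to preserve; once a source is flagged, the Analytic 3 port-scan query is the natural pivot.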

