T1018.md

T1018 - Remote System Discovery

Description from ATT&CK

Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.

Windows

Examples of tools and commands that acquire this information include "ping" or "net view" using Net. The contents of the C:\Windows\System32\Drivers\etc\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system.

Mac

Specific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.

Linux

Utilities such as "ping" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.

Cloud

In cloud environments, the above techniques may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs with information about remote systems and services.

Atomic Tests

• Atomic Test #1 - Remote System Discovery - net

• Atomic Test #2 - Remote System Discovery - net group Domain Computers

• Atomic Test #3 - Remote System Discovery - nltest

• Atomic Test #4 - Remote System Discovery - ping sweep

• Atomic Test #5 - Remote System Discovery - arp

• Atomic Test #6 - Remote System Discovery - arp nix

• Atomic Test #7 - Remote System Discovery - sweep

• Atomic Test #8 - Remote System Discovery - nslookup

Atomic Test #1 - Remote System Discovery - net

Identify remote systems with net.exe.

Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net view /domain
net view

Atomic Test #2 - Remote System Discovery - net group Domain Computers

Identify remote systems with net.exe querying the Active Directory Domain Computers group.

Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net group "Domain Computers" /domain

Atomic Test #3 - Remote System Discovery - nltest

Identify domain controllers for specified domain.

Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
target_domain	Domain to query for domain controllers	String	domain.local

Attack Commands: Run with command_prompt!

nltest.exe /dclist:#{target_domain}

Atomic Test #4 - Remote System Discovery - ping sweep

Identify remote systems via ping sweep.

Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

Atomic Test #5 - Remote System Discovery - arp

Identify remote systems via arp.

Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

arp -a

Atomic Test #6 - Remote System Discovery - arp nix

Identify remote systems via arp.

Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

arp -a | grep -v '^?'

Dependencies: Run with sh!

Description: Check if arp command exists on the machine

Check Prereq Commands:

if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; 

Get Prereq Commands:

echo "Install arp on the machine."; exit 1;

Atomic Test #7 - Remote System Discovery - sweep

Identify remote systems via ping sweep.

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.

Supported Platforms: Linux, macOS

Inputs:

Name	Description	Type	Default Value
subnet	Subnet used for ping sweep.	string	192.168.1
start_host	Subnet used for ping sweep.	string	1
stop_host	Subnet used for ping sweep.	string	254

Attack Commands: Run with sh!

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

Atomic Test #8 - Remote System Discovery - nslookup

Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.

Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}