Esc
System Network Configuration Discovery - T1016
(ATT&CK® Technique)
Definition
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1016["System Network Configuration Discovery"] --> |may-invoke| CreateProcess["Create Process"]; class T1016 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1016 href "/offensive-technique/attack/T1016/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1016["System Network Configuration Discovery"] --> |may-execute| ExecutableScript["Executable Script"]; class T1016 OffensiveTechniqueNode;
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
click T1016 href "/offensive-technique/attack/T1016/"; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript"; T1016["System Network Configuration Discovery"] --> |may-invoke| GetSystemNetworkConfigValue["Get System Network Config Value"]; class T1016 OffensiveTechniqueNode;
class GetSystemNetworkConfigValue ArtifactNode; click GetSystemNetworkConfigValue href "/dao/artifact/d3f:GetSystemNetworkConfigValue";
click T1016 href "/offensive-technique/attack/T1016/"; click GetSystemNetworkConfigValue href "/dao/artifact/d3f:GetSystemNetworkConfigValue"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | GetSystemNetworkConfigValue["Get System Network Config Value"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class GetSystemNetworkConfigValue ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | ExecutableScript["Executable Script"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DynamicAnalysis["Dynamic Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
EmulatedFileAnalysis["Emulated File Analysis"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DecoyFile["Decoy File"] -->
| spoofs | ExecutableScript["Executable Script"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1016["System Network Configuration Discovery"] ;
class DecoyFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEviction["File Eviction"] -->
| deletes | ExecutableScript["Executable Script"];
FileEviction["File Eviction"] -.->
| may-evict | T1016["System Network Configuration Discovery"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; FileEncryption["File Encryption"] -->
| encrypts | ExecutableScript["Executable Script"];
FileEncryption["File Encryption"] -.->
| may-harden | T1016["System Network Configuration Discovery"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | ExecutableScript["Executable Script"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableDenylisting["Executable Denylisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableDenylisting["Executable Denylisting"] -->
| blocks | ExecutableScript["Executable Script"];
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; ExecutableAllowlisting["Executable Allowlisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableAllowlisting["Executable Allowlisting"] -->
| blocks | ExecutableScript["Executable Script"];
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; SystemCallFiltering["System Call Filtering"] -->
| filters | GetSystemNetworkConfigValue["Get System Network Config Value"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class GetSystemNetworkConfigValue ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; RestoreFile["Restore File"] -->
| restores | ExecutableScript["Executable Script"];
RestoreFile["Restore File"] -.->
| may-restore | T1016["System Network Configuration Discovery"] ;
class RestoreFile DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] -->
| analyzes | ExecutableScript["Executable Script"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1016["System Network Configuration Discovery"] ;
class FileAnalysis DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | ExecutableScript["Executable Script"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1016["System Network Configuration Discovery"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableScript ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";