Remote System Discovery - T1018
(ATT&CK® Technique)
Definition
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as Ping or net view using Net.
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
T1018 Remote System Discovery --> |produces| Network Traffic
T1018 Remote System Discovery --> |may-invoke| Create Process
T1018 Remote System Discovery --> |may-invoke| Create Socket
T1018 Remote System Discovery --> |may-access| Operating System Configuration File

Defensive techniques, the artifact each acts on, and the inferred relationship to T1018:
Client-server Payload Profiling --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Remote Terminal Session Detection --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Network Traffic Signature Analysis --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Protocol Metadata Anomaly Detection --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Network Traffic Community Deviation --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Per Host Download-Upload Ratio Analysis --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Decoy File --> |spoofs| Operating System Configuration File; -.-> |may-deceive| T1018
File Eviction --> |deletes| Operating System Configuration File; -.-> |may-evict| T1018
Process Spawn Analysis --> |analyzes| Create Process; -.-> |may-detect| T1018
System Call Analysis --> |analyzes| Create Process; --> |analyzes| Create Socket; -.-> |may-detect| T1018
File Encryption --> |encrypts| Operating System Configuration File; -.-> |may-harden| T1018
File Integrity Monitoring --> |analyzes| Operating System Configuration File; -.-> |may-detect| T1018
User Geolocation Logon Pattern Analysis --> |analyzes| Network Traffic; -.-> |may-detect| T1018
Restore File --> |restores| Operating System Configuration File; -.-> |may-restore| T1018
Local File Permissions --> |restricts| Operating System Configuration File; -.-> |may-isolate| T1018
System Call Filtering --> |filters| Create Socket; --> |filters| Create Process; -.-> |may-isolate| T1018
Network Traffic Filtering --> |filters| Network Traffic; -.-> |may-isolate| T1018
Executable Denylisting --> |filters| Create Process; -.-> |may-isolate| T1018
Hardware-based Process Isolation --> |restricts| Create Process; -.-> |may-isolate| T1018
Executable Allowlisting --> |filters| Create Process; -.-> |may-isolate| T1018
System File Analysis --> |analyzes| Operating System Configuration File; -.-> |may-detect| T1018
File Analysis --> |analyzes| Operating System Configuration File; -.-> |may-detect| T1018
Remote File Access Mediation --> |isolates| Operating System Configuration File; -.-> |may-isolate| T1018