Remote System Discovery T1018

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, net view using Net, or, on ESXi servers, `esxcli network diag ping`.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 66 rules under this technique (listed at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (27 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

| Field | Rules | How | Sample values |
|---|---|---|---|
| CommandLine | 28 | contains 19, match 4, regex_match 4, in 2, eq 1 | oudmp, (?i)(objectcategory\|trustdmp\|member\s(.*)?-list), (?i)ping\s+-n\s1\s-w\s1\s(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-..., -sc u:, Domain Admins |
| EventID | 25 | eq 25 | 4104, 4688, 1, 4103 |
| process_name | 21 | eq 15, match 3, wildcard 2, in 1 | dsquery.exe, powershell.exe, (?i)nslookup.exe, arp.exe, dsget.exe |
| OriginalFileName | 14 | eq 13, in 1 | net.exe, net1.exe, adfind.exe, dsquery.exe, nltestrk.exe |
| ScriptBlockText | 11 | contains 10, in 1, match 1 | get-domaincomputer, get-adcomputer, get-netcomputer, *findall()*, *findone()* |
| Type | 10 | eq 10 | |
| Image | 9 | ends_with 9 | \adfind.exe, \net.exe, \net1.exe, \cmd.exe, \dsquery.exe |
| event_count | 8 | gt 8 | 0, 100, 2 |
| event.type | 7 | eq 7 | start |
| process.args | 5 | eq 3, contains 2, starts_with 1, wildcard 1 | (objectcategory=attributeschema), (objectcategory=computer), (objectcategory=group), -a, -n |
| ParentImage | 4 | contains 3, ends_with 3 | -tomcat-, \caddy.exe, \httpd.exe, \w3wp.exe, cmd.exe |
| event_type | 2 | in 2 | childproc, netconn, proc |
| parent_process_name | 2 | eq 1, in 1 | cmd.exe, powershell.exe, pwsh.exe, wmiprvse.exe |
| sha256 | 2 | eq 2 | c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3 |
| ActingProcessFileName | 1 | in 1 | cmd.exe, powershell.exe, pwsh.exe |

Top indicator values (384 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
|---|---|---|---|---|
| EventID | eq | 4104 | 12 | 268 |
| EventID | eq | 4688 | 8 | 312 |
| EventID | eq | 1 | 4 | 232 |
| EventID | eq | 4103 | 4 | 105 |
| event.type | eq | start | 7 | 241 |
| OriginalFileName | eq | net.exe | 5 | 27 |
| OriginalFileName | eq | net1.exe | 5 | 43 |
| OriginalFileName | eq | adfind.exe | 3 | 4 |
| event_count | gt | 0 | 4 | 4 |
| process_name | eq | dsquery.exe | 4 | 12 |
| process_name | eq | nltest.exe | 4 | 10 |
| process_name | eq | powershell.exe | 4 | 99 |
| process_name | eq | net.exe | 3 | 20 |
| process_name | eq | net1.exe | 3 | 34 |
| CommandLine | contains | objectcategory= | 3 | 3 |
| CommandLine | contains | -w hidden | 2 | 5 |
| CommandLine | contains | oudmp | 2 | 2 |
| CommandLine | contains | user | 2 | 3 |
| CommandLine | contains | &cd&echo | 2 | 2 |
| CommandLine | contains | -sc u: | 2 | 2 |
| CommandLine | contains | -subnets -f | 2 | 2 |
| CommandLine | contains | adinfo | 2 | 2 |
| CommandLine | contains | catalina.jar | 2 | 3 |
| CommandLine | contains | catalina_home | 2 | 3 |
| CommandLine | contains | computer_pwdnotreqd | 2 | 2 |
| CommandLine | contains | computers_active | 2 | 2 |
| CommandLine | contains | computers_pwdnotreqd | 2 | 2 |
| CommandLine | contains | dcmodes | 2 | 2 |
| ParentImage | ends_with | \w3wp.exe | 3 | 12 |
| ScriptBlockText | contains | get-domaincomputer | 3 | 3 |

Exclusions (25 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
|---|---|---|---|
| user.id | in | S-1-5-18 | 2 |
| user.id | in | S-1-5-19 | 2 |
| user.id | in | S-1-5-20 | 2 |
| CommandLine | contains | \\\\ | 1 |
| CommandLine | eq | net view \\localhost | 1 |
| Image | ends_with | \adfind.exe | 1 |
| Image | wildcard | ?:\program files\microsoft monitoring agent\*.exe | 1 |
| Image | wildcard | ?:\program files\powershell\?\pwsh.exe | 1 |
| Image | wildcard | ?:\windows\adws\microsoft.activedirectory.webservices.exe | 1 |
| Image | wildcard | ?:\windows\system32\dsac.exe | 1 |
| Image | wildcard | ?:\windows\system32\windowspowershell\*.exe | 1 |
| Image | wildcard | ?:\windows\syswow64\windowspowershell\*.exe | 1 |
| ParentImage | eq | ?:\program files (x86)\citrix\workspace environment management... | 1 |
| ParentImage | eq | ?:\program files (x86)\lansweeper\service\lansweeperservice.exe | 1 |
| ParentImage | eq | ?:\programdata\centrastage\aemagent\aemagent.exe | 1 |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule entry carries its full predicates, exclusions, and indicators.

Sigma: 15 rules

Elastic: 8 rules

Splunk: 40 rules

Kusto: 3 rules