T1018 | Discovery | Easy difficulty

Remote System Discovery

Remote System Discovery (T1018) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring SIEM and firewall events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Data sources: SIEM, Firewall

What is Remote System Discovery?

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifiers on a network that may be used for lateral movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view to gain information about remote systems. After compromising an initial host, attackers systematically enumerate the internal network to identify additional targets, understand network topology, and prioritize hosts for further compromise. Active Directory queries provide a comprehensive listing of all domain-joined systems including their names, IP addresses, operating systems, and physical locations. Passive discovery techniques including analysis of ARP caches, broadcast traffic monitoring, and DNS zone transfers allow attackers to map the network without generating the scanning traffic that triggers network intrusion detection systems.

Remote System Discovery is documented as technique T1018 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into SIEM and firewall telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Remote System Discovery activity. These methods apply across SIEM and firewall environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for execution of network discovery commands including ping sweep scripts, net view, nbtstat -A, and arp -a from workstations and servers that do not have administrative or network management roles.

2. Alert on Active Directory LDAP queries retrieving computer objects, particularly queries requesting all computer accounts or filtering for specific operating systems that attackers target for exploitation.

3. Detect ICMP sweep activity through NetFlow analysis, alerting on hosts generating ICMP echo requests to sequential IP ranges that extend beyond their normal communication partners within the environment.

4. Monitor DNS queries for reverse lookups against large IP ranges, which attackers use to enumerate hostnames associated with discovered IP addresses as a passive alternative to active scanning.

5. Track ARP cache reads from automation tools and scripts, as commands like arp -a provide a ready-made list of recently contacted hosts on the local network segment without generating additional network traffic.
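Strategy 3 above (ICMP sweeps in NetFlow) can be expressed as a small sliding-window detector. The following is an added example, not code from the page or from SOCSimulator; the flow tuple layout, the allowlist of network-management hosts, the thresholds and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Assumed allowlist of hosts with a network-management role (e.g. a monitoring server).
NETWORK_MGMT_HOSTS = {"10.10.0.5"}

def sweep_score(dsts):
    """Return (distinct destinations, longest run of consecutive addresses)."""
    ints = sorted({int(ip_address(d)) for d in dsts})
    if not ints:
        return 0, 0
    longest = run = 1
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)
    return len(ints), longest

def detect_icmp_sweeps(flows, window_s=90, min_hosts=64, min_run=16):
    """flows: NetFlow-style (ts_seconds, src, dst, proto, icmp_type) tuples.
    Flag a source that sends echo requests (type 8) to at least min_hosts distinct
    destinations inside any window_s-second window, with at least min_run of them
    forming a consecutive address range; allowlisted management hosts are skipped."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, icmp_type in flows:
        if proto == "icmp" and icmp_type == 8 and src not in NETWORK_MGMT_HOSTS:
            by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over the events
            while events[end][0] - events[start][0] > window_s:
                start += 1
            n, run = sweep_score(d for _, d in events[start:end + 1])
            if n >= min_hosts and run >= min_run:
                # report the window in which the threshold was first crossed
                alerts.append({"src": src, "distinct_dsts": n, "longest_run": run})
                break                           # one alert per source is enough
    return alerts

def constructed_flows():
    """Constructed sample: one sweep, one benign host, one allowlisted scanner."""
    flows = [(1000 + i * 0.5, "10.10.3.17", f"10.10.4.{i}", "icmp", 8) for i in range(1, 101)]
    flows += [(1000 + i, "10.10.3.20", f"10.10.0.{10 + i}", "icmp", 8) for i in range(3)]
    flows += [(1000 + i * 0.2, "10.10.0.5", f"10.10.5.{i}", "icmp", 8) for i in range(1, 201)]
    return flows

if __name__ == "__main__":
    for a in detect_icmp_sweeps(constructed_flows()):
        print(f"ICMP sweep from {a['src']}: {a['distinct_dsts']} hosts, run of {a['longest_run']}")
```

Only the workstation is flagged: the benign host never reaches the distinct-host threshold and the monitoring server is excluded by role, which is the tuning the strategy calls for.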

Example Alerts

These realistic alert examples show what Remote System Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Medium | SIEM

Ping Sweep Executed Across Internal Network

ICMP echo request flood detected from workstation WS-ACCT-011: 4,096 ping requests to the 10.10.0.0/20 internal subnet within 90 seconds. The workstation has an accounting function and should not be performing network discovery. The sweep received responses from 847 live hosts, providing the attacker with a comprehensive map of active systems on the internal network as a foundation for targeted lateral movement.

Medium | SIEM

Active Directory Computer Enumeration via LDAP

LDAP query analysis detected workstation WS-SALES-033 querying Active Directory for all computer objects with their associated attributes including operating system version, last logon time, and organizational unit. Retrieval of all 3,847 computer accounts in a single query from a sales workstation with no IT function is consistent with post-compromise environment mapping to identify high-value targets such as servers running outdated operating systems.
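To turn the alert above into a rule, the LDAP search filter and result count from directory-service logs can be classified directly. This is an added example, not code from the page or from SOCSimulator; the log field layout, the IT asset-management allowlist, the 500-object threshold and the sample searches are constructed assumptions.

```python
import re

# Filter terms that select computer objects: objectCategory/objectClass=computer, or
# sAMAccountType=805306369 (SAM_MACHINE_ACCOUNT).
COMPUTER_TERMS = re.compile(
    r"\((?:objectCategory=computer|objectClass=computer|sAMAccountType=805306369)\)", re.I)
# A filter naming one host (no wildcard) is a routine directory lookup, not enumeration.
SINGLE_HOST = re.compile(r"\((?:cn|name|dNSHostName|sAMAccountName)=[^*)]+\)", re.I)
# Wildcard operating-system filters select whole classes of machines (e.g. legacy servers).
OS_WILDCARD = re.compile(r"\(operatingSystem=[^)]*\*[^)]*\)", re.I)

# Assumed allowlist of IT/asset-management systems expected to pull the full computer list.
IT_ASSET_HOSTS = {"10.10.0.50"}

def classify_ldap_search(search_filter, returned, client_ip, bulk_threshold=500):
    """Classify one LDAP search as 'enumeration', 'expected-bulk', 'targeted' or 'other'."""
    if not COMPUTER_TERMS.search(search_filter):
        return "other"
    if SINGLE_HOST.search(search_filter):
        return "targeted"
    if OS_WILDCARD.search(search_filter) or returned >= bulk_threshold:
        return "expected-bulk" if client_ip in IT_ASSET_HOSTS else "enumeration"
    return "other"

# Constructed sample searches: (client_ip, filter, objects returned)
SAMPLE_SEARCHES = [
    ("10.10.7.33", "(objectCategory=computer)", 3847),
    ("10.10.7.33", "(&(objectCategory=computer)(operatingSystem=Windows Server 2008*))", 12),
    ("10.10.7.33", "(&(objectClass=computer)(cn=FILESERVER-01))", 1),
    ("10.10.0.50", "(objectCategory=computer)", 3847),
    ("10.10.7.34", "(&(objectCategory=person)(sAMAccountName=jdoe))", 1),
]

def enumerating_clients(searches):
    """Return {client_ip: number of enumeration-class searches} for alerting."""
    counts = {}
    for client_ip, search_filter, returned in searches:
        if classify_ldap_search(search_filter, returned, client_ip) == "enumeration":
            counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, n in enumerating_clients(SAMPLE_SEARCHES).items():
        print(f"{ip}: {n} computer-object enumeration queries")
```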

Low | XDR

Net View Command Used for Remote Host Discovery

Process execution detected: net view /domain executed followed by net view \\FILESERVER-01 and net view \\DC-PRIMARY to enumerate shares and sessions on discovered hosts. These commands provide information about network resources and currently authenticated users that helps attackers identify active sessions to hijack and file shares containing data worth exfiltrating. The commands were run by a standard user account with no administrative responsibilities.

Practice Detecting Remote System Discovery

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Remote System Discovery. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Remote System Discovery?
SOC analysts detect Remote System Discovery (T1018) by monitoring SIEM and firewall telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for execution of network discovery commands including ping sweep scripts, net view, nbtstat -A, and arp -a from workstations and servers that do not have administrative or network management roles. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Remote System Discovery?
Remote System Discovery can be detected using SIEM and firewall platforms. SIEM tools are particularly effective for this technique because they provide visibility into the discovery phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Remote System Discovery in real-world attacks?
Remote System Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Remote System Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Remote System Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like Remote System Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.