T1016: System Network Configuration Discovery
| View on MITRE ATT&CK | T1016 |
|---|---|
| Tactic(s) | Discovery |
| Associated CAPEC Patterns | Network Topology Mapping (CAPEC-309) |
Data from MITRE ATT&CK®:
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.
Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion )
Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
AA24-109A StopRansomware: Akira Ransomware
This is a joint #StopRansomware advisory issued by CISA and partners covering Akira ransomware attacks. According to the report, the group has ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
The Updated APT Playbook: Tales from the Kimsuky threat actor group
This article by researchers at Rapid7 discusses recent activity by North Korean intrusion set 'Kimsuky'. Kimsuky is primarily focused on ...
#StopRansomware: Play Ransomware
This is a Cybersecurity Advisory from CISA with US and international partners which outlines TTPs (tactics, techniques and procedures) and IoCs ...
StopRansomware: Rhysida Ransomware
This is a joint Cybersecurity Advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
This advisory from the US National Security Agency, CISA and various other agencies outlines tactics, techniques and procedures used by Volt ...
How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Script Execution (Script)
The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)OS API Execution (Process)
Operating system function/method calls executed by a processProcess Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.