Detect Remote System Discovery in Elastic Security
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Common methods include net view, ping sweeps, ARP cache enumeration, NBT/NetBIOS scanning, and third-party tools such as Nmap, MASSCAN, NBTscan, and Angry IP Scanner. Adversaries may also read local host files (C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or query Active Directory for computer objects. On ESXi hosts, esxcli commands may be used to enumerate network peers.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1018 Remote System Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1018/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start" and (
process.name in~ ("net.exe", "net1.exe", "ping.exe", "arp.exe", "nbtstat.exe", "nltest.exe", "nmap", "masscan", "nbtscan", "ipscan") or
(
process.name in~ ("powershell.exe", "pwsh.exe") and (
process.args : ("Get-ADComputer", "Get-NetComputer", "Invoke-Portscan", "Test-Connection", "Test-NetConnection", "NetworkInformation.Ping", "Resolve-DnsName", "[Net.Dns]::GetHostEntry") or
process.command_line : ("*ping -n 1*", "*for /l*", "*1..254*")
)
) or
(
process.command_line : ("*net view*", "*net1 view*", "*nltest*/dclist*", "*nltest*/dsgetdc*", "*nltest*/domain_trusts*", "*arp -a*", "*arp /a*", "*nbtstat -A*", "*nbtstat -a*", "*nbtstat -n*", "*nbtstat -S*")
)
)]
| where not process.parent.name in~ ("services.exe", "msiexec.exe", "sccm.exe", "ccmexec.exe")
| eval discovery_type = case(
process.command_line : ("*net view*", "*net1 view*"), "NetView",
process.command_line : ("*nltest*"), "DomainDiscovery",
process.command_line : ("*arp -a*", "*arp /a*"), "ARPCache",
process.command_line : ("*nbtstat*"), "NetBIOS",
process.command_line : ("*ping*-n 1*", "*masscan*", "*nbtscan*"), "PingSweep",
process.name in~ ("nmap", "masscan", "nbtscan", "ipscan"), "ExternalScanner",
process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : ("*Get-ADComputer*", "*Get-NetComputer*"), "ADComputerEnum",
process.name in~ ("powershell.exe", "pwsh.exe") and process.command_line : ("*Test-Connection*", "*NetworkInformation.Ping*"), "PSPingSweep",
"Other"
)
| keep @timestamp, host.name, user.name, process.name, process.command_line, process.parent.name, process.pid, discovery_typeDetects Remote System Discovery (T1018) via process execution of known network enumeration tools, PowerShell-based ping sweeps and AD computer enumeration, and suspicious command patterns including net view, nltest, arp, nbtstat, and external scanners. Uses ECS process fields and sequences events per host.
Data Sources
Required Tables
False Positives & Tuning
- IT administrators running network inventory or asset discovery tools (e.g., Nmap, Angry IP Scanner) during authorized scans
- Domain controllers and management systems running nltest, net view, or Get-ADComputer as part of routine health checks or Group Policy processing
- Software deployment tools (SCCM, Ansible, Chef) enumerating hosts for patch management or configuration management operations
Other platforms for T1018
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Net View Domain Enumeration
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine='net view /domain' and then 'net view'. Security Event ID 4688 (if command-line auditing enabled). Sysmon Event ID 3 may show NetBIOS/SMB connections to contacted hosts on port 137/445.
- Test 2Ping Sweep of Local Subnet
Expected signal: Up to 254 Sysmon Event ID 1 events for ping.exe, each with a different target IP in CommandLine. Sysmon Event ID 11 for file creation of df00tech-sweep.txt. Network ICMP traffic visible in NetFlow/packet capture. File creation in TEMP directory.
- Test 3PowerShell Get-ADComputer Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ADComputer'. PowerShell ScriptBlock Log Event ID 4104 with full script. LDAP traffic from the host to domain controller on port 389/636. Sysmon Event ID 11 for CSV file creation in TEMP directory.
- Test 4ARP Cache Enumeration
Expected signal: Sysmon Event ID 1: arp.exe with CommandLine='arp -a'. Security Event ID 4688 (if command-line auditing enabled). No network events generated — this is a purely local operation. Sysmon Event ID 11 for file creation of df00tech-arp.txt.
- Test 5NLTest Domain Trust and DC Discovery
Expected signal: Sysmon Event ID 1: nltest.exe with CommandLine containing '/dclist:' and '/domain_trusts'. Security Event ID 4688 (if command-line auditing enabled). DNS queries for _ldap._tcp.dc._msdcs.<domain> visible in DNS logs.
References (9)
- https://attack.mitre.org/techniques/T1018/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-adsb-espionage/
- https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nltest
Unlock Pro Content
Get the full detection package for T1018 including response playbook, investigation guide, and atomic red team tests.