Detect Remote System Discovery in CrowdStrike LogScale
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Common methods include net view, ping sweeps, ARP cache enumeration, NBT/NetBIOS scanning, and third-party tools such as Nmap, MASSCAN, NBTscan, and Angry IP Scanner. Adversaries may also read local host files (C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or query Active Directory for computer objects. On ESXi hosts, esxcli commands may be used to enumerate network peers.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1018 Remote System Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1018/
LogScale Detection Query
// T1018 - Remote System Discovery
// Branch 1: Known discovery tool execution and command patterns
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\|\/)(
nnet\.exe|
net1\.exe|
ping\.exe|
arp\.exe|
nbtstat\.exe|
nltest\.exe|
nmap(\.exe)?|
masscan(\.exe)?|
nbtscan(\.exe)?|
ipscan(\.exe)?
)$/
OR CommandLine = /(?i)(net[\s\t]+(view|group)|net1[\s\t]+view|nltest.*(dclist|dsgetdc|domain_trusts)|arp[\s\t]+(-a|\/a)|nbtstat[\s\t]+(-a|-A|-n|-S)|ping.*-n[\s\t]+1|masscan|nbtscan)/
OR (
ImageFileName = /(?i)(\\|\/)(powershell\.exe|pwsh\.exe)$/
AND CommandLine = /(?i)(Get-ADComputer|Get-NetComputer|Invoke-Portscan|Test-Connection|Test-NetConnection|NetworkInformation\.Ping|\[Net\.Dns\]|Resolve-DnsName)/
)
// Compute indicator flags
| NetView := if(CommandLine = /(?i)net[\s\t]+(view|group)|net1[\s\t]+view/, 1, 0)
| NLTest := if(CommandLine = /(?i)nltest.*(dclist|dsgetdc|domain_trusts)/, 1, 0)
| ARPEnum := if(CommandLine = /(?i)arp[\s\t]+(-a|\/a)/, 1, 0)
| NBTStat := if(CommandLine = /(?i)nbtstat[\s\t]+(-a|-A|-n|-S)/, 1, 0)
| PingSweep := if(CommandLine = /(?i)ping.*-n[\s\t]+1|masscan|nbtscan/, 1, 0)
| PSDiscovery := if(CommandLine = /(?i)(Get-ADComputer|Get-NetComputer|Invoke-Portscan|Test-Connection|NetworkInformation\.Ping)/, 1, 0)
| ExtScanner := if(ImageFileName = /(?i)(nmap|masscan|nbtscan|ipscan)(\.exe)?$/, 1, 0)
| SuspicionScore := NetView + NLTest + ARPEnum + NBTStat + PingSweep + PSDiscovery + ExtScanner
| where SuspicionScore > 0
| DiscoveryType := case(
NetView = 1, "NetView",
NLTest = 1, "DomainDiscovery",
ARPEnum = 1, "ARPCache",
NBTStat = 1, "NetBIOS",
PingSweep = 1, "PingSweep",
PSDiscovery = 1, "PSNetworkDiscovery",
ExtScanner = 1, "ExternalScanner",
"Other"
)
// Exclude known-benign processes
| ParentBaseImage := replace(".*[\\\\/]", "", ParentBaseFileName)
| where ParentBaseImage != /(?i)(services\.exe|msiexec\.exe|sccm\.exe|ccmexec\.exe)/
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DiscoveryType, SuspicionScore, NetView, NLTest, ARPEnum, NBTStat, PingSweep, PSDiscovery, ExtScanner])
| sort(field=@timestamp, order=desc)Detects Remote System Discovery (T1018) in CrowdStrike Falcon LogScale using ProcessRollup2 events. Evaluates process image name and command-line arguments against known enumeration tool names and suspicious patterns across seven discovery categories. Assigns a suspicion score and classifies by discovery type.
Data Sources
Required Tables
False Positives & Tuning
- Red team or penetration testing operators executing authorized discovery commands on target systems within engagement scope
- IT asset management tools (e.g., Spiceworks, Lansweeper, PDQ Inventory) that invoke net.exe, arp.exe, or ping.exe during scheduled scans
- Windows Remote Management and RMM tools (ConnectWise, Kaseya) running network diagnostics that include ping sweeps or ARP enumeration
Other platforms for T1018
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Net View Domain Enumeration
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine='net view /domain' and then 'net view'. Security Event ID 4688 (if command-line auditing enabled). Sysmon Event ID 3 may show NetBIOS/SMB connections to contacted hosts on port 137/445.
- Test 2Ping Sweep of Local Subnet
Expected signal: Up to 254 Sysmon Event ID 1 events for ping.exe, each with a different target IP in CommandLine. Sysmon Event ID 11 for file creation of df00tech-sweep.txt. Network ICMP traffic visible in NetFlow/packet capture. File creation in TEMP directory.
- Test 3PowerShell Get-ADComputer Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ADComputer'. PowerShell ScriptBlock Log Event ID 4104 with full script. LDAP traffic from the host to domain controller on port 389/636. Sysmon Event ID 11 for CSV file creation in TEMP directory.
- Test 4ARP Cache Enumeration
Expected signal: Sysmon Event ID 1: arp.exe with CommandLine='arp -a'. Security Event ID 4688 (if command-line auditing enabled). No network events generated — this is a purely local operation. Sysmon Event ID 11 for file creation of df00tech-arp.txt.
- Test 5NLTest Domain Trust and DC Discovery
Expected signal: Sysmon Event ID 1: nltest.exe with CommandLine containing '/dclist:' and '/domain_trusts'. Security Event ID 4688 (if command-line auditing enabled). DNS queries for _ldap._tcp.dc._msdcs.<domain> visible in DNS logs.
References (9)
- https://attack.mitre.org/techniques/T1018/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-adsb-espionage/
- https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nltest
Unlock Pro Content
Get the full detection package for T1018 including response playbook, investigation guide, and atomic red team tests.