Detect Remote System Discovery in Splunk
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Common methods include net view, ping sweeps, ARP cache enumeration, NBT/NetBIOS scanning, and third-party tools such as Nmap, MASSCAN, NBTscan, and Angry IP Scanner. Adversaries may also read local host files (C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or query Active Directory for computer objects. On ESXi hosts, esxcli commands may be used to enumerate network peers.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1018 Remote System Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1018/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageBasename=mvindex(split(Image, "\\"), -1)
// Score network discovery indicators
| eval NetView=if(match(CommandLineLower, "net\s+view|net1\s+view"), 1, 0)
| eval NLTest=if(match(CommandLineLower, "nltest.*(/dclist|/dsgetdc|/domain_trusts|/server)"), 1, 0)
| eval ARPEnum=if(match(CommandLineLower, "arp\s+(-a|/a)"), 1, 0)
| eval NBTStat=if(match(CommandLineLower, "nbtstat\s+(-a|-A|-n|-S)"), 1, 0)
| eval PingSweep=if(match(CommandLineLower, "ping.*-n\s+1|for\s+/l.*ping|ping.*255\.255|masscan|nbtscan"), 1, 0)
| eval PSDiscovery=if(match(CommandLineLower, "get-adcomputer|get-netcomputer|test-connection|test-netconnection|invoke-portscan|networkInformation\.ping|\[net\.dns\]"), 1, 0)
| eval ExternalScanner=if(match(ImageBasename, "nmap\.exe|masscan\.exe|nbtscan\.exe|ipscan\.exe|angryip"), 1, 0)
| eval SuspicionScore=NetView + NLTest + ARPEnum + NBTStat + PingSweep + PSDiscovery + ExternalScanner
| where SuspicionScore > 0
| eval DiscoveryType=case(
NetView=1, "NetView",
NLTest=1, "DomainDiscovery",
ARPEnum=1, "ARPCache",
NBTStat=1, "NetBIOS",
PingSweep=1, "PingSweep",
PSDiscovery=1, "PSNetworkDiscovery",
ExternalScanner=1, "ExternalScanner",
true(), "Other"
)
| table _time, host, User, ImageBasename, CommandLine, ParentImage, DiscoveryType, SuspicionScore, NetView, NLTest, ARPEnum, NBTStat, PingSweep, PSDiscovery, ExternalScanner
| sort - _timeDetects remote system discovery using Sysmon Event ID 1 (Process Create) and Security Event ID 4688 (Process Creation with command line auditing). Evaluates seven discovery method categories and applies a cumulative suspicion score. Covers net view/net1 view domain enumeration, nltest domain trust discovery, ARP cache reading, NetBIOS scanning, ping sweeps, PowerShell-based AD and network enumeration, and external scanning tools like Nmap and MASSCAN.
Data Sources
Required Sourcetypes
False Positives & Tuning
- IT helpdesk and system administrators running net view or ping sweeps for legitimate troubleshooting
- Network monitoring tools (PRTG, SolarWinds, Nagios, Zabbix) that periodically ping or enumerate hosts
- Software deployment systems (SCCM, Ansible, Puppet) that query AD for computer objects via Get-ADComputer
- Vulnerability scanning tools (Tenable Nessus, Qualys, Rapid7) running credentialed scans from authorised scanner hosts
- Domain controllers running nltest for replication health checks
Other platforms for T1018
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Net View Domain Enumeration
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine='net view /domain' and then 'net view'. Security Event ID 4688 (if command-line auditing enabled). Sysmon Event ID 3 may show NetBIOS/SMB connections to contacted hosts on port 137/445.
- Test 2Ping Sweep of Local Subnet
Expected signal: Up to 254 Sysmon Event ID 1 events for ping.exe, each with a different target IP in CommandLine. Sysmon Event ID 11 for file creation of df00tech-sweep.txt. Network ICMP traffic visible in NetFlow/packet capture. File creation in TEMP directory.
- Test 3PowerShell Get-ADComputer Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ADComputer'. PowerShell ScriptBlock Log Event ID 4104 with full script. LDAP traffic from the host to domain controller on port 389/636. Sysmon Event ID 11 for CSV file creation in TEMP directory.
- Test 4ARP Cache Enumeration
Expected signal: Sysmon Event ID 1: arp.exe with CommandLine='arp -a'. Security Event ID 4688 (if command-line auditing enabled). No network events generated — this is a purely local operation. Sysmon Event ID 11 for file creation of df00tech-arp.txt.
- Test 5NLTest Domain Trust and DC Discovery
Expected signal: Sysmon Event ID 1: nltest.exe with CommandLine containing '/dclist:' and '/domain_trusts'. Security Event ID 4688 (if command-line auditing enabled). DNS queries for _ldap._tcp.dc._msdcs.<domain> visible in DNS logs.
References (9)
- https://attack.mitre.org/techniques/T1018/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-adsb-espionage/
- https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nltest
Unlock Pro Content
Get the full detection package for T1018 including response playbook, investigation guide, and atomic red team tests.