Detect Remote System Discovery in Sumo Logic CSE
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Common methods include net view, ping sweeps, ARP cache enumeration, NBT/NetBIOS scanning, and third-party tools such as Nmap, MASSCAN, NBTscan, and Angry IP Scanner. Adversaries may also read local host files (C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or query Active Directory for computer objects. On ESXi hosts, esxcli commands may be used to enumerate network peers.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1018 Remote System Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1018/
Sumo Detection Query
_sourceCategory=windows* (sysmon OR wineventlog OR winlog)
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as command_line nodrop
| parse field=NewProcessName "*" as process_path nodrop
| parse field=Image "*" as image_path nodrop
| eval process_path = if(isNull(process_path), image_path, process_path)
| eval command_lower = toLowerCase(command_line)
// Extract basename
| parse regex field=process_path "(?:[/\\\\])(?P<process_name>[^/\\\\]+)$" nodrop
// Score discovery indicators
| eval net_view = if(matches(command_lower, ".*net\s+view.*|.*net1\s+view.*"), 1, 0)
| eval nltest = if(matches(command_lower, ".*nltest.*(dclist|dsgetdc|domain_trusts|server).*"), 1, 0)
| eval arp_enum = if(matches(command_lower, ".*arp\s+(-a|/a).*"), 1, 0)
| eval nbtstat = if(matches(command_lower, ".*nbtstat\s+(-a|-A|-n|-S).*"), 1, 0)
| eval ping_sweep = if(matches(command_lower, ".*ping.*-n\s+1.*|.*for\s+/l.*ping.*|.*masscan.*|.*nbtscan.*"), 1, 0)
| eval ps_discovery = if(matches(command_lower, ".*(get-adcomputer|get-netcomputer|test-connection|test-netconnection|invoke-portscan|networkInformation\.ping|\[net\.dns\]).*"), 1, 0)
| eval ext_scanner = if(matches(toLowerCase(process_name), ".*(nmap|masscan|nbtscan|ipscan|angryip).*"), 1, 0)
| eval suspicion_score = net_view + nltest + arp_enum + nbtstat + ping_sweep + ps_discovery + ext_scanner
| where suspicion_score > 0
| eval discovery_type = if(net_view=1, "NetView",
if(nltest=1, "DomainDiscovery",
if(arp_enum=1, "ARPCache",
if(nbtstat=1, "NetBIOS",
if(ping_sweep=1, "PingSweep",
if(ps_discovery=1, "PSNetworkDiscovery",
if(ext_scanner=1, "ExternalScanner", "Other")))))))
| where process_name != "svchost.exe" and process_name != "MsMpEng.exe"
| fields _messageTime, Computer, User, process_name, command_line, ParentImage, discovery_type, suspicion_score, net_view, nltest, arp_enum, nbtstat, ping_sweep, ps_discovery, ext_scanner
| sort by _messageTime descDetects Remote System Discovery (T1018) in Sumo Logic by parsing Windows Security and Sysmon process creation events. Applies indicator scoring across seven discovery categories including net view, nltest domain enumeration, ARP cache dump, NetBIOS scanning, ping sweeps, PowerShell-based discovery, and external scanners.
Data Sources
Required Tables
False Positives & Tuning
- Help desk staff using ARP or ping commands during network troubleshooting sessions on managed endpoints
- Enterprise monitoring systems (Lansweeper, Spiceworks) that periodically run net view or ARP enumeration to maintain asset inventories
- PowerShell-based automation scripts used by sysadmins to query Active Directory for computer objects during regular operations
Other platforms for T1018
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Net View Domain Enumeration
Expected signal: Sysmon Event ID 1: Process Create for net.exe with CommandLine='net view /domain' and then 'net view'. Security Event ID 4688 (if command-line auditing enabled). Sysmon Event ID 3 may show NetBIOS/SMB connections to contacted hosts on port 137/445.
- Test 2Ping Sweep of Local Subnet
Expected signal: Up to 254 Sysmon Event ID 1 events for ping.exe, each with a different target IP in CommandLine. Sysmon Event ID 11 for file creation of df00tech-sweep.txt. Network ICMP traffic visible in NetFlow/packet capture. File creation in TEMP directory.
- Test 3PowerShell Get-ADComputer Enumeration
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Get-ADComputer'. PowerShell ScriptBlock Log Event ID 4104 with full script. LDAP traffic from the host to domain controller on port 389/636. Sysmon Event ID 11 for CSV file creation in TEMP directory.
- Test 4ARP Cache Enumeration
Expected signal: Sysmon Event ID 1: arp.exe with CommandLine='arp -a'. Security Event ID 4688 (if command-line auditing enabled). No network events generated — this is a purely local operation. Sysmon Event ID 11 for file creation of df00tech-arp.txt.
- Test 5NLTest Domain Trust and DC Discovery
Expected signal: Sysmon Event ID 1: nltest.exe with CommandLine containing '/dclist:' and '/domain_trusts'. Security Event ID 4688 (if command-line auditing enabled). DNS queries for _ldap._tcp.dc._msdcs.<domain> visible in DNS logs.
References (9)
- https://attack.mitre.org/techniques/T1018/
- https://us-cert.cisa.gov/ncas/alerts/TA18-106A
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-adsb-espionage/
- https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nltest
Unlock Pro Content
Get the full detection package for T1018 including response playbook, investigation guide, and atomic red team tests.