title: Remote System Discovery (T1018)
id: df00tech-t1018
status: experimental
description: "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Common methods include net view, ping sweeps, ARP cache enumeration, NBT/NetBIOS scanning, and third-party tools such as Nmap, MASSCAN, NBTscan, and Angry IP Scanner. Adversaries may also read local host files (C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) or query Active Directory for computer objects. On ESXi hosts, esxcli commands may be used to enumerate network peers."
references:
  - https://attack.mitre.org/techniques/T1018/
  - https://df00tech.com/detections/T1018
author: df00tech
date: 2026/04/16
tags:
  - attack.t1018
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original logic could not be auto-translated (see the KQL/SPL query on df00tech),
  # so the match-all placeholder has been replaced with a draft selection derived from
  # the discovery methods listed in the description. Tune it against your environment.
  selection_net_view:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
    CommandLine|contains: ' view'
  selection_scanners:
    Image|endswith:
      - '\nbtscan.exe'
      - '\nmap.exe'
      - '\masscan.exe'
      - '\ipscan.exe'
  selection_cmdline:
    CommandLine|contains:
      - 'arp -a'
      - 'Get-ADComputer'
      - 'esxcli network'
  condition: 1 of selection_*
falsepositives:
  - IT helpdesk and system administrators running net view or ping sweeps for legitimate troubleshooting
  - "Network monitoring tools (PRTG, SolarWinds, Nagios, Zabbix) that periodically ping or enumerate hosts"
  - "Software deployment systems (SCCM, Ansible, Puppet) that query AD for computer objects via Get-ADComputer"
  - "Vulnerability scanning tools (Tenable Nessus, Qualys, Rapid7) running credentialed scans from authorised scanner hosts"
  - Domain controllers running nltest for replication health checks
level: medium
