DET0574 Detection Strategy for Remote System Enumeration Behavior

| Item | Value |
|---|---|
| ID | DET0574 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1018 (Remote System Discovery)

Analytics

Windows

AN1583

Execution of network enumeration utilities (e.g., net.exe, ping.exe, tracert.exe) in short succession, often chained with lateral movement tools or system enumeration commands.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Define bursty execution patterns of enumeration commands (e.g., <30s) |
| CommandLinePattern | Tunable per org's scripting/IT tools (e.g., exclude SCCM, PsExec) |
| ParentProcess | Flag suspicious process ancestry (e.g., Word.exe spawning net.exe) |

Linux

AN1584

Use of bash scripts or interactive shells to issue sequential ping, arp, or traceroute commands to map remote hosts.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:EXECVE | execve |
| Network Connection Creation (DC0082) | linux:syslog | network |

Mutable Elements

| Field | Description |
|---|---|
| TargetIPRange | Tune for sensitive internal segments or known lateral targets |
| ShellContext | Distinguish user-interactive enumeration vs. cronjob or baseline tooling |
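
The following is an added worked example, not part of the ATT&CK page or of any MITRE tooling, covering both the Windows analytic (AN1583) and the Linux analytic (AN1584). It normalises Sysmon EventCode=1 records and auditd SYSCALL/EXECVE record pairs into one event shape, then applies the mutable elements as parameters: TimeWindow and a minimum command count define a burst, CommandLinePattern is modelled as an excluded-parent list, ParentProcess as a suspicious-parent list, TargetIPRange as an address prefix and ShellContext as the auditd tty field (cron jobs run with tty=(none)). All threshold values, the JSON field names assumed for Sysmon, and every sample event are constructed for the example; the parent-process names (CcmExec.exe for SCCM, WINWORD.EXE) are assumed tuning choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Mutable elements from AN1583 / AN1584; every value here is an assumed starting point.
TIME_WINDOW = timedelta(seconds=30)     # TimeWindow: MIN_COMMANDS tools inside 30s is a burst
MIN_COMMANDS = 3
ENUM_TOOLS = {"net.exe", "ping.exe", "tracert.exe", "ping", "arp", "traceroute"}
EXCLUDED_PARENTS = {"ccmexec.exe"}      # CommandLinePattern: SCCM agent activity treated as baseline
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # ParentProcess: Office -> net.exe
TARGET_IP_RANGE = "10.10.50."           # TargetIPRange: constructed sensitive segment

def from_sysmon(ev):
    """Normalise one Sysmon EventCode=1 record (JSON-exported field names assumed)."""
    ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": ev["Computer"], "user": ev["User"],
            "tool": ev["Image"].rsplit("\\", 1)[-1].lower(), "cmd": ev["CommandLine"],
            "parent": ev["ParentImage"].rsplit("\\", 1)[-1].lower(), "interactive": True}

AUDIT_HDR = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")

def from_auditd(lines, host):
    """Join the auditd SYSCALL (uid, tty) and EXECVE (argv) records that share one serial.
    ShellContext: a cron job executes with tty=(none); an interactive shell has a pts/tty."""
    recs = defaultdict(dict)
    for line in lines:
        m = AUDIT_HDR.match(line)
        if not m:
            continue
        rtype, epoch, serial = m.groups()
        rec = recs[serial]
        rec["ts"] = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        if rtype == "SYSCALL":
            rec["uid"] = re.search(r" uid=(\d+)", line).group(1)
            rec["tty"] = re.search(r" tty=(\S+)", line).group(1)
        elif rtype == "EXECVE":
            rec["argv"] = re.findall(r' a\d+="([^"]*)"', line)
    events = []
    for rec in recs.values():
        if "argv" not in rec:
            continue
        events.append({"ts": rec["ts"], "host": host, "user": "uid:" + rec.get("uid", "?"),
                       "tool": rec["argv"][0].rsplit("/", 1)[-1], "cmd": " ".join(rec["argv"]),
                       "parent": "", "interactive": rec.get("tty", "(none)") != "(none)"})
    return events

def find_bursts(events):
    """One alert per (host, user) whose enumeration commands cluster inside TIME_WINDOW."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["tool"] in ENUM_TOOLS and e["parent"] not in EXCLUDED_PARENTS:
            by_actor[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > TIME_WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_COMMANDS:
                continue
            tags = set()
            if any(w["parent"] in SUSPICIOUS_PARENTS for w in window):
                tags.add("suspicious_parent")
            if any(TARGET_IP_RANGE in w["cmd"] for w in window):
                tags.add("sensitive_range")
            if all(w["interactive"] for w in window):
                tags.add("interactive_shell")
            alerts.append({"host": host, "user": user,
                           "tools": [w["tool"] for w in window], "tags": tags})
            start = end + 1   # non-overlapping windows: one alert per burst
    return alerts

# Constructed sample telemetry (not real captures). The fourth Sysmon event is SCCM baseline noise.
SYSMON_SAMPLE = [
    {"UtcTime": "2025-10-21 10:00:01.000", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net view /domain", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"UtcTime": "2025-10-21 10:00:07.000", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping -n 1 10.1.2.3", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-10-21 10:00:15.000", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\TRACERT.EXE",
     "CommandLine": "tracert -d 10.1.2.3", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"UtcTime": "2025-10-21 10:00:20.000", "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\PING.EXE",
     "CommandLine": "ping -n 1 sccm01", "ParentImage": "C:\\Windows\\CCM\\CcmExec.exe"},
]
AUDITD_SAMPLE = [   # serials 501-503: interactive shell; serial 504: a lone cron-driven ping
    'type=SYSCALL msg=audit(1761040000.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2300 auid=1000 uid=1000 gid=1000 tty=pts0 comm="ping" exe="/usr/bin/ping"',
    'type=EXECVE msg=audit(1761040000.100:501): argc=3 a0="ping" a1="-c1" a2="10.10.50.7"',
    'type=SYSCALL msg=audit(1761040005.300:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2301 auid=1000 uid=1000 gid=1000 tty=pts0 comm="arp" exe="/usr/sbin/arp"',
    'type=EXECVE msg=audit(1761040005.300:502): argc=2 a0="arp" a1="-a"',
    'type=SYSCALL msg=audit(1761040012.800:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2302 auid=1000 uid=1000 gid=1000 tty=pts0 comm="traceroute" exe="/usr/bin/traceroute"',
    'type=EXECVE msg=audit(1761040012.800:503): argc=2 a0="traceroute" a1="10.10.50.9"',
    'type=SYSCALL msg=audit(1761040100.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=911 pid=2400 auid=4294967295 uid=0 gid=0 tty=(none) comm="ping" exe="/usr/bin/ping"',
    'type=EXECVE msg=audit(1761040100.000:504): argc=3 a0="/usr/bin/ping" a1="-c1" a2="10.10.50.1"',
]

def run_sample():
    events = [from_sysmon(e) for e in SYSMON_SAMPLE] + from_auditd(AUDITD_SAMPLE, "srv-lin01")
    return {(a["host"], a["user"]): a for a in find_bursts(events)}

if __name__ == "__main__":
    print(run_sample())
```

Run as-is, the sample produces two alerts: the Windows burst is tagged suspicious_parent because net.exe was spawned by WINWORD.EXE, and the Linux burst is tagged sensitive_range because the targets fall in the watched prefix; the SCCM-spawned ping and the single cron ping produce nothing. Real auditd hex-encodes arguments containing spaces, so a production parser also has to decode those before matching.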

macOS

AN1585

Execution of built-in or AppleScript-based system enumeration via arp, netstat, ping, and discovery of /etc/hosts contents.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process |
| File Access (DC0055) | macos:osquery | file_events |

Mutable Elements

| Field | Description |
|---|---|
| ExecutionUser | Limit detection to suspicious users or automation contexts |
| CommandSignature | Adapt for expected enumeration tooling used in IT |
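
Added example for AN1585 (not from the ATT&CK page or any MITRE tooling): it correlates the two data components the analytic names, process execution and /etc/hosts file access, by uid within a time window. Enumeration run through AppleScript is caught by looking for the tool name inside the osascript command line rather than at the image name. CommandSignature is modelled as a set of parent processes expected to run these tools (the JAMF agent path is an assumed example) and ExecutionUser as a watch list of accounts. The process records are constructed in the shape of JSON log entries with assumed uid, user and parent enrichment fields; the file rows are constructed from a subset of osquery file_events columns, and the action value is a placeholder.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
ENUM_TOOLS = {"arp", "netstat", "ping"}
HOSTS_FILE = "/etc/hosts"
# CommandSignature: parents that legitimately run these tools (assumed MDM agent path)
EXPECTED_PARENTS = {"/Library/Application Support/JAMF/bin/jamfAgent"}
# ExecutionUser: accounts whose enumeration always deserves a look (constructed names)
WATCHED_USERS = {"root", "svc-backup"}
EMBEDDED = re.compile(r"\b(arp|netstat|ping)\b")

def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def enumeration_tool(rec):
    """Return the enumeration tool a process record runs, or None.
    Direct execution is matched on the image name; osascript is matched on the
    shell command embedded in the AppleScript (do shell script "arp -a")."""
    if rec["parent"] in EXPECTED_PARENTS:
        return None
    name = rec["image"].rsplit("/", 1)[-1]
    if name in ENUM_TOOLS:
        return name
    if name == "osascript":
        m = EMBEDDED.search(rec["cmdline"])
        return f"{m.group(1)} (via osascript)" if m else None
    return None

def correlate(process_events, file_events):
    """Alert when a uid touches /etc/hosts within WINDOW of running enumeration tools."""
    enum_by_uid = {}
    for rec in process_events:
        tool = enumeration_tool(rec)
        if tool:
            enum_by_uid.setdefault(rec["uid"], []).append((parse_iso(rec["timestamp"]), tool, rec["user"]))
    alerts = []
    for fe in file_events:
        if fe["target_path"] != HOSTS_FILE:
            continue
        t = datetime.fromtimestamp(fe["time"], tz=timezone.utc)
        hits = [h for h in enum_by_uid.get(fe["uid"], []) if abs(t - h[0]) <= WINDOW]
        if not hits:
            continue
        user = hits[0][2]
        tags = {"applescript"} if any("osascript" in h[1] for h in hits) else set()
        if user in WATCHED_USERS:
            tags.add("watched_user")
        alerts.append({"uid": fe["uid"], "user": user, "tools": [h[1] for h in hits], "tags": tags})
    return alerts

# Constructed process records; uid/user/parent are assumed enrichment fields, not stock log fields.
PROCESS_SAMPLE = [
    {"timestamp": "2025-10-21T10:00:00Z", "uid": 501, "user": "mallory", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'do shell script \"arp -a\"'", "parent": "/bin/zsh"},
    {"timestamp": "2025-10-21T10:00:20Z", "uid": 501, "user": "mallory", "image": "/usr/sbin/netstat",
     "cmdline": "netstat -rn", "parent": "/bin/zsh"},
    {"timestamp": "2025-10-21T10:01:00Z", "uid": 501, "user": "mallory", "image": "/sbin/ping",
     "cmdline": "ping -c 1 10.0.0.5", "parent": "/bin/zsh"},
    {"timestamp": "2025-10-21T10:05:00Z", "uid": 0, "user": "root", "image": "/usr/sbin/arp",
     "cmdline": "arp -a", "parent": "/Library/Application Support/JAMF/bin/jamfAgent"},
]
# Constructed osquery file_events rows (column subset); 1761040890 is 2025-10-21T10:01:30Z.
FILE_SAMPLE = [
    {"target_path": "/etc/hosts", "action": "ACCESSED", "uid": 501, "time": 1761040890},
    {"target_path": "/etc/hosts", "action": "ACCESSED", "uid": 0, "time": 1761041102},
]

def run_sample():
    return correlate(PROCESS_SAMPLE, FILE_SAMPLE)

if __name__ == "__main__":
    print(run_sample())
```

The root /etc/hosts access produces no alert because the only enumeration by uid 0 came from the expected MDM agent; the mallory activity alerts with all three tools and the applescript tag. Whether osquery's FIM actually observes reads of /etc/hosts on a given macOS build depends on the file-event backend in use, so confirm that the channel emits such rows before relying on this correlation.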

ESXi

AN1586

ESXi shell or SSH access issuing esxcli network diag ping or viewing routing tables to identify connected hosts.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | None |

Mutable Elements

| Field | Description |
|---|---|
| ESXCommandPattern | Match specific diag/debug commands abused for recon |
| RemoteUserShell | Detect unauthorized shell use or user context (e.g., root over SSH) |
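
Added example for AN1586, not taken from the ATT&CK page or from VMware. It walks ESXi log lines in order, remembers the source address of each accepted SSH login, and alerts on shell commands that match an ESXCommandPattern list of diagnostic and routing commands (esxcli network diag ping, esxcli network ip route, esxcli network ip neighbor list, esxcfg-route). RemoteUserShell is modelled as two tags: root running the command over an SSH session, and an SSH source outside an assumed list of management hosts. The sample lines are constructed in the shape of ESXi auth and shell log entries; the exact line formats and the allowed-source list are assumptions to adapt to what the host actually forwards.

```python
import re

# ESXCommandPattern: diag/route commands worth alerting on (assumed list; extend as needed).
ESX_COMMAND_PATTERNS = [re.compile(p) for p in (
    r"\besxcli\s+network\s+diag\s+ping\b",
    r"\besxcli\s+network\s+ip\s+route\b",
    r"\besxcli\s+network\s+ip\s+neighbor\s+list\b",
    r"\besxcfg-route\b",
)]
# RemoteUserShell: management hosts from which root shell access is expected (constructed).
ALLOWED_ADMIN_SOURCES = {"10.20.0.5"}

# Line shapes are assumed: "<ts> shell[<pid>]: [<user>]: <command>" and the sshd accept line.
SHELL_LINE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
SSH_LOGIN = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def scan(lines):
    """Walk log lines chronologically; track SSH sources per user and alert on
    shell commands matching ESX_COMMAND_PATTERNS, tagging the user/source context."""
    ssh_source = {}   # user -> source IP of the most recent accepted SSH login
    alerts = []
    for line in lines:
        login = SSH_LOGIN.match(line)
        if login:
            ssh_source[login["user"]] = login["ip"]
            continue
        sh = SHELL_LINE.match(line)
        if not sh:
            continue
        cmd = sh["cmd"].strip()
        if not any(p.search(cmd) for p in ESX_COMMAND_PATTERNS):
            continue
        src = ssh_source.get(sh["user"])
        tags = set()
        if sh["user"] == "root" and src:
            tags.add("root_over_ssh")
        if src and src not in ALLOWED_ADMIN_SOURCES:
            tags.add("unexpected_source")
        alerts.append({"ts": sh["ts"], "user": sh["user"], "src": src, "cmd": cmd, "tags": tags})
    return alerts

# Constructed lines in the shape of ESXi auth.log / shell.log entries; not real captures.
SAMPLE = [
    "2025-10-21T09:58:11Z sshd[8812]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51512 ssh2",
    "2025-10-21T09:58:40Z shell[8830]: [root]: esxcli system version get",
    "2025-10-21T09:59:02Z shell[8830]: [root]: esxcli network diag ping -H 10.20.30.1",
    "2025-10-21T09:59:30Z shell[8830]: [root]: esxcli network ip route ipv4 list",
    "2025-10-21T09:59:55Z shell[8830]: [root]: esxcfg-route -l",
    "2025-10-21T10:15:00Z sshd[9001]: Accepted publickey for root from 10.20.0.5 port 40022 ssh2",
    "2025-10-21T10:15:20Z shell[9010]: [root]: esxcli network ip neighbor list",
]

def run_sample():
    return scan(SAMPLE)

if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["user"], a["src"], sorted(a["tags"]), a["cmd"])
```

The version query is ignored, the three commands from 10.20.30.40 carry both tags, and the neighbor listing from the management host carries only root_over_ssh, which a team that permits root SSH from that host would typically suppress.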

Network Devices

AN1587

Execution of discovery commands like show cdp neighbors, show arp, and other interface-level introspection on Cisco or Juniper devices.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | syslog facility LOCAL7 or trap messages |

Mutable Elements

| Field | Description |
|---|---|
| CommandList | Device-specific recon commands to monitor based on make/model |
| PrivLevel | Trigger detection for privilege escalation prior to recon commands |
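
Added example for AN1587; it is not from the ATT&CK page, Cisco or Juniper. It decodes the syslog PRI to keep only LOCAL7 messages, parses Cisco IOS %SYS-5-PRIV_AUTH_PASS (the message logged on a successful enable) and Junos UI_CMDLINE_READ_LINE (logged for every CLI command), and applies a per-vendor CommandList. PrivLevel is implemented as a tag on any recon command issued by the same user on the same device within a window after an escalation. The Cisco command-accounting message (%CMDACCT-6-CMD) is a constructed placeholder, since the real format depends on how AAA command accounting is forwarded; the command lists, the window and the year assumed for BSD-style timestamps are also assumptions, and every sample line is constructed.

```python
import re
from datetime import datetime, timedelta

LOCAL7 = 23                          # syslog facility the analytic names for device logs
PRIV_WINDOW = timedelta(minutes=10)  # PrivLevel: recon this soon after an escalation is tagged
# CommandList: recon commands per vendor (assumed starting list; extend per make/model).
RECON_COMMANDS = {
    "cisco": [r"^show cdp neighbors", r"^show (?:ip )?arp", r"^show lldp neighbors", r"^show ip route"],
    "juniper": [r"^show arp", r"^show lldp neighbors", r"^show route", r"^show ethernet-switching table"],
}
SYSLOG = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?:\d+: )?(?P<msg>.*)$")
# IOS message emitted when a user successfully raises their privilege level (enable).
CISCO_PRIV = re.compile(r"%SYS-5-PRIV_AUTH_PASS: Privilege level set to (?P<level>\d+) by (?P<user>\S+) on (?P<line>\S+) \((?P<ip>[\d.]+)\)")
# Constructed placeholder for an IOS command-accounting message; replace with the format
# your AAA command accounting actually forwards.
CISCO_CMD = re.compile(r'%CMDACCT-6-CMD: user=(?P<user>\S+) cmd="(?P<cmd>[^"]+)"')
# Junos logs every CLI command entered as UI_CMDLINE_READ_LINE.
JUNOS_CMD = re.compile(r"UI_CMDLINE_READ_LINE: User '(?P<user>[^']+)', command '(?P<cmd>[^']*)'")

def parse_ts(s, year=2025):
    # BSD syslog timestamps carry no year; the collector's year is assumed here.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def is_recon(vendor, cmd):
    return any(re.match(p, cmd) for p in RECON_COMMANDS[vendor])

def scan(lines):
    """Alert on recon commands; tag those that follow a privilege escalation by the same user."""
    recent_priv = {}   # (host, user) -> time of the last privilege escalation
    alerts = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m or int(m["pri"]) // 8 != LOCAL7:   # facility = PRI // 8
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
        priv = CISCO_PRIV.search(msg)
        if priv:
            recent_priv[(host, priv["user"])] = ts
            continue
        for vendor, rx in (("cisco", CISCO_CMD), ("juniper", JUNOS_CMD)):
            c = rx.search(msg)
            if c and is_recon(vendor, c["cmd"].strip()):
                tags = set()
                last = recent_priv.get((host, c["user"]))
                if last and timedelta(0) <= ts - last <= PRIV_WINDOW:
                    tags.add("post_priv_escalation")
                alerts.append({"host": host, "user": c["user"], "cmd": c["cmd"].strip(), "tags": tags})
    return alerts

# Constructed syslog lines: <189> = LOCAL7.notice, <190> = LOCAL7.info, <14> = user.info (filtered out).
SAMPLE = [
    "<189>Oct 21 10:00:00 core-sw01 1201: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by mallory on vty1 (10.0.0.9)",
    '<190>Oct 21 10:00:08 core-sw01 1202: %CMDACCT-6-CMD: user=mallory cmd="show cdp neighbors"',
    '<190>Oct 21 10:00:15 core-sw01 1203: %CMDACCT-6-CMD: user=mallory cmd="show ip arp"',
    '<190>Oct 21 10:00:20 core-sw01 1204: %CMDACCT-6-CMD: user=mallory cmd="show clock"',
    "<190>Oct 21 10:30:00 core-rtr01 mgd[4567]: UI_CMDLINE_READ_LINE: User 'netops', command 'show lldp neighbors '",
    "<14>Oct 21 10:31:00 core-rtr01 mgd[4567]: UI_CMDLINE_READ_LINE: User 'netops', command 'show arp '",
]

def run_sample():
    return scan(SAMPLE)

if __name__ == "__main__":
    for a in run_sample():
        print(a["host"], a["user"], sorted(a["tags"]), a["cmd"])
```

On the sample, the two Cisco commands issued within ten minutes of the enable are tagged post_priv_escalation, the Junos LLDP query alerts without the tag, show clock is not on the list, and the final line is dropped by the facility filter even though its command would match.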