Applied Cybernetics Group
T1016 — System Network Configuration Discovery
- Technique: T1016
- Tactics: Discovery
- MISP citations: 0
- KEV CVEs mapped: 1
- Community rules: 11
- thrunt rules: 0
- Upstream: https://attack.mitre.org/techniques/T1016
MITRE description
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. `show ip route`, `show ip interface`).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion)

On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix RansomHouse 2024)

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
KEV CVEs mapped to this technique
Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.
Detection coverage
SigmaHQ community rules
- Potential Pikabot Discovery Activity (emerging-threats)
- Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet (threat-hunting)
- OpenCanary - SNMP OID Request (core)
- System Network Discovery - Linux (core)
- System Network Discovery - macOS (core)
- Cisco Discovery (core)
- Suspicious Network Connection to IP Lookup Service APIs (core)
- Firewall Configuration Discovery Via Netsh.EXE (core)
- Nltest.EXE Execution (core)
- Potential Recon Activity Via Nltest.EXE (core)
- Suspicious Network Command (core)