T1018 — Remote System Discovery

Technique

T1018

Tactics

Discovery

MISP citations

0

KEV CVEs mapped

2

Community rules

17

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1018

MITRE description

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`. Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2025-0282
• CVE-2023-38035

Detection coverage

SigmaHQ community rules

• Net.EXE Execution (threat-hunting)
• Linux Remote System Discovery (core)
• Macos Remote System Discovery (core)
• Cisco Discovery (core)
• DirectorySearcher Powershell Exploitation (core)
• Active Directory Computers Enumeration With Get-AdComputer (core)
• Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock (core)
• HackTool - NetExec Execution (core)
• Share And Session Enumeration Using Net.EXE (core)
• Nltest.EXE Execution (core)
• PUA - AdFind Suspicious Execution (core)
• PUA - Adidnsdump Execution (core)
• Renamed AdFind Execution (core)
• Suspicious Scan Loop Network (core)
• Chopper Webshell Process Pattern (core)
• Webshell Hacking Activity Patterns (core)
• Webshell Detection With Command Line Keywords (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.