T1016

System Network Configuration Discovery

System Network Configuration Discovery (T1016) is a MITRE ATT&CK technique associated with Discovery . Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of rem…

Technique ID: T1016
Difficulty: Intermediate
Tactics: Discovery
Platforms: ESXiLinuxmacOSNetwork DevicesWindows

Executive Summary

System Network Configuration Discovery (T1016) is a MITRE ATT&CK technique associated with Discovery. Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.

Why Attackers Use It

Attackers use System Network Configuration Discovery because it provides a reliable way to advance their objective within the Discovery tactic, often with a favorable balance of impact versus detectability on ESXi, Linux, macOS, Network Devices, Windows environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.

MITRE Description

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command esxcli network nic list will retrieve the MAC address, while esxcli network ip interface ipv4 get will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes System Network Configuration Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

No universal command represents System Network Configuration Discovery. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.

Splunk Queries

Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.

Investigation Workflow

Confirm that the observed behavior is consistent with System Network Configuration Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1007
T1016.001
T1016.002
T1018
T1021.002
T1025
T1027
T1027.002
T1027.003
T1027.005
T1027.009
T1029
T1033
T1037.004
T1040
T1046
T1047
T1048
T1048.003
T1049
T1052.001
T1053.003
T1055.001
T1055.003
T1055.012
T1057
T1059.003
T1069
T1069.001
T1069.002
T1070
T1070.003
T1070.007
T1071
T1071.001
T1074
T1082
T1083
T1087
T1087.001
T1087.002
T1090.001
T1090.002
T1090.003
T1091
T1102.002
T1105
T1110
T1110.001
T1111
T1114.002
T1124
T1127.001
T1132.001
T1134
T1134.004
T1135
T1137.006
T1140
T1201
T1205
T1205.001
T1210
T1218.005
T1218.010
T1220
T1480.001
T1482
T1485
T1496.001
T1497.002
T1518
T1546.004
T1546.010
T1546.012
T1547
T1547.009
T1552.001
T1552.002
T1554
T1560
T1560.002
T1560.003
T1564.004
T1564.011
T1567
T1573.001
T1573.002
T1574
T1584.001
T1584.008
T1585.002
T1598
T1598.002
T1598.003
T1614
T1615
T1680

T1001Data Obfuscation T1001.001Junk Data T1001.002Steganography T1001.003Protocol or Service Impersonation T1007System Service Discovery T1016.001Internet Connection Discovery T1016.002Wi-Fi Discovery T1018Remote System Discovery T1021.002SMB/Windows Admin Shares T1025Data from Removable Media T1027Obfuscated Files or Information T1027.002Software Packing T1027.003Steganography T1027.005Indicator Removal from Tools T1027.009Embedded Payloads T1029Scheduled Transfer T1033System Owner/User Discovery T1037.004RC Scripts T1040Network Sniffing T1046Network Service Discovery T1047Windows Management Instrumentation T1048Exfiltration Over Alternative Protocol T1048.003Exfiltration Over Unencrypted Non-C2 Protocol T1049System Network Connections Discovery T1052.001Exfiltration over USB T1053.003Cron T1055.001Dynamic-link Library Injection T1055.003Thread Execution Hijacking T1055.012Process Hollowing T1057Process Discovery T1059.003Windows Command Shell T1069Permission Groups Discovery T1069.001Local Groups T1069.002Domain Groups T1070Indicator Removal T1070.003Clear Command History T1070.007Clear Network Connection History and Configurations T1071Application Layer Protocol T1071.001Web Protocols T1074Data Staged T1082System Information Discovery T1083File and Directory Discovery T1087Account Discovery T1087.001Local Account T1087.002Domain Account T1090.001Internal Proxy T1090.002External Proxy T1090.003Multi-hop Proxy T1091Replication Through Removable Media T1102.002Bidirectional Communication T1105Ingress Tool Transfer T1110Brute Force T1110.001Password Guessing T1111Multi-Factor Authentication Interception T1114.002Remote Email Collection T1124System Time Discovery T1127.001MSBuild T1132.001Standard Encoding T1134Access Token Manipulation T1134.004Parent PID Spoofing T1135Network Share Discovery T1137.006Add-ins T1140Deobfuscate/Decode Files or Information T1201Password Policy Discovery T1205Traffic Signaling T1205.001Port Knocking T1210Exploitation of Remote Services T1218.005Mshta T1218.010Regsvr32 T1220XSL Script Processing T1480.001Environmental Keying T1482Domain Trust Discovery T1485Data Destruction T1496.001Compute Hijacking T1497.002User Activity Based Checks T1518Software Discovery T1546.004Unix Shell Configuration Modification T1546.010AppInit DLLs T1546.012Image File Execution Options Injection T1547Boot or Logon Autostart Execution T1547.009Shortcut Modification T1552.001Credentials In Files T1552.002Credentials in Registry T1554Compromise Host Software Binary T1560Archive Collected Data T1560.002Archive via Library T1560.003Archive via Custom Method T1564.004NTFS File Attributes T1564.011Ignore Process Interrupts T1567Exfiltration Over Web Service T1573.001Symmetric Cryptography T1573.002Asymmetric Cryptography T1574Hijack Execution Flow T1584.001Domains T1584.008Network Devices T1585.002Email Accounts T1598Phishing for Information T1598.002Spearphishing Attachment T1598.003Spearphishing Link T1614System Location Discovery T1615Group Policy Discovery T1680Local Storage Discovery

Loading AttackTrace...

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Attacker gains the prerequisite access or context described below.
Attacker executes System Network Configuration Discovery to achieve its tactical objective (Discovery).
Resulting access/data/effect is leveraged to advance the broader attack chain (see Related Techniques).

Prerequisites

Platform(s): ESXi, Linux, macOS, Network Devices, Windows
ATT&CK does not define one universal permission requirement for this technique. Establish the required access from the observed implementation and affected platform.

Common Tools

Tool attribution is implementation-specific. Use ATT&CK procedure examples and local telemetry to identify the binaries, services, scripts, accounts, or cloud resources involved.

Commands

Network Traffic

Network observability is implementation-dependent. Review DNS, proxy, firewall, flow, authentication, and packet telemetry around the activity window, then correlate remote endpoints and protocol behavior with host evidence.

Windows Events

Event ID	Log Channel	What It Indicates
Environment-specific	Relevant Windows channel(s)	Correlate authentication, process, object-access, and configuration events with the observed execution context.

Sysmon Events

Sysmon Event ID	Name	Why It's Relevant Here
Environment-specific	Validate configured telemetry	Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled.

Detection Opportunities

No MITRE detection guidance published for this technique.

Relevant ATT&CK Data Sources: N/A

Sigma Rules

Splunk Queries

Investigation Workflow

Confirm that the observed behavior is consistent with System Network Configuration Discovery and rule out expected administrative or application activity.
Establish the first-seen time, initiating identity, source system, target system, and affected resources.
Collect relevant host, identity, network, cloud, and application telemetry for the surrounding time window.
Correlate parent and child activity, remote connections, file or configuration changes, and related ATT&CK techniques.
Determine scope by searching for the same observable across peer assets and identities.
Preserve volatile evidence and record confidence, assumptions, and telemetry gaps before containment.

Containment

Isolate affected host(s)/account(s) identified during investigation.
Revoke or rotate any credentials/tokens potentially exposed.
Apply the mitigations listed below where not already enforced.
Validate no related techniques (see Related Techniques) were chained against the same asset.

Mitigation

No MITRE mitigations mapped to this technique.

Related Techniques

T1001
T1001.001
T1001.002
T1001.003
T1007
T1016.001
T1016.002
T1018
T1021.002
T1025
T1027
T1027.002
T1027.003
T1027.005
T1027.009
T1029
T1033
T1037.004
T1040
T1046
T1047
T1048
T1048.003
T1049
T1052.001
T1053.003
T1055.001
T1055.003
T1055.012
T1057
T1059.003
T1069
T1069.001
T1069.002
T1070
T1070.003
T1070.007
T1071
T1071.001
T1074
T1082
T1083
T1087
T1087.001
T1087.002
T1090.001
T1090.002
T1090.003
T1091
T1102.002
T1105
T1110
T1110.001
T1111
T1114.002
T1124
T1127.001
T1132.001
T1134
T1134.004
T1135
T1137.006
T1140
T1201
T1205
T1205.001
T1210
T1218.005
T1218.010
T1220
T1480.001
T1482
T1485
T1496.001
T1497.002
T1518
T1546.004
T1546.010
T1546.012
T1547
T1547.009
T1552.001
T1552.002
T1554
T1560
T1560.002
T1560.003
T1564.004
T1564.011
T1567
T1573.001
T1573.002
T1574
T1584.001
T1584.008
T1585.002
T1598
T1598.002
T1598.003
T1614
T1615
T1680

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques

Executive Summary

Why Attackers Use It

MITRE Description

Attack Flow

Prerequisites

Common Tools

Commands

Network Traffic

Windows Events

Sysmon Events

Detection Opportunities

Sigma Rules

Splunk Queries

Investigation Workflow

Containment

Mitigation

Related Techniques

Related techniques