System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. show ip route, show ip interface).[1][2] On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command esxcli network nic list will retrieve the MAC address, while esxcli network ip interface ipv4 get will retrieve the local IPv4 address.[3]

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
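The utilities named above are also what a defender looks for in process-creation telemetry. As an added example (not part of the ATT&CK page), the following Python script classifies command lines against the T1016 utilities (ipconfig/ifconfig, arp, nbtstat, route, netsh wlan, esxcli network, show ip route/interface) and raises an alert only when several distinct ones run on the same host within a short window, which separates a one-off `ipconfig` by an administrator from an enumeration burst. The event records and the regular expressions are constructed assumptions for illustration, not data or detection rules from MITRE.

```python
"""Detect bursts of network configuration discovery (ATT&CK T1016) in
process-creation events. Added example; the events and patterns below are
constructed, not taken from the ATT&CK page."""
import re
from collections import defaultdict

# (label, pattern) pairs for the utilities named in T1016. Patterns are
# assumptions about typical invocations and are not exhaustive; they anchor
# on a path separator or whitespace so "report" does not match "route".
DISCOVERY_PATTERNS = [
    ("ipconfig", re.compile(r"(^|[\\/\s])ipconfig(\.exe)?\b", re.I)),
    ("ifconfig", re.compile(r"(^|[\\/\s])ifconfig\b", re.I)),
    ("arp", re.compile(r"(^|[\\/\s])arp(\.exe)?\s+-", re.I)),
    ("nbtstat", re.compile(r"(^|[\\/\s])nbtstat(\.exe)?\b", re.I)),
    ("route", re.compile(r"(^|[\\/\s])route(\.exe)?\s+(print|-n|show)\b", re.I)),
    ("netsh_wlan", re.compile(r"(^|[\\/\s])netsh(\.exe)?\s+wlan\s+show\b", re.I)),
    ("esxcli_nic", re.compile(r"\besxcli\s+network\s+nic\b", re.I)),
    ("esxcli_ip", re.compile(r"\besxcli\s+network\s+ip\b", re.I)),
    ("ios_show_ip", re.compile(r"\bshow\s+ip\s+(route|interface)\b", re.I)),
]

# Constructed process-creation events (hypothetical hosts, users and times).
SAMPLE_EVENTS = [
    {"ts": 1700000000, "host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "cmd": "ipconfig /all"},
    {"ts": 1700000005, "host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "cmd": "arp -a"},
    {"ts": 1700000010, "host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "cmd": "route print"},
    {"ts": 1700000012, "host": "WS-01", "user": "jdoe", "parent": "cmd.exe", "cmd": "nbtstat -n"},
    # A lone ipconfig by an admin: matches a pattern but should not alert.
    {"ts": 1700001000, "host": "WS-02", "user": "admin", "parent": "powershell.exe", "cmd": "ipconfig"},
    {"ts": 1700002000, "host": "esx-01", "user": "root", "parent": "sh", "cmd": "esxcli network nic list"},
    {"ts": 1700002003, "host": "esx-01", "user": "root", "parent": "sh", "cmd": "esxcli network ip interface ipv4 get"},
    {"ts": 1700003000, "host": "WS-03", "user": "svc", "parent": "svchost.exe", "cmd": "notepad.exe report.txt"},
]


def classify(cmd):
    """Return the T1016 utility label a command line matches, or None."""
    for label, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmd):
            return label
    return None


def find_discovery_bursts(events, window=60, min_distinct=2):
    """Alert per host when >= min_distinct different discovery utilities run
    within `window` seconds of each other. One alert per host at most."""
    by_host = defaultdict(list)
    for ev in events:
        label = classify(ev["cmd"])
        if label:
            by_host[ev["host"]].append((ev["ts"], label, ev["cmd"]))

    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        # Slide a window starting at each hit; stop at the first burst.
        for ts, _, _ in hits:
            in_window = [h for h in hits if ts <= h[0] <= ts + window]
            labels = {h[1] for h in in_window}
            if len(labels) >= min_distinct:
                alerts.append({
                    "host": host,
                    "start": ts,
                    "utilities": sorted(labels),
                    "commands": [h[2] for h in in_window],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(f"{alert['host']} @ {alert['start']}: {', '.join(alert['utilities'])}")
        for cmd in alert["commands"]:
            print(f"    {cmd}")
```

On the sample data, WS-01 and esx-01 produce alerts while WS-02's single `ipconfig` does not. In practice the window and threshold are tuned to the environment, and the parent process and user fields carried in each event are what an analyst uses next to decide whether the burst is an administrator's session or something to escalate.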

ID: T1016
Sub-techniques: T1016.001, T1016.002
Tactic: Discovery
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Contributors: Austin Clark, @c2defense
Version: 1.7
Created: 31 May 2017
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S1028 Action RAT

Action RAT has the ability to collect the MAC address of an infected host.[4]

S0552 AdFind

AdFind can extract subnet information from Active Directory.[5][6][7]

G0018 admin@338

admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\download.[8]

S0331 Agent Tesla

Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[9][10]

S0092 Agent.btz

Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[11]

S1025 Amadey

Amadey can identify the IP address of a victim machine.[12]

S0504 Anchor

Anchor can determine the public IP and location of a compromised host.[13]

S0622 AppleSeed

AppleSeed can identify the IP of a targeted system.[14]

G0006 APT1

APT1 used the ipconfig /all command to gather network configuration information.[15]

G0073 APT19

APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[16]

G0022 APT3

A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[17][18]

G0050 APT32

APT32 used the ipconfig /all command to gather the IP address from the system.[19]

G0096 APT41

APT41 collected MAC addresses from victim machines.[20][21]

G1044 APT42

APT42 has used malware, such as GHAMBAR and POWERPOST, to collect network information.[22]

S0456 Aria-body

Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[23]

S0099 Arp

Arp can be used to display ARP configuration information on the host.[24]