T1018Discovery

Remote System Discovery

Find other hosts on the network.

§ Where this technique fits

T1018 is catalogued under the Discovery tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, typically at step 1.3 on average.

Authoritative reference: attack.mitre.org/techniques/T1018/.

§ Dossiers chaining this technique

No creds → Domain Admin via LLMNR poisoning and NTLM relay
Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
step 1 / 8
ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
step 1 / 5
DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
step 2 / 5

§ What commonly comes next

01
DNS Tunneling Exfil (iodine / dnscat2)
DNS-TUNNEL-EXFIL · Exfiltration
seen 1×
02
LLMNR/NBT-NS Poisoning and SMB Relay
T1557.001 · Credential Access
seen 1×
03
ZeroLogon (CVE-2020-1472)
AD-ZL · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

No creds → Domain Admin via LLMNR poisoning and NTLM relay

ZeroLogon (CVE-2020-1472) → Domain takeover

DNS tunnel exfiltration in restricted egress

§ What commonly comes next