This note documents detection patterns related to Network Enumeration within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects discovery commands and scanners. The command line is only recorded when the "Include command line in process creation events" policy is enabled. |
| Sysmon | 1 | Process creation | Critical | Best execution source for enumeration tooling and parent/child lineage (includes ParentImage and hashes). |
| Sysmon | 3 | Network connection | Critical | Outbound probes, SMB touches, and scan traffic. Covers TCP and UDP only, so an ICMP ping sweep leaves no Event 3 records. |
| Sysmon | 22 | DNS query | High | Name resolution during host discovery; many distinct internal names from one process is the pattern to look for. |
| PowerShell | 4104 | Script block logging | Critical | Captures PowerShell-based discovery (Test-NetConnection loops, scripted sweeps) as the de-obfuscated script block. Requires Script Block Logging to be enabled. |
| Security | 5156 | WFP permitted connection | High | Native connection visibility, including ICMP. Requires the "Filtering Platform Connection" audit subcategory and is very high volume. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Burst of host probes | Ping, SMB, RPC, WinRM attempts to many hosts from one process in a short window | Critical | Classic network recon. |
| Internal subnet sweep | Sequential or near-sequential destination IPs within one /24 | Critical | Strong attacker pattern; rarely produced by normal workstation software. |
| AD infra discovery | DC, file server, SQL host targeting (LDAP 389/636, SMB 445, MSSQL 1433) | High | Environment mapping. |
| DNS burst for many hosts | Large number of distinct internal name resolutions from one process (Sysmon 22) | High | Recon precursor. |
| Port checks from workstation | Many destination ports against one or a few hosts | Critical | Scan behavior; workstations normally talk to a small, stable set of ports. |
| Rare admin tools | nltest, net view, arp, route | High | Valuable context; weigh against the user's role and the parent process. |
Common Tools
| Tool | Usage |
|---|---|
| ping.exe | Host discovery (ping -n 1 against a list of addresses) |
| arp.exe | Neighbor discovery (arp -a lists the local ARP cache without sending traffic) |
| net.exe | Share / host enumeration (net view, net view /domain, net share) |
| nltest.exe | Domain infrastructure discovery (nltest /dclist:<domain>, nltest /domain_trusts) |
| route.exe | Routing visibility (route print) |
| tracert.exe | Path discovery |
| PowerShell | Test-NetConnection / scripted sweeps (Test-NetConnection -ComputerName <host> -Port <port> in a loop) |
| nmap.exe | Full port and service scanning |
Relevant Artifacts
- Security Event ID 4688
- Sysmon Event IDs 1, 3, 22
- Security Event ID 5156
- PowerShell 4104
- Prefetch (PING.EXE, ARP.EXE, NLTEST.EXE, NET.EXE, NMAP.EXE entries; Prefetch is disabled by default on Windows Server)
- Amcache / ShimCache
- Firewall logs
- DNS cache
- EDR network graph
MITRE ATT&CK References
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1135 Network Share Discovery (net view / net share usage above)
Decision Tree
- Which network recon tool executed?
  - Native binary
  - PowerShell
  - Scanner
- Scope of discovery?
  - Single host
  - Subnet
  - Multi-subnet
- Targets sensitive?
  - DC
  - SQL
  - File server
- Follow-up activity?
  - Authentication
  - SMB
  - Lateral movement
- Expand:
  - DNS
  - Shares
  - Services
- Classification:
  - Single host recon
  - Automated sweep
  - Campaign staging
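The scope and sensitivity questions in the tree above, and the sweep and port-check patterns in the Indirect Indicators table, can be answered mechanically from Sysmon Event ID 3 records. The following is an added example, not code from the original note: it groups constructed Event 3 records by process, classifies each process as single host, port scan, subnet sweep or multi-subnet sweep inside a five-minute window, tags sensitive destinations, and maps the Image to the tree's tool class. The field names follow Sysmon Event 3; the SENSITIVE_HOSTS table, the thresholds and the sample records are assumptions made for this example.

```python
"""Scope classification for network recon from Sysmon Event ID 3 records.
Added example; the asset tags, thresholds and sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

WINDOW = timedelta(minutes=5)   # correlation window (same 5m span as the EQL template)
SWEEP_MIN_HOSTS = 10            # distinct destination hosts that make a sweep (illustrative)
PORTSCAN_MIN_PORTS = 8          # distinct ports on one destination that make a port scan (illustrative)

NATIVE_TOOLS = {"ping.exe", "arp.exe", "net.exe", "nltest.exe", "route.exe", "tracert.exe"}
# Constructed asset tags standing in for a CMDB lookup.
SENSITIVE_HOSTS = {"10.0.0.10": "DC", "10.0.0.20": "SQL", "10.0.0.30": "File server"}


def tool_class(image):
    """Map an Image path to the decision tree's tool categories."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in NATIVE_TOOLS:
        return "native binary"
    if name in ("powershell.exe", "pwsh.exe"):
        return "PowerShell"
    if name == "nmap.exe":
        return "scanner"
    return "other"


def _subnet(ip_text):
    """Bucket a destination into its /24 (IPv4) or /64 (IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _ts(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime format


def classify(events):
    """Group Event 3 records by (Computer, Image, ProcessGuid) and classify the
    destinations each process touched within WINDOW of its first connection."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["Computer"], e["Image"], e["ProcessGuid"])].append(e)
    findings = []
    for (computer, image, guid), evs in sorted(groups.items()):
        evs.sort(key=_ts)
        start = _ts(evs[0])
        window = [e for e in evs if _ts(e) - start <= WINDOW]
        ports = defaultdict(set)                      # destination ip -> set of ports
        for e in window:
            ports[e["DestinationIp"]].add(int(e["DestinationPort"]))
        ips = set(ports)
        subnets = {_subnet(ip) for ip in ips}
        if len(ips) >= SWEEP_MIN_HOSTS:
            scope = "multi-subnet sweep" if len(subnets) > 1 else "subnet sweep"
        elif max(len(p) for p in ports.values()) >= PORTSCAN_MIN_PORTS:
            scope = "port scan"
        else:
            scope = "single host"
        findings.append({
            "Computer": computer, "Image": image, "ProcessGuid": guid,
            "tool": tool_class(image), "scope": scope,
            "hosts": len(ips), "subnets": len(subnets),
            "sensitive": sorted(SENSITIVE_HOSTS[ip] for ip in ips if ip in SENSITIVE_HOSTS),
        })
    return findings


def _ev(computer, image, guid, second, ip, port):
    # Constructed sample record; only the fields the classifier reads are populated.
    t = datetime(2024, 5, 1, 12, 0, 0) + timedelta(seconds=second)
    return {"Computer": computer, "Image": image, "ProcessGuid": guid,
            "UtcTime": t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
            "DestinationIp": ip, "DestinationPort": str(port)}


NMAP = r"C:\Tools\nmap.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = (
    # nmap on WS01: SMB probe of 12 hosts in 10.0.0.0/24, including the DC and SQL host
    [_ev("WS01", NMAP, "{A}", i, f"10.0.0.{i}", 445) for i in range(10, 22)]
    # same process 20 minutes later: outside the window, must not be counted
    + [_ev("WS01", NMAP, "{A}", 1200, "10.0.0.99", 445)]
    # PowerShell Test-NetConnection loop on WS01: 9 ports against the SQL host
    + [_ev("WS01", PS, "{B}", 30 + i, "10.0.0.20", p)
       for i, p in enumerate((135, 139, 445, 1433, 3389, 5985, 5986, 80, 443))]
    # nmap on WS03: 6 hosts in each of two /24s
    + [_ev("WS03", NMAP, "{D}", i, f"10.0.{1 + i % 2}.{i}", 445) for i in range(1, 13)]
    # ordinary browser traffic on WS02: one host, two ports
    + [_ev("WS02", CHROME, "{C}", 0, "10.0.5.7", 443), _ev("WS02", CHROME, "{C}", 5, "10.0.5.7", 80)]
)

if __name__ == "__main__":
    for finding in classify(SAMPLE_EVENTS):
        print(finding)
```

Because Sysmon Event 3 covers TCP and UDP only, an ICMP-only ping sweep produces no input for this classifier and has to be caught through 4688/Sysmon 1 command lines, Security 5156, or firewall logs instead.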
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("ping.exe","arp.exe","nltest.exe","net.exe","route.exe","tracert.exe","nmap.exe")
| project TimeGenerated, Computer, Account, CommandLine
Sysmon (Event table; Sysmon fields live in the EventData XML and must be parsed out)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 3
| parse EventData with * '<Data Name="Image">' Image '</Data>' * '<Data Name="DestinationIp">' DestinationIp '</Data>' * '<Data Name="DestinationPort">' DestinationPort '</Data>' *
| project TimeGenerated, Computer, Image, DestinationIp, DestinationPort
EQL
process where event.type == "start" and process.name in ("ping.exe","arp.exe","nltest.exe","net.exe","nmap.exe")
// Join on process.entity_id so the network event must come from the recon process itself.
// ping.exe is left out of the sequence: ICMP does not produce a network event.
sequence by host.name, process.entity_id with maxspan=5m
[ process where event.type == "start" and process.name in ("nltest.exe","nmap.exe") ]
[ network where destination.ip != null ]
Sigma
title: Network Enumeration Detection
id: 6f2d1b38-7c4e-4b0a-9d2f-3e5a8c1b6f90   # Sigma requires a UUIDv4 here; generate a fresh one per rule
status: experimental
description: Detects execution of common internal network discovery commands via Security Event ID 4688
references:
    - https://attack.mitre.org/techniques/T1016/
    - https://attack.mitre.org/techniques/T1018/
    - https://attack.mitre.org/techniques/T1046/
author: Vergil
date: 2026-03-07
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\ping.exe'
            - '\arp.exe'
            - '\nltest.exe'
            - '\net.exe'
            - '\nmap.exe'
    condition: selection
fields:
    - NewProcessName
    - CommandLine
    - ParentProcessName
falsepositives:
    - Administrative diagnostics and monitoring scripts
level: medium
tags:
    - attack.discovery
    - attack.t1016
    - attack.t1018
    - attack.t1046
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Recon burst monitoring | Alert on command sequences | Critical | Strong early signal |
| Internal scan detection | Watch subnet sweeps | Critical | Detect broad recon |
| DNS monitoring | Detect internal query bursts | High | Recon enrichment |
| Parent-child correlation | Identify remote shell origin (e.g. cmd.exe or powershell.exe spawned by wsmprovhost.exe or a service rather than explorer.exe) | High | Distinguish admin vs attacker |
| EDR network analytics | Sequence-based detection | Critical | Better than single command alerts |