MITRE ATT&CK® Analytic

AN1902: Analytic 1902

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see System Network Configuration Discovery and System Network Connections Discovery.

Domain: ICS · ID: AN1902 · Type: Analytic · Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about catching early reconnaissance of network settings and connections on systems in an ICS ATT&CK context. For leaders, the practical value is that commands, scripts, or API calls used to enumerate IP addresses, MAC addresses, ARP data, adapters, and active connections can be an early warning that an actor is mapping where they are and what systems they can reach. That matters because in operational environments, discovery activity can precede decisions that affect segmentation, remote access paths, incident scope, and business continuity planning.

Executive priority

Prioritize this as a visibility and readiness question: can the organization prove it can see network-discovery behavior on relevant systems, distinguish normal administration from unusual activity, and preserve enough evidence for incident response? Because the supplied ATT&CK object has no platform, tactic, or relationship context, this should not be treated as a complete detection strategy by itself. It is most useful as a control-validation item for SOC monitoring, IR evidence collection, compliance evidence around logging, and cyber-physical resilience where ICS assets depend on segmented and well-understood network paths.

Technical view

Validate monitoring for executed commands, command-line arguments, script execution, and API calls that reveal network configuration or connections. The official text specifically references processes such as ipconfig/ifconfig and arp; Windows management mechanisms such as Windows Management Instrumentation and PowerShell; and API calls such as GetAdaptersInfo() and GetIpNetTable(). Detection engineering should focus on baselining legitimate administrative, patching, troubleshooting, and asset-management activity, then identifying unusual timing, source accounts, remote execution context, or execution on systems where scripting is not normally used. IR teams should ensure command lines, scripts, process ancestry, and relevant host/network context are retained long enough to reconstruct discovery activity.

Likely telemetry

  • Process execution events with full command-line arguments
  • Script execution logs and script file capture where available
  • PowerShell activity and related command/script logging where applicable
  • Windows Management Instrumentation activity where applicable
  • API call or endpoint telemetry showing network adapter, ARP, or connection enumeration where available

Detection direction

  • Confirm logging captures both commands and arguments, not just process names, because the analytic depends on what the process is trying to enumerate.
  • Tune around known administrator, patching, troubleshooting, and inventory workflows to reduce false positives while preserving visibility into out-of-cycle use.
  • Pay special attention to script execution on systems where scripts are uncommon, newly enabled, or outside normal maintenance windows.
  • Correlate process, script, WMI, PowerShell, and API-oriented evidence where available; any one source may be incomplete.
  • Use the referenced discovery behaviors as context for triage, but do not infer intent or impact from enumeration alone without local evidence.
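The tuning points above, worked through as an added example (not code from MITRE or from the Glexia page): a small triage routine over constructed process-execution events that flags the discovery binaries the analytic names (ipconfig/ifconfig, arp) and PowerShell/WMI-driven enumeration, then downgrades a known administrator inside a maintenance window and escalates remote execution parents and script use on hosts where scripting is not routine. The extra binary names (netstat, ip), the cmdlet keywords, the parent-process names and the whole baseline are assumptions made for illustration.

```python
# Added example (not MITRE's or Glexia's code): triage constructed process events for the
# AN1902 behaviours with the page's tuning advice applied. Extra binary names (netstat, ip),
# cmdlet keywords, parent-process names and the whole baseline are assumptions.
from dataclasses import dataclass
from datetime import datetime, time

DISCOVERY_BINARIES = {"ipconfig.exe", "ifconfig", "arp.exe", "arp", "netstat.exe", "netstat", "ip"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
NET_ENUM_KEYWORDS = ("get-netipconfiguration", "get-netneighbor", "get-nettcpconnection",
                     "win32_networkadapterconfiguration", "ipconfig", "arp ")
REMOTE_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}  # WMI / WinRM provider hosts
# Constructed baseline: who may run discovery, during which window, and where scripting is routine.
ADMIN_ACCOUNTS, MAINTENANCE_WINDOW = {"corp\\ot-admin"}, (time(1, 0), time(4, 0))
SCRIPTING_ROUTINE_HOSTS = {"eng-ws01"}

@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str    # image path as logged
    cmdline: str  # full command line; the analytic depends on the arguments, not just the name
    parent: str   # parent image name

def in_maintenance_window(ts: datetime) -> bool:
    return MAINTENANCE_WINDOW[0] <= ts.time() <= MAINTENANCE_WINDOW[1]

def triage(ev: ProcEvent) -> tuple[str, list[str]]:
    """Return ('none' | 'info' | 'alert', reasons) for one process-execution event."""
    image = ev.image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    parent, reasons = ev.parent.lower(), []
    if image in DISCOVERY_BINARIES:
        reasons.append(f"network discovery binary: {ev.cmdline}")
    elif image in SCRIPT_HOSTS:
        if ev.host.lower() not in SCRIPTING_ROUTINE_HOSTS:
            reasons.append("script host on a system where scripting is not routine")
        if any(k in ev.cmdline.lower() for k in NET_ENUM_KEYWORDS):
            reasons.append("script enumerates network configuration or connections")
    if not reasons:
        return "none", reasons
    if parent in REMOTE_PARENTS:
        reasons.append(f"remote execution context (parent {parent})")
    # Downgrade only a known admin, inside the window, not launched via remote management.
    baselined = ev.user.lower() in ADMIN_ACCOUNTS and in_maintenance_window(ev.ts) and parent not in REMOTE_PARENTS
    return ("info" if baselined else "alert"), reasons

SAMPLE_EVENTS = [  # constructed sample telemetry
    ProcEvent(datetime(2026, 1, 10, 2, 30), "eng-ws01", "CORP\\ot-admin", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all", "cmd.exe"),
    ProcEvent(datetime(2026, 1, 10, 14, 5), "hmi-03", "CORP\\svc-hmi", r"C:\Windows\System32\ARP.EXE", "arp -a", "WmiPrvSE.exe"),
    ProcEvent(datetime(2026, 1, 10, 14, 6), "hmi-03", "CORP\\operator", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -c Get-NetTCPConnection -State Established", "explorer.exe"),
]

def triage_all(events=SAMPLE_EVENTS) -> list[str]:
    return [triage(ev)[0] for ev in events]
```

The first event is the in-window administrator and drops to informational, while the WMI-launched arp and the PowerShell connection listing on the HMI both alert with their reasons attached.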

Mitigation priorities

  • Establish or validate endpoint and script logging requirements for systems where network discovery activity would be material to operations.
  • Define normal administrative discovery activity, including who may run it, from where, and during what windows.
  • Restrict unnecessary script execution and remote management capability where operationally feasible, especially on systems where such activity is not routine.
  • Ensure incident response playbooks preserve command-line, script, process, account, and host-network context for suspected discovery activity.
  • Use this analytic as part of a broader ICS monitoring and segmentation assurance program rather than as a standalone control.

Analyst notes and limits

The object is a detection analytic in the ICS ATT&CK domain with official guidance focused on monitoring commands, scripts, management tools, and API calls used to discover network configuration and connections. No relationships were supplied, so there is no additional technique, group, software, campaign, or mitigation context to incorporate beyond the references embedded in the official description.

The supplied object has no platforms, tactics, aliases, labels, relationship context, or official detection field. The guidance therefore supports telemetry and validation direction, but not claims about specific affected technologies, active exploitation, attribution, impact, or guaranteed detection coverage. Local environment baselines are required to separate legitimate administration from suspicious discovery.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 4d087ed536c84758...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4d087ed536c8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1902 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.