MITRE ATT&CK® Detection Strategy

DET0195: Behavioral Detection of System Network Configuration Discovery


Enterprise · DET0195 · Detection Strategy · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0195 is a detection strategy for recognizing behavior associated with System Network Configuration Discovery (T1016): activity where an adversary or tool enumerates network settings such as IP or MAC addressing on a system or remote device. For leaders, the value is not that this behavior is always malicious, but that it often helps an intruder understand routing, reachable systems, and lateral movement options. Because legitimate administrators also perform this discovery, the business decision is whether the SOC can separate expected operations from unusual discovery patterns on the relevant enterprise platforms identified for T1016: ESXi, Linux, macOS, and Network Devices.

Executive priority

Prioritize this as an early-warning and investigation-enrichment control rather than a standalone incident trigger. Network configuration discovery can indicate an adversary is mapping the environment after access, which affects incident scoping, containment decisions, and operational resilience. Security leaders should ask whether endpoint, network-device, and virtualization telemetry is collected consistently enough to prove discovery activity during an investigation and whether the organization can distinguish routine administration from anomalous discovery across critical infrastructure, cloud-adjacent network paths, and high-value systems.

Technical view

The supplied ATT&CK object does not provide an official detection analytic or platform list for DET0195 itself, but it explicitly detects T1016, a Discovery technique on ESXi, Linux, macOS, and Network Devices. SOC and detection teams should validate visibility into administrative utilities and behaviors used to retrieve network configuration, including command execution, process metadata where available, network-device administrative logs, and remote management/session context. Detection should emphasize behavioral context: unusual users, unexpected hosts, rare parent processes, execution outside maintenance windows, repeated enumeration across multiple systems, or discovery followed by other suspicious activity.

Likely telemetry

  • Command execution and process creation logs on Linux and macOS where available
  • Shell history or command auditing where centrally collected
  • ESXi management and administrative activity logs
  • Network device administrative logs, command accounting, or configuration access records
  • Remote access/session telemetry tying users to hosts or devices

Detection direction

  • Validate that monitoring covers the platforms identified by the related ATT&CK technique: ESXi, Linux, macOS, and Network Devices.
  • Treat use of network-configuration utilities as context-dependent; many events will be legitimate administration or troubleshooting.
  • Tune detections around abnormal combinations: rare user or host, unusual time, unexpected remote session source, repeated discovery across assets, or discovery by non-administrative accounts.
  • Correlate discovery behavior with adjacent investigation signals, such as new access, privilege changes, remote sessions, or subsequent movement attempts, rather than relying on a single command event.
  • Identify blind spots where command telemetry is weak, especially network devices, hypervisors, and systems without centralized shell or audit logging.
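The bullets above describe context scoring rather than a single command match. The block below is an added example, not part of the DET0195 object or of Glexia's page: it scores constructed process-creation events for network-configuration discovery using the combinations listed (rare user or host, unusual time, unexpected session source, rare parent, repeated discovery across assets). The utility list, the admin baseline, the maintenance window, the session-source allowlist, the event field names, the weights and the review threshold are all assumptions chosen for illustration and would be replaced by local baselines.

```python
"""Context scoring for network-configuration discovery events.

Added example; every table below (utilities, admin baseline, maintenance
window, session sources, weights) is an assumption, not DET0195 content.
"""
from collections import defaultdict
from datetime import datetime

# Utilities that read network configuration on Linux/macOS/ESXi (assumed list).
DISCOVERY_UTILITIES = {"ifconfig", "ip", "netstat", "route", "arp", "esxcli"}
# Baseline: which accounts normally administer which host (constructed).
EXPECTED_ADMINS = {"web-01": {"ops"}, "db-01": {"ops", "dba"}, "esxi-01": {"vmadmin"}}
EXPECTED_SESSION_SOURCES = {"bastion-01"}        # assumed jump host
NORMAL_PARENTS = {"bash", "sh", "zsh", "sshd"}    # interactive admin shells
NON_ADMIN_ACCOUNTS = {"www-data", "svc_report", "guest"}
MAINTENANCE_HOURS = range(2, 6)                   # 02:00-05:59 local, assumed
REPEAT_HOST_THRESHOLD = 3                         # same user, N distinct hosts
REVIEW_THRESHOLD = 4                              # score at which SOC reviews


def classify_command(cmd):
    """Return the discovery utility name if the command line invokes one, else None."""
    parts = cmd.split()
    if not parts:
        return None
    exe = parts[0].rsplit("/", 1)[-1]   # strip an absolute path such as /sbin/ifconfig
    return exe if exe in DISCOVERY_UTILITIES else None


def analyze(events):
    """Score every discovery event in a batch; returns findings sorted by score."""
    # Pass 1: keep discovery events and count how many hosts each user touched.
    discovery, hosts_by_user = [], defaultdict(set)
    for evt in events:
        util = classify_command(evt["cmd"])
        if util is None:
            continue
        discovery.append((evt, util))
        hosts_by_user[evt["user"]].add(evt["host"])

    # Pass 2: add up the abnormal-context signals from the detection direction list.
    findings = []
    for evt, util in discovery:
        host, user, score, reasons = evt["host"], evt["user"], 0, []
        if user in NON_ADMIN_ACCOUNTS:
            score += 3; reasons.append("non-administrative account")
        if user not in EXPECTED_ADMINS.get(host, set()):
            score += 2; reasons.append("user not in host admin baseline")
        if datetime.fromisoformat(evt["ts"]).hour not in MAINTENANCE_HOURS:
            score += 1; reasons.append("outside maintenance window")
        if evt["session_src"] not in EXPECTED_SESSION_SOURCES:
            score += 2; reasons.append("unexpected remote session source")
        if evt["parent"] not in NORMAL_PARENTS:
            score += 2; reasons.append("rare parent process")
        spread = len(hosts_by_user[user])
        if spread >= REPEAT_HOST_THRESHOLD:
            score += 2; reasons.append(f"discovery on {spread} hosts in this batch")
        findings.append({"ts": evt["ts"], "host": host, "user": user, "utility": util,
                         "score": score, "reasons": reasons,
                         "review": score >= REVIEW_THRESHOLD})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed sample telemetry (not real logs): one routine admin check, one
# out-of-window admin check, one unrelated command, and one non-admin account
# enumerating three hosts from an unexpected source.
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T03:00:00", "host": "web-01", "user": "ops", "parent": "bash",
     "session_src": "bastion-01", "cmd": "ip addr show"},
    {"ts": "2024-05-14T10:00:00", "host": "db-01", "user": "dba", "parent": "bash",
     "session_src": "bastion-01", "cmd": "ip route"},
    {"ts": "2024-05-14T10:01:00", "host": "db-01", "user": "dba", "parent": "bash",
     "session_src": "bastion-01", "cmd": "cat /etc/hosts"},
    {"ts": "2024-05-14T14:12:00", "host": "web-01", "user": "svc_report", "parent": "python3",
     "session_src": "workstation-77", "cmd": "/sbin/ifconfig -a"},
    {"ts": "2024-05-14T14:13:00", "host": "db-01", "user": "svc_report", "parent": "python3",
     "session_src": "workstation-77", "cmd": "netstat -rn"},
    {"ts": "2024-05-14T14:15:00", "host": "esxi-01", "user": "svc_report", "parent": "sh",
     "session_src": "workstation-77", "cmd": "esxcli network ip interface list"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        flag = "REVIEW" if f["review"] else "ok    "
        print(f"{flag} {f['score']:2d} {f['ts']} {f['host']:8s} {f['user']:11s} "
              f"{f['utility']:8s} {'; '.join(f['reasons'])}")
```

Only the three events by the service account cross the review threshold; the single routine `ip addr show` during the maintenance window scores zero and the out-of-window admin check scores one, which is the separation the bullets ask for between expected administration and anomalous discovery. In practice the baseline tables would be generated from historical telemetry rather than hand-written.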

Mitigation priorities

  • First, ensure logging and retention are sufficient to reconstruct network-configuration discovery on critical assets and administrative planes.
  • Second, restrict and monitor administrative access to ESXi hosts, Linux/macOS systems, and network devices using least privilege and accountable identities.
  • Third, baseline expected administrative discovery activity so the SOC can tune alerts without suppressing meaningful anomalies.
  • Fourth, incorporate this behavior into incident response playbooks as a scoping signal: determine what system or network information was exposed and whether follow-on activity occurred.
  • Finally, use control validation exercises to confirm telemetry reaches the SIEM or detection platform with enough user, host, command, and session context.

Analyst notes and limits

This take is based on the DET0195 detection strategy object and its relationship indicating it detects T1016 System Network Configuration Discovery. The official DET0195 object supplied here has no description, no detection text, no tactics, and no platforms of its own, so recommendations are derived conservatively from the related T1016 context and its listed platforms and Discovery tactic.

No official DET0195 analytic logic, data sources, detection pseudocode, false-positive guidance, or platform scope was supplied. Local environment baselines, logging architecture, and administrative practices are required before judging coverage or alert severity.

Official MITRE ATT&CK definition

Behavioral Detection of System Network Configuration Discovery

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1016
Name: System Network Configuration Discovery
Relationship / procedure: This object detects System Network Configuration Discovery.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 02fce1f4b72b9546...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 02fce1f4b72b…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0195 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.