DET0574: Detection Strategy for Remote System Enumeration Behavior
Analyst context for executives and security teams
DET0574 is a detection strategy tied to Remote System Discovery (T1018): behavior where an adversary tries to learn what other systems exist by IP address, hostname, or other logical identifiers. For leaders, the value is not just finding “ping-like” activity; it is validating whether the organization can see early lateral-movement preparation across relevant enterprise assets such as ESXi, Linux, macOS, and network devices.
Executive priority
Prioritize this as a resilience and incident-scoping control. If defenders cannot observe remote system enumeration, an intrusion can progress from one system toward broader network access with limited warning. Security leaders should ask whether SOC telemetry covers discovery behavior on the platforms in scope, whether legitimate admin and monitoring activity is baselined, and whether detection evidence can support incident response, audit, and segmentation decisions.
Technical view
The supplied relationship states that this detection strategy detects T1018 Remote System Discovery under the Discovery tactic. SOC and detection teams should validate visibility for attempts to list or probe other systems by IP address, hostname, or logical identifier. The related ATT&CK description references use of remote access tool functionality and operating-system utilities such as Ping, Net-related enumeration, and ESXi network diagnostic commands. Because DET0574 has no official detection text of its own, teams should treat this as a coverage-validation objective rather than a ready-made analytic.
Likely telemetry
- Process execution and command-line telemetry for discovery utilities where available
- Remote access tool activity that includes host or network enumeration functions
- Network connection, flow, or probe patterns from a single host to multiple internal systems
- DNS or hostname lookup activity associated with broad internal discovery
- ESXi, Linux, macOS, and network-device administrative logs where those platforms are in scope
Detection direction
- Baseline legitimate administration, monitoring, vulnerability scanning, and asset discovery so detections do not overload the SOC with expected activity.
- Look for unusual fan-out from a host to many internal IPs or hostnames, especially when the source system does not normally perform discovery.
- Correlate enumeration with surrounding intrusion context, such as new remote access activity, suspicious process execution, or later lateral movement indicators.
- Validate platform coverage specifically for the related platforms supplied by ATT&CK: ESXi, Linux, macOS, and network devices.
- Check blind spots where command-line logging, network-device logging, or ESXi administrative telemetry is incomplete or not forwarded to the SIEM.
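The fan-out and baselining points above (and the network-flow telemetry listed under "Likely telemetry") can be turned into a concrete check. The following Python is an added example written for this page, not detection logic from MITRE, Glexia, or the DET0574 object. It assumes a simple constructed flow-log line format (`<timestamp> src=<host> dip=<ip> dport=<port>`), an assumed internal address space, and an assumed allowlist of approved discovery sources (`vscan01`); all sample log lines are constructed inline. It flags any non-allowlisted host that reaches a threshold number of distinct internal destinations inside a sliding time window, which is the "unusual fan-out" pattern described above.

```python
"""Sliding-window fan-out detector for remote system discovery (T1018) over flow-style log lines."""
from collections import Counter
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed baseline: hosts authorized to perform broad enumeration (vulnerability/asset scanners).
APPROVED_DISCOVERY_SOURCES = {"vscan01"}
# Assumed internal address space; only destinations inside it count toward fan-out.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Assumed (constructed) log line format: "2024-05-01T10:00:00Z src=ws017 dip=10.1.2.4 dport=445"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dip=(?P<dip>\S+) dport=(?P<dport>\d+)$")


def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dip": m["dip"],
        "dport": int(m["dport"]),
    }


def is_internal(ip):
    """True when ip is a valid address inside one of the assumed internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def detect_fanout(lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per source host that contacts >= threshold distinct internal IPs within window."""
    by_src = {}
    for line in lines:
        ev = parse_flow(line)
        if ev is None or not is_internal(ev["dip"]):
            continue  # unparsable lines and external destinations are ignored
        by_src.setdefault(ev["src"], []).append(ev)

    alerts = []
    for src, events in by_src.items():
        if src in APPROVED_DISCOVERY_SOURCES:
            continue  # baselined scanner: expected fan-out, suppress
        events.sort(key=lambda e: e["ts"])
        in_window = Counter()  # destination ip -> number of events currently inside the window
        left = 0
        for ev in events:
            in_window[ev["dip"]] += 1
            # Slide the left edge forward until every counted event is within `window` of this one.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dip"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts.append({
                    "src": src,
                    "distinct_targets": len(in_window),
                    "window_start": events[left]["ts"],
                    "window_end": ev["ts"],
                })
                break  # one alert per host; later events would only re-raise the same finding
    return alerts


def _flow(ts, src, dip, dport=445):
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} src={src} dip={dip} dport={dport}"


# Constructed sample log covering the four cases a detection engineer would want to see handled.
_T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    # ws017: a workstation touching 12 distinct internal hosts in 36 seconds (unexpected fan-out)
    [_flow(_T0 + timedelta(seconds=3 * i), "ws017", f"10.1.2.{i + 1}") for i in range(12)]
    # vscan01: approved scanner sweeping 30 hosts, baselined so it must not alert
    + [_flow(_T0 + timedelta(seconds=i), "vscan01", f"10.1.3.{i + 1}") for i in range(30)]
    # ws020: ordinary activity, a few internal hosts plus one external address
    + [_flow(_T0, "ws020", "10.1.2.50"), _flow(_T0, "ws020", "10.1.2.51", 80), _flow(_T0, "ws020", "8.8.8.8", 53)]
    # ws033: 12 hosts but spread over two hours, never 10 inside any 5-minute window
    + [_flow(_T0 + timedelta(minutes=10 * i), "ws033", f"10.1.4.{i + 1}") for i in range(12)]
)

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOG):
        print(f"ALERT {alert['src']}: {alert['distinct_targets']} internal targets "
              f"between {alert['window_start']} and {alert['window_end']}")
```

Running it prints a single alert for `ws017`; the approved scanner, the low-volume workstation, and the slow-spread host are all silent. The threshold and window are the tuning knobs the baselining step above is meant to inform: raise them in environments where management hosts legitimately touch many systems, and feed the alert into the correlation step (new remote access activity, suspicious process execution) rather than treating it as a verdict on its own.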
Mitigation priorities
- Establish and maintain asset inventory and approved discovery sources so defenders can separate authorized enumeration from unexpected behavior.
- Restrict administrative access and remote access tool usage to approved users, systems, and management networks.
- Use network segmentation and access control to limit how much of the environment any one compromised system can enumerate or reach.
- Ensure logging is enabled and retained for endpoint process activity, network flows, DNS/hostname lookups, ESXi administration, and network-device management where applicable.
- Include remote system discovery in incident response playbooks as an early signal for lateral-movement scoping and containment decisions.
Analyst notes and limits
This take is based on the DET0574 detection-strategy object and its relationship to T1018 Remote System Discovery. The detection-strategy object itself provides no official description, detection logic, platforms, or tactics; the practical guidance therefore comes from the related ATT&CK technique context and should be validated against the local environment.
No official DET0574 detection text, data sources, analytics, or mitigations were supplied. Platform and tactic context comes from the related T1018 object only. Local baselines, logging configuration, and approved administrative workflows are required to determine what is suspicious.
Detection Strategy for Remote System Enumeration Behavior
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1018 | Remote System Discovery | This object detects Remote System Discovery. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 40613d70b66f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0574 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.