AN0559: Analytic 0559
Execution of built-in tools (e.g., ipconfig, route, netsh) or PowerShell/WMI queries to enumerate IP, MAC, interface status, or routing configuration.
Analyst context for executives and security teams
This analytic is about spotting Windows activity where built-in tools or PowerShell/WMI are used to enumerate local network configuration such as IP addresses, MAC addresses, interface state, and routing details. For leaders, the value is not that these commands are inherently malicious—they are common in administration and troubleshooting—but that they can also appear early in an intrusion when an actor is mapping the environment before moving further. Coverage depends heavily on whether endpoint and command-execution telemetry is collected and searchable.
Executive priority
Prioritize this as a validation point for SOC and incident response readiness rather than as a standalone high-confidence alert. Security leaders should ask whether Windows command-line, PowerShell, WMI, and process execution evidence is retained well enough to reconstruct network discovery behavior during an investigation. This supports operational resilience, audit evidence, and incident scoping because local network configuration discovery can help explain what an intruder may have learned about segmentation, routing, and reachable systems.
Technical view
On Windows, validate visibility into execution of built-in tools such as ipconfig, route, and netsh, as well as PowerShell or WMI queries that enumerate IP addresses, MAC addresses, interface status, or routing configuration. Because ATT&CK provides no official detection logic, tactics, or relationship context for this analytic, detection engineering should treat it as a behavior pattern requiring local baselining. Focus on process creation, command-line arguments, script block or PowerShell logging where available, WMI activity, user context, parent process, host role, and timing relative to other suspicious events.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell execution telemetry, including script content where enabled
- WMI activity logs or endpoint telemetry showing query execution
- Endpoint detection and response process lineage and parent-child relationships
- User, host, and privilege context for the executing process
Detection direction
- Confirm that process execution telemetry captures command names and arguments for ipconfig, route, netsh, PowerShell, and WMI-related execution on Windows.
- Baseline expected administrative and troubleshooting use to reduce false positives; these tools are commonly used by IT staff and legitimate scripts.
- Prioritize unusual combinations such as discovery commands launched by unexpected parent processes, non-administrative users, newly observed hosts, or activity occurring near other suspicious execution events.
- Validate retention and searchability for IR use, since this behavior may be more valuable as context during an investigation than as a high-severity alert by itself.
- Document blind spots where PowerShell logging, WMI visibility, or command-line capture is missing or disabled.
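One way to exercise the detection direction above against process-creation telemetry, as an added example that is not part of the ATT&CK analytic or of Glexia's page: the script matches the named tools and PowerShell/WMI queries in command lines, checks parent-process and user context against an assumed local baseline, and flags a host where three or more distinct techniques appear within five minutes. The regex patterns, the baseline sets, the host and account names, and the event records are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Command lines the analytic names: ipconfig, route, netsh, PowerShell network
# cmdlets and WMI network classes. Patterns are assumptions; tune to your estate.
DISCOVERY = {
    "ipconfig": re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "route": re.compile(r"\broute(\.exe)?\s+print\b", re.I),
    "netsh": re.compile(r"\bnetsh(\.exe)?\s+interface\b", re.I),
    "ps-net": re.compile(r"\bget-net(ipconfiguration|ipaddress|adapter|route)\b", re.I),
    "wmi-net": re.compile(r"\bwin32_networkadapter(configuration)?\b", re.I),
}
# Assumed local baseline: parents and accounts for which this activity is routine.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}
ADMIN_USERS = {"corp\\helpdesk-admin"}
def classify(cmdline):
    """Name of the first matching discovery technique, or None."""
    return next((k for k, rx in DISCOVERY.items() if rx.search(cmdline)), None)
def context_reasons(ev):
    """Why one event is unusual: parent process or user outside the baseline."""
    out = set()
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        out.add("unexpected parent: " + ev["parent"])
    if ev["user"].lower() not in ADMIN_USERS:
        out.add("non-admin user: " + ev["user"])
    return out
def analyze(events, window=timedelta(minutes=5)):
    """Per host: techniques seen, context reasons, burst=True once 3+ distinct techniques fall in `window`."""
    summary = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev["cmdline"])
        if kind is None:
            continue  # not network-configuration discovery; ignore
        s = summary.setdefault(ev["host"], {"seen": [], "techniques": set(), "reasons": set(), "burst": False})
        s["seen"].append((ev["ts"], kind))
        s["techniques"].add(kind)
        s["reasons"] |= context_reasons(ev)
        if len({k for t, k in s["seen"] if ev["ts"] - t <= window}) >= 3:
            s["burst"] = True
    return summary

T = datetime(2024, 1, 1, 9, 0, 0)
def rec(m, host, user, parent, cmd):  # constructed process-creation record, m = minutes after T
    return {"ts": T + timedelta(minutes=m), "host": host, "user": user, "parent": parent, "cmdline": cmd}
SAMPLE_EVENTS = [  # constructed, not real telemetry
    rec(0, "WS01", "corp\\helpdesk-admin", "cmd.exe", "ipconfig /all"),
    rec(1, "WS02", "corp\\jdoe", "svc_updater.exe", "cmd.exe /c ipconfig /all"),
    rec(2, "WS02", "corp\\jdoe", "svc_updater.exe", "route print"),
    rec(3, "WS02", "corp\\jdoe", "svc_updater.exe", "powershell -c Get-NetIPConfiguration"),
    rec(4, "WS03", "corp\\jdoe", "explorer.exe", "notepad.exe"),
]
```

On the constructed sample, WS01 is routine (admin user, expected parent, a single technique) while WS02 collects both context reasons and a burst, which is the combination the detection direction says to prioritize.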
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are sufficient to capture command execution, PowerShell, and WMI activity.
- Apply least-privilege administration and restrict routine administrative access to appropriate accounts and systems.
- Harden PowerShell and WMI monitoring configurations where feasible, balancing operational requirements and audit needs.
- Use segmentation and asset inventory practices so that discovery of local network configuration does not expose unnecessary routing or reachability information.
- Build incident response playbooks that treat network-configuration enumeration as a scoping signal when correlated with other suspicious activity.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic, AN0559, for Windows. It describes execution of built-in tools or PowerShell/WMI queries to enumerate local network configuration. No official detection text, tactics, or relationship context were supplied, so this take frames the analytic as a telemetry and validation requirement rather than a complete detection rule.
This assessment is limited to the supplied STIX fields, external reference, and absence of relationships. It does not establish adversary attribution, active exploitation, impact, or guaranteed detectability. Local environment baselines are required because the described tools and queries are also common in legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases (hashes and MITRE timestamps) so they can be compared. For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a6c2ef00b190… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0559
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.