Action RAT has the ability to collect the MAC address of an infected host.[3]
AdFind can extract subnet information from Active Directory.[4][5][6]
admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\download[7]
Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[8][9]
Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[10]
Anchor can determine the public IP and location of a compromised host.[12]
APT1 used the ipconfig /all command to gather network configuration information.[14]
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[15]
A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[16][17]
APT32 used the ipconfig /all command to gather the IP address from the system.[18]
Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[21]
Arp can be used to display ARP configuration information on the host.[22]
Astaroth collects the external IP address from the system. [23]
Avaddon can collect the external IP address of the victim.[24]
Avenger can identify the domain of the compromised host.[25]
Azorult can collect host IP information from the victim’s machine.[26]
Backdoor.Oldrea collects information about the Internet adapter configuration.[28][29]
Bandook has a command to get the public IP address from a system.[32]
Bazar can collect the IP address and NetBIOS name of an infected machine.[33]
Bisonal can execute ipconfig on the victim’s machine.[34][35][36]
BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.[37][38]
BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[39]
BLUELIGHT can collect IP information from the victim’s machine.[40]
Bonadan can find the external IP address of the infected host.[41]
BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API.[42]
Brave Prince gathers network configuration information as well as the ARP cache.[43]
During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.[44]
During C0017, APT41 used cmd.exe /c ping %userdomain% for discovery.[45]
During C0018, the threat actors ran nslookup and Advanced IP Scanner on the target network.[46]
Calisto runs the ifconfig command to obtain the IP address from the victim’s machine.[47]
Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[48][49]
Catchamas gathers the Mac address, IP address, and the network adapter information from the victim’s machine.[50]
Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command.[51]
CharmPower has the ability to use ipconfig to enumerate system network settings.[52]
Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.[53]
Chrommme can enumerate the IP address of a compromised host.[54]
Clambling can enumerate the IP address of a compromised machine.[55][56]
Cobalt Strike can determine the NetBios name and the IP addresses of targets machines including domain controllers.[57][58]
Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information.[59]
Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.[60]
CrackMapExec can collect DNS information from the targeted system.[61]
CreepySnail can use getmac and Get-NetIPAddress to enumerate network settings.[62]
Crimson contains a command to collect the victim MAC address and LAN IP.[63][64]
Cuba can retrieve the ARP cache from the local system by using GetIpNetTable.[65]
Cyclops Blink can use the Linux API if_nameindex to gather network interface names.[66][67]
Darkhotel has collected the IP address and network adapter information from the victim’s machine.[68][69]
DEADEYE can discover the DNS domain name of a targeted system.[45]
Denis uses ipconfig to gather the IP address from the system.[18]
Diavol can enumerate victims' local and external IPs when registering with C2.[70]
down_new has the ability to identify the MAC address of a compromised host.[25]
Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[71]
Dtrack can collect the host's IP addresses using the ipconfig command.[72][73]
The reconnaissance modules used with Duqu can collect information on network configuration.[74]
DUSTTRAP can enumerate infected system network information.[75]
Dyre has the ability to identify network settings on a compromised host.[76]
Earth Lusca used the command ipconfig to obtain information about network configurations.[77]
Elise executes ipconfig /all after initial communication is made to the remote server.[79][80]
Emissary has the capability to execute the command ipconfig /all.[81]
Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.[82][83]
Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine.[84]
Explosive has collected the MAC address from the victim's machine.[85]
FALLCHILL collects MAC address and local IP address information from the victim.[86]
FatDuke can identify the MAC address on the target computer.[87]
Felismus collects the victim LAN IP address and sends it to the C2 server.[88]
FELIXROOT collects information about the network including the IP address and DHCP server.[89]
FIN13 has used nslookup and ipconfig for network reconnaissance efforts. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information.[90][91]
Flagpro has been used to execute the ipconfig /all command on a victim system.[92]
During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.[83]
FunnyDream can parse the ProxyServer string in the Registry to discover http proxies.[93]
During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[93]
GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[94]
GeminiDuke collects information on network settings and Internet proxy settings from the victim.[95]
GoldMax retrieved a list of the system's network interface after execution.[96]
Gootloader can use an embedded script to check the IP address of potential victims visiting compromised websites.[97]
Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[98]
GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[99]
Green Lambert can obtain proxy information from a victim's machine using system environment variables.[100][101]
GrimAgent can enumerate the IP and domain of a target system.[102]
HEXANE has used Ping and tracert for network discovery.[104]
Higaisa used ipconfig to gather network configuration information.[105][106]
HotCroissant has the ability to identify the IP address of the compromised machine.[107]
Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[108][109]
The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.[110]
IcedID used the ipconfig /all command and a batch script to gather network information.[111]
ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP.
Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[113]
InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.[114][115]
ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP.
Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.[116]
A JHUHUGIT variant gathers network interface card information.[117]
JPIN can obtain network information, including DNS, IP, and proxies.[118]
Ke3chang has performed local network configuration discovery using ipconfig.[121][122][123]
Kessel has collected the DNS address of the infected host.[41]
Kevin can collect the MAC address and other information from a victim machine using ipconfig/all.[104]
KeyBoy can determine the public or WAN IP address for the system.[124]
KEYMARBLE gathers the MAC address of the victim’s machine.[125]
Kimsuky has used ipconfig/all and web beacons sent via email to gather network configuration information.[126][127]
Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.[128][129]
Kobalos can record the IP address of the target machine.[130]
KONNI can collect the IP address from the victim’s machine.[131]
KOPILUWAK can use Arp to discover a target's network configuration setttings.[132]
KV Botnet Activity gathers victim IP information during initial installation stages.[133]
Kwampirs collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.[134]
Latrodectus can discover the IP and MAC address of a targeted host.[135][136]
Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[137][138]
LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo.[139]
LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[87]
Lizar can retrieve network information from a compromised host.[140]
Lokibot has the ability to discover the domain name of the infected host.[141]
LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.[142]
Lucifer can collect the IP address of a compromised host.[143]
LunarLoader can verify the targeted host's DNS name which is then used in the creation of a decyrption key.[144]
LunarWeb can use shell commands to discover network adapters and configuration.[144]
Machete collects the MAC address of the target computer and other network configuration information.[145][146]
MacMa can collect IP addresses from a compromised host.[147]
Mafalda can use the GetAdaptersInfo function to retrieve information about network adapters and the GetIpNetTable function to retrieve the IPv4 to physical network address mapping table.[148]
Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[149][150][151]
Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes.[152]
menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[153]
Milan can run C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1 to discover network settings.[154]
Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all.[155]
Moonstone Sleet has gathered information on victim network configuration.[156]
More_eggs has the capability to gather the IP address from the victim's machine.[158]
Moses Staff has collected the domain name of a compromised network.[159]
MuddyWater has used malware to collect the victim’s IP address and domain name.[161]
Mustang Panda has used ipconfig and arp to determine network configuration information.[162]
Naikon uses commands such as netsh interface show to discover network interface settings.[164]
NanHaiShu can gather information about the victim proxy server.[165]
NanoCore gathers the IP address from the victim’s machine.[166]
nbtstat can be used to discover local NetBIOS domain names.
Neoichor can gather the IP address from an infected host.[123]
NETWIRE can collect the IP address of a compromised host.[169][170]
NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[171]
Nightdoor gathers information on victim system network configuration such as MAC addresses.[172]
Ninja can enumerate the IP address on compromised systems.[173]
Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[174]
Octopus can collect the host IP address from the victim’s machine.[177]
Okrum can collect network information, including the host IP address, DNS, and proxy information.[180]
Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[181]
During Operation CuckooBees, the threat actors used ipconfig, nbtstat, tracert, route print, and cat /etc/hosts commands.[182]
During Operation Wocao, threat actors discovered the local network configuration with ipconfig.[183]
OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[184][185]
Pay2Key can identify the IP and MAC addresses of the compromised host.[186]
PcShare can obtain the proxy settings of a compromised machine using InternetQueryOptionA and its IP address by running nslookup myip.opendns.comresolver1.opendns.com\r\n.[93]
Penquin can report the IP of the compromised host to attacker controlled infrastructure.[187]
Pikabot gathers victim network information through commands such as ipconfig and ipconfig /all.[188]
PingPull can retrieve the IP address of a compromised host.[189]
PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[190]
Pisloader has a command to collect the victim's IP address.[191]
PLAINTEE uses the ipconfig /all command to gather the victim’s IP address.[192]
Play has used the information-stealing tool Grixba to enumerate network information.[193]
PowerDuke has a command to get the victim's domain and NetBIOS name.[195]
PowerShower has the ability to identify the current Windows domain of the infected host.[196]
POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.[197][198]
POWRUNER may collect network configuration data by running ipconfig /all on a victim.[199]
A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[200]
Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[201]
Pupy has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.[202]
Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[203]
QakBot can use net config workstation, arp -a, nslookup, and ipconfig /all to gather network configuration information.[204][205][206][207][208]
QUADAGENT gathers the current domain the victim system belongs to.[209]
QuasarRAT has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0.[210]
QUIETCANARY can identify the default proxy setting on a compromised host.[132]
Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[211]
RATANKBA gathers the victim’s IP address via the ipconfig -all command.[212][213]
RedLeaves can obtain information about network parameters.[153]
Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[215]
Revenge RAT collects the IP address and MAC address from the system.[216]
Rifdoor has the ability to identify the IP address of the compromised host.[217]
Rising Sun can detect network adapter and IP address information.[218]
RogueRobin gathers the IP address and domain from the victim’s machine.[219]
route can be used to discover routing configuration information.
Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[221][222]
Saint Bot can collect the IP address of a victim machine.[223]
Sardonic has the ability to execute the ipconfig command.[224]
SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[225]
ShadowPad has collected the domain name of the victim system.[226]
Shamoon obtains the target's IP address and local network segment.[227][228]
SHARPSTATS has the ability to identify the domain of the compromised host.[198]
ShimRatReporter gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host.[229]
Sibot checked if the compromised system is configured to use proxies.[96]
SideCopy has identified the IP address of a compromised host.[3]
SideTwist has the ability to collect the domain name on a compromised host.[230]
Sidewinder has used malware to collect information on network interfaces, including the MAC address.[231]
Sliver has the ability to gather network configuration information.[232]
Small Sieve can obtain the IP address of a victim host.[233]
SocGholish has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.[234][235][236]
SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.[237]
SpicyOmelette can identify the IP of a compromised system.[239]
Squirrelwaffle has collected the victim’s external IP address.[240]
STARWHALE has the ability to collect the IP address of an infected host.[241]
Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.[242]
StrongPity can identify the IP address of a compromised host.[243]
Stuxnet collects the IP address of a compromised system.[244]
SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[245]
Sykipot may use ipconfig /all to gather system network configuration details.[246]
Sys10 collects the local IP address of the victim and sends it to the C2.[164]
SysUpdate can collected the IP address and domain name of a compromised host.[247]
T9000 gathers and beacons the MAC and IP addresses during installation.[248]
Taidoor has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.[249][250]
TajMahal has the ability to identify the MAC address on an infected host.[251]
Threat Group-3390 actors use NBTscan to discover vulnerable systems.[253]
Torisma can collect the local MAC address using GetAdaptersInfo as well as the system's IP address.[254]
TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[255][256][57]
Trojan.Karagany can gather information on the network configuration of a compromised host.[257]
Tropic Trooper has used scripts to collect the host's network topology.[258]
TSCookie has the ability to identify the IP of the infected host.[259]
Turian can retrieve the internal IP address of a compromised host.[260]
Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[84][261][262] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[263]
Unknown Logger can obtain information about the victim's IP address.[264]
UPPERCUT has the capability to gather the victim's proxy information.[265]
USBferry can detect the infected machine's network topology using ipconfig and arp.[258]
Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[266]
Volgmer can gather the IP address from the victim's machine.[268]
Volt Typhoon has executed multiple commands to enumerate network topology and settings including ipconfig, netsh interface firewall show all, and netsh interface portproxy show all.[269]
WannaCry will attempt to determine the local network segment it is a part of.[270]
WellMail can identify the IP address of the victim system.[271]
WellMess can identify the IP address and user domain on the target machine.[272][273]
Wizard Spider has used ipconfig to identify the network configuration of a victim machine. Wizard Spider has also used the PowerShell cmdlet Get-ADComputer to collect IP address data from Active Directory.[274][275]
Woody RAT can retrieve network interface and proxy information.[276]
Xbash can collect IP addresses and local intranet information from a victim’s machine.[277]
xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[42]
ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[280]
ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[281]