AdFind can extract subnet information from Active Directory.[1][2][3]
admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\download[4]
Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[5][6]
Agent.btz collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[7]
Anchor can determine the public IP and location of a compromised host.[8]
APT1 used the ipconfig /all command to gather network configuration information.[10]
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[11]
A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[12][13]
APT32 used the ipconfig /all command to gather the IP address from the system.[14]
Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[17]
Arp can be used to display ARP configuration information on the host.
Astaroth collects the external IP address from the system.[18]
Avaddon can collect the external IP address of the victim.[19]
Avenger can identify the domain of the compromised host.[20]
Azorult can collect host IP information from the victim’s machine.[21]
Backdoor.Oldrea collects information about the Internet adapter configuration.[23]
Bandook has a command to get the public IP address from a system.[26]
Bazar can collect the IP address and NetBIOS name of an infected machine.[27]
Bisonal can execute ipconfig on the victim’s machine.[28][29]
BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.[30][31]
BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[32]
BLUELIGHT can collect IP information from the victim’s machine.[33]
Bonadan can find the external IP address of the infected host.[34]
BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API.[35]
Brave Prince gathers network configuration information as well as the ARP cache.[36]
Calisto runs the ifconfig command to obtain the IP address from the victim’s machine.[37]
Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all, nbtstat -n, and nbtstat -s.[38][39]
Catchamas gathers the MAC address, IP address, and the network adapter information from the victim’s machine.[40]
Caterpillar WebShell can gather the IP address from the victim's machine using the ipconfig command.[41]
Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.[42]
Cobalt Strike can determine the NetBIOS name and the IP addresses of target machines, including domain controllers.[43][44]
Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information.[45]
Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.[46]
CrackMapExec can collect DNS information from the targeted system.[47]
Crimson contains a command to collect the victim MAC address and LAN IP.[48][49]
Cuba can retrieve the ARP cache from the local system by using GetIpNetTable.[50]
Darkhotel has collected the IP address and network adapter information from the victim’s machine.[51][52]
Denis uses ipconfig to gather the IP address from the system.[14]
down_new has the ability to identify the MAC address of a compromised host.[20]
Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[53]
Dtrack can collect the host's IP addresses using the ipconfig command.[54][55]
The reconnaissance modules used with Duqu can collect information on network configuration.[56]
Dyre has the ability to identify network settings on a compromised host.[57]
Elise executes ipconfig /all after initial communication is made to the remote server.[59][60]
Emissary has the capability to execute the command ipconfig /all.[61]
Empire can acquire network configuration information like DNS servers and network proxies used by a host.[62]
Epic uses the nbtstat -n and nbtstat -s commands on the victim’s machine.[63]
Explosive has collected the MAC address from the victim's machine.[64]
FALLCHILL collects MAC address and local IP address information from the victim.[65]
FatDuke can identify the MAC address on the target computer.[66]
Felismus collects the victim LAN IP address and sends it to the C2 server.[67]
FELIXROOT collects information about the network including the IP address and DHCP server.[68]
Frankenstein has enumerated hosts, looking for the public IP address of the system.[69]
GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[70]
GeminiDuke collects information on network settings and Internet proxy settings from the victim.[71]
GoldMax retrieved a list of the system's network interfaces after execution.[72]
Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[73]
GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[74]
GrimAgent can enumerate the IP and domain of a target system.[75]
Higaisa used ipconfig to gather network configuration information.[76][77]
HotCroissant has the ability to identify the IP address of the compromised machine.[78]
Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[79][80]
ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP.
Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[82]
InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.[83][84]
ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP.
Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.[85]
A JHUHUGIT variant gathers network interface card information.[86]
JPIN can obtain network information, including DNS, IP, and proxies.[87]
Ke3chang performs local network configuration discovery using ipconfig.[90][91]
Kessel has collected the DNS address of the infected host.[34]
KeyBoy can determine the public or WAN IP address for the system.[92]
KEYMARBLE gathers the MAC address of the victim’s machine.[93]
Koadic can retrieve information about the Windows domain.[94]
Kobalos can record the IP address of the target machine.[95]
KONNI can collect the IP address from the victim’s machine.[96]
Kwampirs collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.[97]
Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[98][99]
LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo.[100]
LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[66]
Lokibot has the ability to discover the domain name of the infected host.[101]
LoudMiner used a script to gather the IP address of the infected machine before sending it to the C2.[102]
Lucifer can collect the IP address of a compromised host.[103]
Machete collects the MAC address of the target computer and other network configuration information.[104][105]
Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[106]
menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[107]
Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all.[108]
More_eggs has the capability to gather the IP address from the victim's machine.[110]
MuddyWater has used malware to collect the victim’s IP address and domain name.[112]
Mustang Panda has used ipconfig and arp to determine network configuration information.[113]
Naikon uses commands such as netsh interface show to discover network interface settings.[115]
NanHaiShu can gather information about the victim proxy server.[116]
NanoCore gathers the IP address from the victim’s machine.[117]
nbtstat can be used to discover local NetBIOS domain names.
NETWIRE can collect the IP address of a compromised host.[120][121]
Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[122]
Octopus can collect the host IP address from the victim’s machine.[125]
Okrum can collect network information, including the host IP address, DNS, and proxy information.[128]
Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[129]
Operation Wocao has discovered the local network configuration with ipconfig.[130]
OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[131][132]
Pay2Key can identify the IP and MAC addresses of the compromised host.[133]
Penquin can report the IP of the compromised host to attacker-controlled infrastructure.[134]
PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[135]
Pisloader has a command to collect the victim's IP address.[136]
PLAINTEE uses the ipconfig /all command to gather the victim’s IP address.[137]
PowerDuke has a command to get the victim's domain and NetBIOS name.[139]
PowerShower has the ability to identify the current Windows domain of the infected host.[140]
POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.[141][142]
POWRUNER may collect network configuration data by running ipconfig /all on a victim.[143]
A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[144]
Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[145]
Pupy has built-in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.[146]
Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[147]
QakBot can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.[148][149][150]
QUADAGENT gathers the current domain the victim system belongs to.[151]
Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[152]
RATANKBA gathers the victim’s IP address via the ipconfig -all command.[153][154]
RedLeaves can obtain information about network parameters.[107]
Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[156]
Revenge RAT collects the IP address and MAC address from the system.[157]
Rifdoor has the ability to identify the IP address of the compromised host.[158]
Rising Sun can detect network adapter and IP address information.[159]
RogueRobin gathers the IP address and domain from the victim’s machine.[160]
route can be used to discover routing configuration information.
Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[161][162]
Sandworm Team checks for connectivity to other resources in the network.[163]
SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[164]
ShadowPad has collected the domain name of the victim system.[165]
Shamoon obtains the target's IP address and local network segment.[166][167]
SHARPSTATS has the ability to identify the domain of the compromised host.[142]
ShimRatReporter gathered the local proxy, domain, IP, routing tables, MAC address, gateway, DNS servers, and DHCP status information from an infected host.[168]
Sibot checked if the compromised system is configured to use proxies.[72]
SideTwist has the ability to collect the domain name on a compromised host.[169]
Sidewinder has used malware to collect information on network interfaces, including the MAC address.[170]
Sliver has the ability to gather network configuration information.[171]
SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.[172]
SpicyOmelette can identify the IP of a compromised system.[174]
Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.[175]
StrongPity can identify the IP address of a compromised host.[176]
Stuxnet collects the IP address of a compromised system.[177]
SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[178]
Sykipot may use ipconfig /all to gather system network configuration details.[179]
Sys10 collects the local IP address of the victim and sends it to the C2.[115]
T9000 gathers and beacons the MAC and IP addresses during installation.[180]
Taidoor has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.[181][182]
TajMahal has the ability to identify the MAC address on an infected host.[183]
Threat Group-3390 actors use NBTscan to discover vulnerable systems.[185]
TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine.[186][187][43]
Trojan.Karagany can gather information on the network configuration of a compromised host.[188]
Tropic Trooper has used scripts to collect the host's network topology.[189]
TSCookie has the ability to identify the IP of the infected host.[190]
Turian can retrieve the internal IP address of a compromised host.[191]
Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[63][192][193] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[194]
Unknown Logger can obtain information about the victim's IP address.[195]
UPPERCUT has the capability to gather the victim's proxy information.[196]
USBferry can detect the infected machine's network topology using ipconfig and arp.[189]
Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[197]
Volgmer can gather the IP address from the victim's machine.[199]
WannaCry will attempt to determine the local network segment it is a part of.[200]
WellMail can identify the IP address of the victim system.[201]
WellMess can identify the IP address and user domain on the target machine.[202][203]
Wizard Spider has used "ipconfig" to identify the network configuration of a victim machine.[204]
Xbash can collect IP addresses and local intranet information from a victim’s machine.[205]
xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[35]
ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[208]
ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[209]