diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 000000000..b48af1122
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ ProcessName|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ ProcessName|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml
new file mode 100644
index 000000000..6ec947914
--- /dev/null
+++ b/rules/linux/macos_remote_system_discovery.yml
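Review bot: The `id: 11063ec2-de63-4153-935e-b1a8b9e616f1` on the second line of this hunk is reused byte-for-byte by the macOS rule in the following hunk; Sigma rule ids are meant to be unique per rule, so one of the two files needs its own freshly generated UUID, e.g. `id: <NEW-UUID-PLACEHOLDER>` in the macOS file. Separately, the `' 127.'` entry in `selection_2` matches pings to the local loopback range, which is not discovery of a remote system and will be a steady source of noise from health checks and scripts; either drop that entry or add a comment stating why loopback is deliberately kept, and apply the same fix to the identical list in the macOS hunk. The inline range comments are present only on the first `172.16.` entry; a single comment such as `# 172.16.0.0/12 expanded as 16 prefixes because contains has no CIDR support` above the list would explain the long run of `172.x.` lines to the next maintainer.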
@@ -0,0 +1,48 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection_1:
+ ProcessName|endswith:
+ - '/arp'
+ CommandLine|contains:
+ - '-a'
+ selection_2:
+ ProcessName|endswith:
+ - '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1018
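Review bot: The file is added under `rules/linux/macos_remote_system_discovery.yml` (see the `+++` header that precedes this hunk) while `logsource.product` is `macos`, so the rule sits in the wrong product directory; if the repository has a `rules/macos/` tree, the file should move there so product-scoped tooling and reviewers find it. As a point of style, `selection_1` here writes `ProcessName|endswith` and `CommandLine|contains` as single-item lists (`- '/arp'`, `- '-a'`) whereas the sibling Linux rule uses plain scalars for the same fields; both are valid Sigma, but the two near-identical rules should use one form. The title `Macos Remote System Discovery` should follow the platform's own spelling, `title: macOS Remote System Discovery`.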