T1049: System Network Connections Discovery
| View on MITRE ATT&CK | T1049 |
|---|---|
| Tactic(s) | Discovery |
| Associated CAPEC Patterns | Network Topology Mapping (CAPEC-309) |
Data from MITRE ATT&CK®:
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
This blog post from researchers at Trend Micro discusses the cyberespionage group Earth Hundun and its malware, Waterbear and Deuterbear, which ...
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
Evasive Panda leverages Monlam Festival to target Tibetans
This report by researchers at ESET describes a campaign which they attribute to the China-aligned APT Evasive Panda. The report describes a ...
Earth Preta Campaign Uses DOPLUGS to Target Asia
This blog post by researchers from Trend Micro describes the use of a customized PlugX backdoor which they name DOPLUGS. The DOPLUGS malware uses ...
CACTUS Ransomware: Prickly New Variant Evades Detection
This report by Kroll outlines TTPs and IoCs associated with CACTUS ransomware actors.
How to detect this technique
MITRE ATT&CK Data Components
OS API Execution (Process)
Operating system function/method calls executed by a processProcess Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.