EXPLORE
Sign In
← Back to Explore
T1049

System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating s...

WindowsIaaSLinuxmacOSNetwork DevicesESXi
21
Detections
3
Sources
32
Threat Actors

BY SOURCE

8splunk_escu7sigma6elastic

PROCEDURES (13)

Lateral3 detections

Auto-extracted: 3 detections for lateral

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Remote2 detections

Auto-extracted: 2 detections for remote

Service2 detections

Auto-extracted: 2 detections for service

Remote2 detections

Auto-extracted: 2 detections for remote

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Powershell2 detections

Auto-extracted: 2 detections for powershell

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Privilege1 detections

Auto-extracted: 1 detections for privilege

Privilege1 detections

Auto-extracted: 1 detections for privilege

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (32)

admin@338AndarielAPT1APT3APT32APT38APT41APT5BackdoorDiplomacyChimeraEarth LuscaFIN13GALLIUMHEXANEINC RansomKe3changLazarus GroupLotus BlossomMagic HoundmenuPassMuddyWaterMustang PandaOilRigPoseidon GroupSandworm TeamTeamTNTThreat Group-3390ToddyCatTropic TrooperTurlaVelvet AntVolt Typhoon

DETECTIONS (21)

Cisco Discovery
sigmalow
DNS Enumeration Detected via Defend for Containers
elasticlow
Enumeration Command Spawned via WMIPrvSE
elasticlow
GetNetTcpconnection with PowerShell
splunk_escu
GetNetTcpconnection with PowerShell Script Block
splunk_escu
HackTool - SharpView Execution
sigmahigh
Network Connection Discovery With Arp
splunk_escu
Network Connection Discovery With Netstat
splunk_escu
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious MS Office Child Process
elasticmedium
Suspicious System Commands Executed by Previously Unknown Executable
elasticlow
System Network Connections Discovery - Linux
sigmalow
System Network Connections Discovery - MacOs
sigmainformational
System Network Connections Discovery Via Net.EXE
sigmalow
Unusual Linux Network Connection Discovery
elasticlow
Use Get-NetTCPConnection
sigmalow
Use Get-NetTCPConnection - PowerShell Module
sigmalow
Windows Common Abused Cmd Shell Risk Behavior
splunk_escu
Windows Network Connection Discovery Via Net
splunk_escu
Windows Post Exploitation Risk Behavior
splunk_escu
Windows System Network Connections Discovery Netsh
splunk_escu