Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[1][2][3] Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include `netstat`, `net use`, and `net session` with Net. In Mac and Linux, `netstat` and `lsof` can be used to list current connections. `who -a` and `w` can be used to show which users are currently logged in, similar to `net session`. Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. `show ip sockets`, `show tcp brief`).[4]
ID | Name | Description |
---|---|---|
G0018 | admin@338 | admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: |
G0138 | Andariel | Andariel has used the |
G0006 | APT1 | APT1 used the |
G0022 | APT3 | APT3 has a tool that can enumerate current network connections.[8][9][10] |
G0050 | APT32 | APT32 used the |
G0082 | APT38 | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[12] |
G0096 | APT41 | APT41 has enumerated IP addresses of network resources and used the |
G1023 | APT5 | APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[15] |
S0456 | Aria-body | Aria-body has the ability to gather TCP and UDP table status listings.[16] |
S0638 | Babuk | Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[17] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[18] |
S1081 | BADHATCH | BADHATCH can execute |
S0089 | BlackEnergy | BlackEnergy has gathered information about local network connections using netstat.[20][21] |
S0335 | Carbon | |
S0674 | CharmPower | CharmPower can use |
G0114 | Chimera | Chimera has used |
S0154 | Cobalt Strike | Cobalt Strike can produce a sessions report from compromised hosts.[25] |
S0244 | Comnie | |
S0575 | Conti | Conti can enumerate routine network connections from a compromised host.[27] |
S0488 | CrackMapExec | CrackMapExec can discover active sessions for a targeted system.[28] |
S0625 | Cuba | Cuba can use the function |
S0567 | Dtrack | Dtrack can collect network and active connection information.[30] |
S0038 | Duqu | The discovery modules used with Duqu can collect information on network connections.[31] |
G1006 | Earth Lusca | Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information.[32] |
S0554 | Egregor | |
S0363 | Empire | Empire can enumerate the current network connections of a host.[34] |
S0091 | Epic | Epic uses the |
G1016 | FIN13 | FIN13 has used |
S0696 | Flagpro | Flagpro has been used to execute |
C0007 | FunnyDream | During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[39] |
G0093 | GALLIUM | GALLIUM used |
S0237 | GravityRAT | GravityRAT uses the |
G1001 | HEXANE | HEXANE has used netstat to monitor connections to specific ports.[42] |
S0283 | jRAT | |
G0004 | Ke3chang | Ke3chang performs local network connection discovery using |
S0356 | KONNI | |
S1075 | KOPILUWAK | KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections.[47] |
S0236 | Kwampirs | Kwampirs collects a list of active and listening connections by using the command |
G0032 | Lazarus Group | Lazarus Group has used |
S0681 | Lizar | Lizar has a plugin to retrieve information about all active network sessions on the infected server.[50] |
S0532 | Lucifer | Lucifer can identify the IP and port numbers for all remote connections from the compromised host.[51] |
S0409 | Machete | Machete uses the |
S1060 | Mafalda | Mafalda can use the |
G0059 | Magic Hound | Magic Hound has used quser.exe to identify existing RDP connections.[54] |
S0449 | Maze | Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[55] |
G0045 | menuPass | menuPass has used |
S0443 | MESSAGETAP | After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server.[57] |
G0069 | MuddyWater | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.[58] |
G0129 | Mustang Panda | Mustang Panda has used |
S0102 | nbtstat | nbtstat can be used to discover current NetBIOS sessions. |
S0039 | Net | Commands such as |
S0104 | netstat | netstat can be used to enumerate local network connections, including active TCP connections and other network statistics.[61] |
S0198 | NETWIRE | NETWIRE can capture session logon details from a compromised host.[62] |
G0049 | OilRig | OilRig has used |
S0439 | Okrum | Okrum was seen using NetSess to discover NetBIOS sessions.[64] |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used the |
C0014 | Operation Wocao | During Operation Wocao, threat actors collected a list of open connections on the infected system using |
S0165 | OSInfo | OSInfo enumerates the current network connections similar to |
S1091 | Pacu | Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering.[67] |
S0013 | PlugX | PlugX has a module for enumerating TCP and UDP network connections and associated processes using the |
G0033 | Poseidon Group | Poseidon Group obtains and saves information about victim network interfaces and addresses.[69] |
S0378 | PoshC2 | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[70] |
S0184 | POWRUNER | POWRUNER may collect active network connections by running |
S0192 | Pupy | Pupy has a built-in utility command for |
S1032 | PyDCrypt | PyDCrypt has used netsh to find RPC connections on remote machines.[73] |
S0650 | QakBot | QakBot can use |
S0458 | Ramsay | Ramsay can use |
S0241 | RATANKBA | RATANKBA uses |
S0153 | RedLeaves | RedLeaves can enumerate drives and Remote Desktop sessions.[78] |
S0125 | Remsec | Remsec can obtain a list of active connections and open ports.[79] |
G0034 | Sandworm Team | Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[80][81] |
S1085 | Sardonic | Sardonic has the ability to execute the |
S0445 | ShimRatReporter | ShimRatReporter used the Windows function |
S0063 | SHOTPUT | |
S0589 | Sibot | Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[85] |
S0633 | Sliver | |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA can enumerate open ports on a victim machine.[87] |
S0374 | SpeakUp | |
S0018 | Sykipot | Sykipot may use |
G0139 | TeamTNT | TeamTNT has run |
G0027 | Threat Group-3390 | Threat Group-3390 has used |
G1022 | ToddyCat | ToddyCat has used |
S0678 | Torisma | Torisma can use |
S0094 | Trojan.Karagany | Trojan.Karagany can use netstat to collect a list of network connections.[95] |
G0081 | Tropic Trooper | Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.[96] |
G0010 | Turla | Turla surveys a system upon check-in to discover active local network connections using the |
S0452 | USBferry | USBferry can use |
S0180 | Volgmer | Volgmer can gather information about TCP connection state.[99] |
G1017 | Volt Typhoon | Volt Typhoon has used |
S0579 | Waterbear | Waterbear can use API hooks on |
S0251 | Zebrocy | Zebrocy uses |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. |
DS0009 | Process | OS API Execution | Monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
DS0009 | Process | Process Creation | Monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
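As an added example (not part of the ATT&CK page), the following Python scan runs the Command Execution and Process Creation guidance above over constructed command events: it matches the utilities named in the technique description (netstat, net session/use, lsof, who -a, w, quser, and the device CLI `show ip sockets` / `show tcp brief`) and rates device CLI use by an account outside an allowlist higher. The event shape, the sample events and the `netops` allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation / AAA command events: (host, user, command line).
SAMPLE_EVENTS = [
    ("ws01", "CORP\\jdoe", "C:\\Windows\\System32\\netstat.exe -ano"),
    ("ws01", "CORP\\jdoe", "net session"),
    ("ws02", "CORP\\svc_backup", "notepad.exe C:\\notes\\netstat_howto.txt"),
    ("lnx01", "alice", "lsof -i -nP"),
    ("lnx01", "alice", "who -a"),
    ("rtr01", "netops", "show ip sockets"),
    ("rtr01", "contractor7", "show tcp brief"),
]

# One entry per utility named on the page. Each pattern requires the token to be the command
# itself (line start or after a path separator / space), so "netstat_howto.txt" or "wget" do not match.
DISCOVERY_PATTERNS = [
    ("netstat", re.compile(r"(?:^|[\\/\s])netstat(?:\.exe)?(?:\s|$)", re.I)),
    ("net session/use", re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+(?:session|use)\b", re.I)),
    ("quser", re.compile(r"(?:^|[\\/\s])quser(?:\.exe)?(?:\s|$)", re.I)),
    ("lsof", re.compile(r"(?:^|/)lsof(?:\s|$)")),
    ("who/w", re.compile(r"(?:^|/)(?:who|w)(?:\s|$)")),
    ("device CLI", re.compile(r"^show\s+(?:ip\s+sockets|tcp\s+brief)\b", re.I)),
]

def match_discovery(cmdline):
    """Return the discovery utility a command line invokes, or None."""
    for name, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None

def scan(events, device_admins=frozenset({"netops"})):
    """Flag events that run a connection-discovery command. Device CLI use by an account
    outside the (assumed) allowlist is rated 'high', following the AAA-log guidance."""
    hits = []
    for host, user, cmd in events:
        tool = match_discovery(cmd)
        if tool:
            high = tool == "device CLI" and user not in device_admins
            hits.append({"host": host, "user": user, "cmd": cmd, "tool": tool,
                         "severity": "high" if high else "medium"})
    return hits

def cluster(hits):
    """Distinct tools per (host, user): several from one principal is the stronger signal."""
    groups = defaultdict(set)
    for h in hits:
        groups[(h["host"], h["user"])].add(h["tool"])
    return {k: sorted(v) for k, v in groups.items()}
```

Running `scan(SAMPLE_EVENTS)` flags six of the seven events; `cluster` then shows that the `ws01` and `lnx01` principals each ran two distinct discovery tools, which is a better triage lead than any single netstat execution.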