Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[1][2][3] Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used.[4]
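On Linux, what netstat and lsof -i actually read is the kernel's /proc/net/tcp table. The following Python is added here as an example and is not taken from the ATT&CK page or from any of the tools it lists; it decodes that table into the address:port and state view those utilities present, which is useful when interpreting the telemetry or reproducing the view during triage of a host. The sample table is constructed; /proc/net/tcp is the real kernel file, and IPv6 sockets (which live in /proc/net/tcp6) are not handled.

```python
"""Decode the kernel's /proc/net/tcp table, the data source netstat and
lsof -i read on Linux. Added example; the sample table is constructed."""
import socket
import struct
from pathlib import Path

# State codes from the "st" column, as defined by the kernel's TCP state enum.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(hexpair):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306): the IPv4 address is printed in
    host byte order (little-endian on x86), the port as plain hex."""
    addr_hex, port_hex = hexpair.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket line; the first line of the table is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or malformed line
        laddr, lport = decode_endpoint(fields[1])
        raddr, rport = decode_endpoint(fields[2])
        rows.append({
            "local": f"{laddr}:{lport}",
            "remote": f"{raddr}:{rport}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),    # owner of the socket
            "inode": int(fields[9]),  # ties the socket to a process via /proc/<pid>/fd
        })
    return rows


def established_remote_peers(rows):
    """Distinct remote endpoints the host is currently connected to."""
    return sorted({r["remote"] for r in rows if r["state"] == "ESTABLISHED"})


def read_live_table(path="/proc/net/tcp"):
    """Parse the real table on a Linux host; returns None where it is absent."""
    p = Path(path)
    return parse_proc_net_tcp(p.read_text()) if p.exists() else None


# Constructed sample: a MySQL listener on loopback and two outbound sessions.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0200000A:BB8E 0300000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0200000A:8B1C 0400000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_TABLE)
    for row in rows:
        print(f"{row['local']:>22} -> {row['remote']:<18} {row['state']:<12} uid={row['uid']}")
    print("established peers:", established_remote_peers(rows))
```

The inode column is the handle an analyst follows from a suspicious connection back to its owning process (by matching it against the socket links under each process's fd directory), which is the step netstat -p and lsof perform for you.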
ID | Name | Description |
---|---|---|
G0018 | admin@338 | admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: |
G0138 | Andariel | Andariel has used the |
G0006 | APT1 | APT1 used the |
G0022 | APT3 | APT3 has a tool that can enumerate current network connections.[8][9][10] |
G0050 | APT32 | APT32 used the |
G0082 | APT38 | APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[12] |
G0096 | APT41 | APT41 has enumerated IP addresses of network resources and used the |
S0456 | Aria-body | Aria-body has the ability to gather TCP and UDP table status listings.[15] |
S0638 | Babuk | Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[16] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[17] |
S0089 | BlackEnergy | BlackEnergy has gathered information about local network connections using netstat.[18][19] |
S0335 | Carbon | |
S0674 | CharmPower | CharmPower can use |
G0114 | Chimera | Chimera has used |
S0154 | Cobalt Strike | Cobalt Strike can produce a sessions report from compromised hosts.[23] |
S0244 | Comnie | |
S0575 | Conti | Conti can enumerate routine network connections from a compromised host.[25] |
S0488 | CrackMapExec | CrackMapExec can discover active sessions for a targeted system.[26] |
S0625 | Cuba | Cuba can use the function |
S0567 | Dtrack | Dtrack can collect network and active connection information.[28] |
S0038 | Duqu | The discovery modules used with Duqu can collect information on network connections.[29] |
S0554 | Egregor | |
S0363 | Empire | Empire can enumerate the current network connections of a host.[31] |
S0091 | Epic | Epic uses the |
S0696 | Flagpro | Flagpro has been used to execute |
G0093 | GALLIUM | GALLIUM used |
S0237 | GravityRAT | GravityRAT uses the |
S0283 | jRAT | |
G0004 | Ke3chang | Ke3chang performs local network connection discovery using |
S0356 | KONNI | |
S0236 | Kwampirs | Kwampirs collects a list of active and listening connections by using the command |
G0032 | Lazarus Group | Lazarus Group has used |
S0681 | Lizar | Lizar has a plugin to retrieve information about all active network sessions on the infected server.[43] |
S0532 | Lucifer | Lucifer can identify the IP and port numbers for all remote connections from the compromised host.[44] |
S0409 | Machete | Machete uses the |
S0449 | Maze | Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[46] |
G0045 | menuPass | menuPass has used |
S0443 | MESSAGETAP | After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server.[48] |
G0069 | MuddyWater | MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.[49] |
G0129 | Mustang Panda | Mustang Panda has used |
S0102 | nbtstat | nbtstat can be used to discover current NetBIOS sessions. |
S0039 | Net | Commands such as |
S0104 | netstat | netstat can be used to enumerate local network connections, including active TCP connections and other network statistics.[52] |
S0198 | NETWIRE | NETWIRE can capture session logon details from a compromised host.[53] |
G0049 | OilRig | OilRig has used |
S0439 | Okrum | Okrum was seen using NetSess to discover NetBIOS sessions.[55] |
G0116 | Operation Wocao | Operation Wocao has collected a list of open connections on the infected system using netstat and checks whether it has an internet connection.[56] |
S0165 | OSInfo | OSInfo enumerates the current network connections similar to |
S0013 | PlugX | PlugX has a module for enumerating TCP and UDP network connections and associated processes using the |
G0033 | Poseidon Group | Poseidon Group obtains and saves information about victim network interfaces and addresses.[58] |
S0378 | PoshC2 | PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[59] |
S0184 | POWRUNER | POWRUNER may collect active network connections by running |
S0192 | Pupy | Pupy has a built-in utility command for |
S0650 | QakBot | QakBot can use |
S0458 | Ramsay | Ramsay can use |
S0241 | RATANKBA | RATANKBA uses |
S0153 | RedLeaves | RedLeaves can enumerate drives and Remote Desktop sessions.[65] |
S0125 | Remsec | Remsec can obtain a list of active connections and open ports.[66] |
G0034 | Sandworm Team | Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[67][68] |
S0445 | ShimRatReporter | ShimRatReporter used the Windows function |
S0063 | SHOTPUT | |
S0589 | Sibot | Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[71] |
S0633 | Sliver | |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA can enumerate open ports on a victim machine.[73] |
S0374 | SpeakUp | |
S0018 | Sykipot | Sykipot may use |
G0139 | TeamTNT | TeamTNT runs |
G0027 | Threat Group-3390 | Threat Group-3390 has used |
S0678 | Torisma | Torisma can use |
S0094 | Trojan.Karagany | Trojan.Karagany can use netstat to collect a list of network connections.[80] |
G0081 | Tropic Trooper | Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.[81] |
G0010 | Turla | Turla surveys a system upon check-in to discover active local network connections using the |
S0452 | USBferry | USBferry can use |
S0180 | Volgmer | Volgmer can gather information about TCP connection state.[84] |
S0579 | Waterbear | Waterbear can use API hooks on |
S0689 | WhisperGate | WhisperGate can enumerate connected remote logical drives.[86] |
S0251 | Zebrocy | Zebrocy uses |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
DS0009 | Process | Process Creation |
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, Network Device CLI commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
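As an added example of the process-creation monitoring described above (not part of the ATT&CK page), the following Python matches the commands this page names inside process-creation events, including when they are chained behind cmd.exe /c, and raises the severity when the user, the parent process or the binary's location falls outside a baseline. The event records, their field names, the hostnames and the baseline sets are all constructed for the example; a real deployment would fill the baselines from its own asset and identity data.

```python
"""Match the discovery commands named on this page in process-creation events
and escalate when user, parent or binary location is off-baseline.
Added example; event records and baseline sets are constructed."""
import json
import re

# Command -> arguments that must also be present (None means any invocation).
DISCOVERY_COMMANDS = {
    "netstat": None,
    "nbtstat": None,
    "w": None,
    "net": ("session", "use"),
    "net1": ("session", "use"),
    "lsof": ("-i",),
    "who": ("-a",),
}
# Constructed baseline: accounts that run these routinely, directories the
# real binaries live in, and parents that should never spawn them.
EXPECTED_USERS = {"nt authority\\system", "root", "corp\\helpdesk"}
STANDARD_DIRS = {"c:\\windows\\system32", "/usr/bin", "/bin", "/usr/sbin"}
UNUSUAL_PARENTS = {"winword", "excel", "outlook", "apache2", "nginx", "w3wp", "mshta"}


def basename(path):
    """Last path component, lower-cased, with quotes and a .exe suffix removed."""
    name = re.split(r"[\\/]", path.strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def dirname(path):
    """Directory part of a path, lower-cased, for the location check."""
    match = re.match(r"^(.*)[\\/][^\\/]+$", path.strip('"'))
    return match.group(1).lower() if match else ""


def discovery_commands_in(cmdline):
    """Discovery commands found in a command line. Splits on shell chaining
    operators so 'cmd.exe /c netstat -ano & net session' yields both."""
    found = []
    for segment in re.split(r"\s*(?:&&|\|\||[&;|])\s*", cmdline):
        tokens = segment.split()
        for i, tok in enumerate(tokens):
            name = basename(tok)
            if name not in DISCOVERY_COMMANDS:
                continue
            needed = DISCOVERY_COMMANDS[name]
            rest = [t.lower() for t in tokens[i + 1:]]
            if needed is None:
                found.append(name)
            else:
                # subcommands must match exactly; flags may carry a value (-iTCP)
                hit = [a for a in needed
                       if any(t == a or (a.startswith("-") and t.startswith(a)) for t in rest)]
                if hit:
                    found.append(f"{name} {hit[0]}")
            break  # one command per segment
    return found


def analyse(event_lines):
    """One finding per event that ran a discovery command, with the reasons
    that lift it from routine admin activity to something worth a look."""
    findings = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        commands = discovery_commands_in(ev["cmd"])
        if not commands:
            continue
        reasons = []
        if ev["user"].lower() not in EXPECTED_USERS:
            reasons.append(f"non-standard user: {ev['user']}")
        parent = basename(ev["parent"])
        if parent in UNUSUAL_PARENTS:
            reasons.append(f"unusual parent: {parent}")
        if dirname(ev["image"]) not in STANDARD_DIRS:
            reasons.append(f"non-standard location: {ev['image']}")
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "commands": commands, "reasons": reasons,
            "severity": "high" if reasons else "low",
        })
    return findings


# Constructed process-creation events (one JSON object per line).
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T09:12:03Z","host":"ws01","user":"CORP\\helpdesk","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\netstat.exe","cmd":"netstat -ano"}
{"ts":"2024-05-01T09:12:40Z","host":"dc01","user":"NT AUTHORITY\\SYSTEM","parent":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\net.exe","cmd":"net session"}
{"ts":"2024-05-01T09:15:11Z","host":"ws02","user":"CORP\\jdoe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c netstat -ano & net session"}
{"ts":"2024-05-01T09:16:02Z","host":"web01","user":"www-data","parent":"/usr/sbin/apache2","image":"/usr/bin/who","cmd":"who -a"}
{"ts":"2024-05-01T09:17:30Z","host":"web01","user":"root","parent":"/usr/bin/bash","image":"/usr/bin/w","cmd":"w"}
{"ts":"2024-05-01T09:18:05Z","host":"dev03","user":"jdoe","parent":"/usr/bin/bash","image":"/usr/bin/lsof","cmd":"lsof -i -nP"}
{"ts":"2024-05-01T09:18:50Z","host":"dev03","user":"jdoe","parent":"/usr/bin/bash","image":"/usr/bin/ls","cmd":"ls -la"}
{"ts":"2024-05-01T09:20:14Z","host":"ws01","user":"CORP\\helpdesk","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\Public\\nbtstat.exe","cmd":"C:\\Users\\Public\\nbtstat.exe -S"}
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The low-severity findings are deliberately kept rather than suppressed: the page's guidance is to read these events as part of a chain, so a routine netstat by an administrator still belongs in the timeline that a later lateral-movement alert on the same host is correlated against.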