Skip to content

Latest commit

 

History

History
86 lines (42 loc) · 2.5 KB

T1049.md

File metadata and controls

86 lines (42 loc) · 2.5 KB

T1049 - System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)

Windows

Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.

Mac and Linux

In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".

Atomic Tests


Atomic Test #1 - System Network Connections Discovery

Get a listing of network connections.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

netstat
net use
net sessions


Atomic Test #2 - System Network Connections Discovery with PowerShell

Get a listing of network connections.

Supported Platforms: Windows

Attack Commands: Run with powershell!

Get-NetTCPConnection


Atomic Test #3 - System Network Connections Discovery Linux & MacOS

Get a listing of network connections.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

netstat
who -a