T1049 System Network Connections Discovery Mappings

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.

Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. In Mac and Linux, netstat and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
intel-tdt Intel Threat Detection Technology CrowdStrike AMS T1049 System Network Connections Discovery
Comments
Intel Threat Detection Technology (TDT), in combination with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), bolsters cybersecurity defenses by enabling faster, real-time detection of System Network Connection Discovery attacks. This integrated solution enhances CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain, all while maintaining minimal system performance impact. System Network Connection Discovery techniques are used by attackers to map out network connections and identify systems or services they can potentially exploit. These techniques often involve discovering active network connections, open ports, or remote services that can be leveraged for lateral movement or privilege escalation. Attackers may scan a network to identify targets or vulnerable systems that they can compromise, and later exfiltrate data or further infiltrate the environment.
References