T1049 - System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Windows

Utilities and commands that acquire this information include netstat, and "net use" and "net session" with the Net utility.

Mac and Linux

On macOS and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".

Atomic Tests


Atomic Test #1 - System Network Connections Discovery

Get a listing of network connections.

Supported Platforms: Windows

Run it with command_prompt!

netstat
net use
net sessions


Atomic Test #2 - System Network Connections Discovery with PowerShell

Get a listing of network connections.

Supported Platforms: Windows

Run it with powershell!

Get-NetTCPConnection


Atomic Test #3 - System Network Connections Discovery Linux & MacOS

Get a listing of network connections.

Supported Platforms: Linux, macOS

Run it with sh!

netstat
who -a
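
A detection-side counterpart to the three tests above, as an added example that is not part of the Atomic Red Team project: it classifies process command lines against the commands this page lists and flags a host/user pair that runs several different ones close together. The event tuple layout, the 300-second window, the threshold of two distinct commands and the sample events are assumptions made for illustration; Get-NetTCPConnection is matched only where it appears on a process command line.

```python
import re

# Commands named on this page; patterns run against a normalised command line.
PATTERNS = [
    ("netstat", re.compile(r"^netstat(\s|$)")),
    # Bare "net use" lists connections; with arguments it maps a share instead.
    ("net use", re.compile(r"^net1?\s+use$")),
    ("net session", re.compile(r"^net1?\s+sessions?(\s|$)")),
    ("Get-NetTCPConnection", re.compile(r"\bget-nettcpconnection\b")),
    ("who -a", re.compile(r"^who\s+-a(\s|$)")),
]

def normalise(cmdline):  # '"C:\Windows\System32\NETSTAT.EXE" -ano' -> 'netstat -ano'
    cmdline = cmdline.strip()
    quoted = re.match(r'^"([^"]+)"\s*(.*)$', cmdline)
    image, rest = quoted.groups() if quoted else (cmdline.split(None, 1) + ["", ""])[:2]
    image = re.sub(r"\.exe$", "", re.split(r"[\\/]", image)[-1].lower())
    return f"{image} {' '.join(rest.lower().split())}".strip()

def classify(cmdline):
    norm = normalise(cmdline)
    return next((name for name, rx in PATTERNS if rx.search(norm)), None)

def find_bursts(events, window=300, min_distinct=2):
    """Map (host, user) to the distinct listing commands seen within `window` seconds."""
    hits = {}
    for ts, host, user, cmdline in sorted(events):
        name = classify(cmdline)
        if name:
            hits.setdefault((host, user), []).append((ts, name))
    alerts = {}
    for key, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts[key] = sorted(names)
                break
    return alerts

# Constructed sample events: (epoch seconds, host, user, command line).
SAMPLE = [
    (1000, "ws01", "alice", r'"C:\Windows\System32\NETSTAT.EXE" -ano'),
    (1030, "ws01", "alice", r"C:\Windows\System32\net1.exe  use"),
    (1045, "ws01", "alice", "net sessions"),
    (1200, "ws02", "bob", r"net use Z: \\fs01\share"),  # share mapping, not counted
    (1300, "ws02", "bob", "netstat"),                   # one command, below threshold
    (5000, "ws03", "dave", "powershell.exe -Command Get-NetTCPConnection"),
    (5010, "ws03", "dave", "netstat -an"),
]
```

Calling `find_bursts(SAMPLE)` reports alice on ws01 and dave on ws03; bob's lone netstat stays below the threshold, which keeps routine administrator use of a single command out of the results.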