Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".
- Atomic Test #2 - System Network Connections Discovery with PowerShell
- Atomic Test #3 - System Network Connections Discovery Linux & MacOS
Get a listing of network connections.
Supported Platforms: Windows
netstat
net use
net sessions
Get a listing of network connections.
Supported Platforms: Windows
Get-NetTCPConnection
Get a listing of network connections.
Supported Platforms: Linux, macOS
netstat
who -a
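
One way to hunt for the commands listed above in process-creation logs, as an added example that is not part of the original page: it flags an account that runs several different connection-discovery commands on one host within a short window. The pipe-delimited log format, the sample events and the 5-minute / 2-command thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands named on this page, matched against a full command line.
# "w" is left out: a one-letter name is too noisy to match reliably.
PATTERNS = {
    "netstat": re.compile(r"(?:^|[\\/\s])netstat(?:\.exe)?(?:\s|$)", re.I),
    "net use": re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+use(?:\s|$)", re.I),
    "net session": re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+sessions?(?:\s|$)", re.I),
    "Get-NetTCPConnection": re.compile(r"\bGet-NetTCPConnection\b", re.I),
    "lsof": re.compile(r"(?:^|[/\s])lsof(?:\s|$)", re.I),
    "who -a": re.compile(r"(?:^|[/\s])who\s+-a(?:\s|$)", re.I),
}

# Constructed sample events: time|host|user|command line (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:05|WS01|alice|C:\\Windows\\System32\\NETSTAT.EXE -ano
2024-05-01T10:00:20|WS01|alice|net use
2024-05-01T10:00:41|WS01|alice|powershell.exe -Command Get-NetTCPConnection
2024-05-01T10:03:00|WS02|bob|netstat -rn
2024-05-01T11:30:00|WS02|bob|net user bob /domain
2024-05-01T12:00:00|SRV03|ops|netstat -tulpn
2024-05-01T12:45:00|SRV03|ops|who -a
"""

def parse(log):
    """Yield (time, host, user, matched command) for each discovery hit."""
    for line in log.splitlines():
        if line.count("|") < 3:
            continue  # skip blank or malformed lines
        ts, host, user, cmd = line.split("|", 3)
        for name, rx in PATTERNS.items():
            if rx.search(cmd):
                yield datetime.fromisoformat(ts), host, user, name

def bursts(log, window=timedelta(minutes=5), min_distinct=2):
    """Map (host, user) to the distinct discovery commands run in one window."""
    by_actor = defaultdict(list)
    for ts, host, user, name in parse(log):
        by_actor[(host, user)].append((ts, name))
    alerts = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts[actor] = sorted(seen)
                break
    return alerts
```

A single netstat by an administrator is routine, so the example alerts on the combination of commands rather than on any one of them; the `net user` line shows that the `net use` pattern does not fire on a longer subcommand.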