System Network Connections Discovery, Technique T1049 - Enterprise
During the 2025 Poland Wiper Attacks, the adversaries identified network connections utilizing netstat -nao and netstat -r.[6]
admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: netstat -ano >> %temp%\download[7]
Andariel has used the netstat -naop tcp command to display TCP connections on a victim's machine.[8]
During the Anthropic AI-orchestrated Campaign, the adversary used Claude Code to map internal network architecture and access relationships.[9]
APT1 used the net use command to get a listing on network connections.[10]
APT3 has a tool that can enumerate current network connections.[11][12][13]
APT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine.[14]
APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.[15]
APT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.[16][17]
APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[18]
Aria-body has the ability to gather TCP and UDP table status listings.[19]
Babuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption.[20]
BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[21]
BADHATCH can execute netstat.exe -f on a compromised machine.[22]
BlackEnergy has gathered information about local network connections using netstat.[23][24]
Carbon uses the netstat -r and netstat -an commands.[25]
Chimera has used netstat -ano | findstr EST to discover network connections.[26]
Cobalt Strike can produce a sessions report from compromised hosts.[27]
Comnie executes the netstat -ano command.[28]
Conti can enumerate routine network connections from a compromised host.[29]
CrackMapExec can discover active sessions for a targeted system.[30]
Cuba can call the GetIpNetTable function, which returns the IPv4 ARP (IP-to-physical address) table, to recover the addresses the victim's machine has recently communicated with.[31]
Dtrack can collect network and active connection information.[32]
The discovery modules used with Duqu can collect information on network connections.[33]
Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information.[34]
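The Earth Lusca entry above describes mining the RDP client's Operational log for the hosts a workstation has connected to. The following is an added illustration of that idea, not the group's RDPConnectionParser script and not code from this page: it reads an Event XML export (the format `wevtutil qe ... /f:xml` produces) and keeps only Event ID 1024 records from that channel. The sample records are constructed, and the EventData field names assumed for 1024 ("Name" = "Server Name", "Value" = the target host) should be confirmed against a real export before the parser is trusted.

```python
"""Recover outbound RDP targets from the RDP client Operational log (Earth Lusca-style)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CHANNEL = "Microsoft-Windows-TerminalServices-RDPClient/Operational"

# Constructed sample export in Event XML form. Three 1024 records (outbound
# connection attempts) and one 1026 record (disconnect) that must be ignored.
# The EventData layout for 1024 is an assumption, see the lead-in.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore"/>
    <EventID>1024</EventID><TimeCreated SystemTime="2024-03-01T09:12:44.000Z"/>
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>WS01.corp.local</Computer></System>
  <EventData><Data Name="Name">Server Name</Data>
    <Data Name="Value">fileserver01.corp.local</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore"/>
    <EventID>1026</EventID><TimeCreated SystemTime="2024-03-01T09:40:02.000Z"/>
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>WS01.corp.local</Computer></System>
  <EventData><Data Name="Name">Reason</Data><Data Name="Value">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore"/>
    <EventID>1024</EventID><TimeCreated SystemTime="2024-03-01T10:05:19.000Z"/>
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>WS01.corp.local</Computer></System>
  <EventData><Data Name="Name">Server Name</Data>
    <Data Name="Value">10.20.30.40</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore"/>
    <EventID>1024</EventID><TimeCreated SystemTime="2024-03-02T08:01:00.000Z"/>
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>WS01.corp.local</Computer></System>
  <EventData><Data Name="Name">Server Name</Data>
    <Data Name="Value">fileserver01.corp.local</Data></EventData>
</Event>
</Events>"""


def rdp_targets(xml_text: str) -> list[dict]:
    """Return one record per Event ID 1024 in the RDP client channel."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.iter(f"{{{NS['e']}}}Event"):
        system = ev.find("e:System", NS)
        if system is None:
            continue
        if system.findtext("e:EventID", namespaces=NS) != "1024":
            continue
        if system.findtext("e:Channel", namespaces=NS) != CHANNEL:
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("Name") != "Server Name":
            continue
        records.append({
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
            "target": data.get("Value", ""),
        })
    return records


def target_counts(records: list[dict]) -> Counter:
    """How often each remote host was targeted, i.e. the access relationships of the source host."""
    return Counter(r["target"] for r in records)


if __name__ == "__main__":
    recs = rdp_targets(SAMPLE_XML)
    for target, n in target_counts(recs).most_common():
        print(f"{n:3d}  {target}")
```

On a live host the same channel is read from C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx; the value of the log for an intruder is that it is written by the client, so it lists the servers this user habitually reaches even when no server-side session log is available.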
Egregor can enumerate all connected drives.[35]
Empire can enumerate the current network connections of a host.[36]
Epic uses the net use, net session, and netstat commands to gather information on network connections.[37][38]
FIN13 has used netstat and other net commands for network reconnaissance efforts.[39]
Flagpro has been used to execute netstat -ano on a compromised host.[40]
FRP can use a dashboard and U/I to display the status of connections from the FRP client and server.[41]
During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[42]
GALLIUM used netstat -oan to obtain information about the victim network connections.[43]
GravityRAT uses the netstat command to find open ports on the victim’s machine.[44]
HEXANE has used netstat to monitor connections to specific ports.[45]
INC Ransom has used RDP to test network connections.[46]
jRAT can list network connections.[47]
Ke3chang performs local network connection discovery using netstat.[48][49]
KONNI has used net session on the victim's machine.[50]
KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections.[51]
Kwampirs collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use.[52]
Lazarus Group has used net use to identify and establish a network connection with a remote host.[53]
Lizar has a plugin to retrieve information about all active network sessions on the infected server.[54]
Lotus Blossom has used commands such as netstat to identify system network connections.[55]
Lucifer can identify the IP and port numbers for all remote connections from the compromised host.[56]
LunarWeb can enumerate system network connections.[57]
Mafalda can use the GetExtendedTcpTable function to retrieve information about established TCP connections.[58]
Magic Hound has used quser.exe to identify existing RDP connections.[59]
Maze has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions to enumerate the network resources on the infected machine.[60]
menuPass has used net use to conduct connectivity checks to machines.[61]
After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server.[62]
MuddyWater has used a PowerShell backdoor to check for Skype connections on the target machine.[63]
Mustang Panda has used netstat -ano to determine network connection information.[64]
nbtstat can be used to discover current NetBIOS sessions.
Commands such as net use and net session can be used in Net to gather information about network connections from a particular host.[65]
netstat can be used to enumerate local network connections, including active TCP connections and other network statistics.[66]
NETWIRE can capture session logon details from a compromised host.[67]
OilRig has used netstat -an on a victim to get a listing of network connections.[68]
Okrum was seen using NetSess to discover NetBIOS sessions.[69]
During Operation CuckooBees, the threat actors used the net session, net use, and netstat commands as part of their advanced reconnaissance.[70]
During Operation Wocao, threat actors collected a list of open connections on the infected system using netstat and checked whether the system had an internet connection.[71]
OSInfo enumerates the current network connections similar to net use.[11]
Once inside a Virtual Private Cloud, Pacu can attempt to identify DirectConnect, VPN, or VPC Peering.[72]
PlugX has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.[73]
Poseidon Group obtains and saves information about victim network interfaces and addresses.[74]
PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[75]
POWRUNER may collect active network connections by running netstat -an on a victim.[76]
PUBLOAD has used several commands executed in sequence via cmd in a short interval to gather information on network connections.[77]
Pupy has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.[78]
PyDCrypt has used netsh to find RPC connections on remote machines.[79]
QakBot can use netstat to enumerate current network connections.[80][81]
Ramsay can use netstat to enumerate network connections.[82]
RATANKBA uses netstat -ano to search for specific IP address ranges.[83]
RedLeaves can enumerate drives and Remote Desktop sessions.[84]
Remsec can obtain a list of active connections and open ports.[85]
Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[86][87]
Sardonic has the ability to execute the netstat command.[88]
ShimRatReporter used the Windows function GetExtendedUdpTable to detect connected UDP endpoints.[89]
SHOTPUT uses netstat to list TCP connection status.[90]
Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.[91]
Sliver can collect network connection information.[92]
SLOTHFULMEDIA can enumerate open ports on a victim machine.[93]
SpeakUp uses the arp -a command.[94]
Sykipot may use netstat -ano to display active network connections.[95]
TeamTNT has run netstat -anp to search for rival malware connections.[96] TeamTNT has also used libprocesshider to modify /etc/ld.so.preload.[97]
Threat Group-3390 has used net use and netstat to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[98]
ToddyCat has used netstat -anop tcp to discover TCP connections to compromised hosts.[99]
Torisma can use WTSEnumerateSessionsW to monitor remote desktop connections.[100]
Trojan.Karagany can use netstat to collect a list of network connections.[101]
Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.[102]
Turla surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.[37][103] Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the GetTcpTable2 API call.[104]
USBferry can use netstat and nbtstat to detect active network connections.[102]
Velvet Ant has enumerated existing network connections on victim devices.[105]
Volgmer can gather information about TCP connection state.[106]
Volt Typhoon has used netstat -ano on compromised hosts to enumerate network connections.[107][108]
Waterbear can use API hooks on GetExtendedTcpTable to retrieve a table containing a list of TCP endpoints available to the application.[109]
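Several entries above (Mafalda and Waterbear with GetExtendedTcpTable, Turla's RPC backdoors with GetTcpTable2, ShimRatReporter with GetExtendedUdpTable) enumerate connections through the IP Helper API rather than by spawning netstat, which leaves no process-creation event to alert on. The block below is an added example, not code from any of those implants or from this page. It parses the MIB_TCPTABLE_OWNER_PID buffer that GetExtendedTcpTable fills when called with TCP_TABLE_OWNER_PID_ALL, and shows the size-query-then-fill call sequence through ctypes on Windows; the sample buffer is constructed so the parser can be exercised on any platform. The constants and structure layout are the documented Windows ones; the helper names are mine.

```python
"""Parse the MIB_TCPTABLE_OWNER_PID structure that GetExtendedTcpTable returns."""
from __future__ import annotations

import ctypes
import socket
import struct
import sys
from dataclasses import dataclass

# MIB_TCP_STATE values (iprtrmib.h)
TCP_STATES = {1: "CLOSED", 2: "LISTEN", 3: "SYN_SENT", 4: "SYN_RCVD", 5: "ESTABLISHED",
              6: "FIN_WAIT1", 7: "FIN_WAIT2", 8: "CLOSE_WAIT", 9: "CLOSING",
              10: "LAST_ACK", 11: "TIME_WAIT", 12: "DELETE_TCB"}

# MIB_TCPROW_OWNER_PID: dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid
ROW_FMT = "<6I"
ROW_SIZE = struct.calcsize(ROW_FMT)   # 24 bytes; all DWORDs, so no padding
# MIB_TCPTABLE_OWNER_PID: DWORD dwNumEntries followed by dwNumEntries rows


@dataclass(frozen=True)
class TcpRow:
    state: str
    local: tuple[str, int]
    remote: tuple[str, int]
    pid: int


def _ip(dword: int) -> str:
    # dwLocalAddr/dwRemoteAddr carry the IPv4 address in network byte order,
    # i.e. the DWORD's in-memory bytes are the address octets in order.
    return socket.inet_ntoa(struct.pack("<I", dword))


def _port(dword: int) -> int:
    # Only the low 16 bits of dwLocalPort/dwRemotePort are defined (network byte order).
    return socket.ntohs(dword & 0xFFFF)


def parse_tcp_table(buf: bytes) -> list[TcpRow]:
    (count,) = struct.unpack_from("<I", buf, 0)
    rows = []
    for i in range(count):
        st, la, lp, ra, rp, pid = struct.unpack_from(ROW_FMT, buf, 4 + i * ROW_SIZE)
        rows.append(TcpRow(TCP_STATES.get(st, f"UNKNOWN({st})"),
                           (_ip(la), _port(lp)), (_ip(ra), _port(rp)), pid))
    return rows


def established(rows: list[TcpRow]) -> list[TcpRow]:
    """The subset an operator usually wants: who this host is talking to right now."""
    return [r for r in rows if r.state == "ESTABLISHED"]


def encode_row(state: int, local: tuple[str, int], remote: tuple[str, int], pid: int) -> bytes:
    # Inverse of the parser; used only to build the constructed sample below.
    la = struct.unpack("<I", socket.inet_aton(local[0]))[0]
    ra = struct.unpack("<I", socket.inet_aton(remote[0]))[0]
    return struct.pack(ROW_FMT, state, la, socket.htons(local[1]), ra, socket.htons(remote[1]), pid)


# Constructed sample table: one outbound HTTPS session, one RDP listener, one SMB session owned by System.
SAMPLE_ROWS = [
    encode_row(5, ("10.0.0.5", 49700), ("203.0.113.10", 443), 4120),
    encode_row(2, ("0.0.0.0", 3389), ("0.0.0.0", 0), 1200),
    encode_row(5, ("10.0.0.5", 51234), ("10.0.0.20", 445), 4),
]
SAMPLE_TABLE = struct.pack("<I", len(SAMPLE_ROWS)) + b"".join(SAMPLE_ROWS)


def live_tcp_table() -> list[TcpRow]:
    """Windows only: query the required size, then fill the buffer (the usual two-call pattern)."""
    if sys.platform != "win32":
        raise OSError("GetExtendedTcpTable is only available on Windows")
    iphlpapi = ctypes.WinDLL("iphlpapi")
    AF_INET, TCP_TABLE_OWNER_PID_ALL, ERROR_INSUFFICIENT_BUFFER = 2, 5, 122
    size = ctypes.c_ulong(0)
    rc = iphlpapi.GetExtendedTcpTable(None, ctypes.byref(size), False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0)
    if rc != ERROR_INSUFFICIENT_BUFFER:
        raise OSError(rc, "GetExtendedTcpTable size query failed")
    buf = ctypes.create_string_buffer(size.value)
    rc = iphlpapi.GetExtendedTcpTable(buf, ctypes.byref(size), False, AF_INET, TCP_TABLE_OWNER_PID_ALL, 0)
    if rc != 0:
        raise OSError(rc, "GetExtendedTcpTable failed")
    return parse_tcp_table(buf.raw[:size.value])


if __name__ == "__main__":
    rows = live_tcp_table() if sys.platform == "win32" else parse_tcp_table(SAMPLE_TABLE)
    for r in rows:
        print(f"{r.state:<12} {r.local[0]}:{r.local[1]:<6} -> {r.remote[0]}:{r.remote[1]:<6} pid={r.pid}")
```

Because this path never creates a process, detection has to come from the implant's own behaviour (an unexpected module importing iphlpapi.dll, or API telemetry on GetExtendedTcpTable/GetTcpTable2 from a process that has no business enumerating sockets) rather than from command-line logging.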
Zebrocy uses netstat -aon to gather network connection information.[110]
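Most of the procedures listed on this page reduce to a handful of built-in commands with their switches in varying order (netstat -ano, -nao, -oan, -aon, -naop tcp, -anp, -an, -r, sometimes piped into findstr), plus net use, net session, quser, nbtstat and arp -a, frequently chained within a short interval as described for PUBLOAD, Operation CuckooBees and Turla. The following is an added detection example written for this page, not tooling from MITRE or any vendor: it normalises those command lines from process-creation telemetry regardless of switch order or a cmd /c wrapper, and raises an alert when a host runs three or more distinct discovery command families inside a short window. The event records and the window and threshold values are constructed for illustration.

```python
"""Flag chained network-connection discovery commands in process-creation telemetry."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Command families counted toward a burst; findstr is only a modifier on a netstat pipeline.
DISCOVERY_FAMILIES = {"netstat", "net", "quser", "nbtstat", "arp"}


def _exe_name(token: str) -> str:
    return token.strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def _command(segment: str) -> tuple[str, list[str]]:
    """Split one pipeline segment into (executable, lowercased args), unwrapping `cmd /c ...`."""
    toks = segment.strip().split()
    if toks and _exe_name(toks[0]) == "cmd":
        for i, t in enumerate(toks):
            if t.lower() in ("/c", "/k"):
                toks = toks[i + 1:]
                break
    if not toks:
        return "", []
    return _exe_name(toks[0]), [t.lower() for t in toks[1:]]


def classify(cmdline: str) -> set[str]:
    """Map a command line to the discovery behaviours it exhibits, independent of switch order."""
    tags: set[str] = set()
    for segment in cmdline.split("|"):
        exe, args = _command(segment)
        if exe == "netstat":
            # "-ano", "-nao", "-naop" all collapse to the same set of switch letters
            letters = {c for a in args if a.startswith("-") for c in a[1:]}
            if "r" in letters:
                tags.add("netstat:routes")
            if not letters or letters & {"a", "n", "o", "f"}:
                tags.add("netstat:connections")
            if "o" in letters:
                tags.add("netstat:owning_pid")
            if "p" in letters:
                tags.add("netstat:protocol_filter")
        elif exe in ("net", "net1") and args and args[0] in ("use", "session", "sessions", "file"):
            tags.add("net:" + ("session" if args[0] == "sessions" else args[0]))
        elif exe == "quser":
            tags.add("quser:rdp_sessions")
        elif exe == "nbtstat":
            tags.add("nbtstat:netbios_sessions")
        elif exe == "arp" and "-a" in args:
            tags.add("arp:cache")
        elif exe == "findstr" and any("est" in a for a in args):
            tags.add("findstr:established_filter")
    return tags


def find_bursts(events: list[dict], window_s: int = 120, min_families: int = 3) -> list[dict]:
    """Per host, report windows in which at least `min_families` distinct discovery families ran."""
    by_host: dict[str, list] = defaultdict(list)
    for e in events:
        tags = classify(e["cmd"])
        if tags:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e, tags))
    alerts = []
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        i = 0
        while i < len(rows):
            start = rows[i][0]
            window = [r for r in rows[i:] if r[0] - start <= timedelta(seconds=window_s)]
            families = {t.split(":")[0] for r in window for t in r[2]} & DISCOVERY_FAMILIES
            if len(families) >= min_families:
                alerts.append({"host": host, "start": start.isoformat(),
                               "users": sorted({r[1]["user"] for r in window}),
                               "families": sorted(families),
                               "commands": [r[1]["cmd"] for r in window]})
                i += len(window)          # report each burst once
            else:
                i += 1
    return alerts


# Constructed sample events (the fields a Sysmon Event ID 1 or Security 4688 record would supply).
EVENTS = [
    {"ts": "2024-05-02T10:00:01", "host": "WS01", "user": "CORP\\jdoe", "cmd": "netstat -ano"},
    {"ts": "2024-05-02T10:00:06", "host": "WS01", "user": "CORP\\jdoe", "cmd": "net use"},
    {"ts": "2024-05-02T10:00:11", "host": "WS01", "user": "CORP\\jdoe", "cmd": "net session"},
    {"ts": "2024-05-02T10:00:17", "host": "WS01", "user": "CORP\\jdoe", "cmd": "quser.exe"},
    {"ts": "2024-05-02T10:00:23", "host": "WS01", "user": "CORP\\jdoe", "cmd": "cmd /c netstat -ano | findstr EST"},
    {"ts": "2024-05-02T10:31:40", "host": "WS02", "user": "CORP\\svc-backup", "cmd": "ipconfig /all"},
    {"ts": "2024-05-02T11:02:03", "host": "WS02", "user": "CORP\\helpdesk", "cmd": "netstat -an"},
]

if __name__ == "__main__":
    for a in find_bursts(EVENTS):
        print(f"{a['host']} {a['start']} {a['users']} families={a['families']}")
        for c in a["commands"]:
            print("   ", c)
```

A single netstat by a helpdesk account (WS02) is routine and is not reported; the value of the rule is the combination of families in quick succession, which is what the listed groups do on a freshly compromised host. The netstat:owning_pid tag is kept separately because the -o switch (PID per connection) is a stronger signal of manual triage than a bare netstat -an.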