# T1049 System Network Connections Discovery

-----------------------------------------------------------------------

## Technique Description

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.

Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used.(Citation: US-CERT-TA18-106A)

## Technique Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

-----------------------------------------------------------------------

### Tactics:

  *   Discovery

### Platforms:

  * Windows

  * IaaS

  * Linux

  * macOS

  * Network

### Data Sources:

  * **Process:** OS API Execution

  * **Command:** Command Execution

  * **Process:** Process Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) runs <code>netstat -anp</code> to search for rival malware connections.(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used libprocesshider to modify <code>/etc/ld.so.preload</code>.(Citation: ATT TeamTNT Chimaera September 2020)| 
| Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used the <code>netstat -naop tcp</code> command to display TCP connections on a victim's machine.(Citation: Kaspersky Andariel Ransomware June 2021)| 
| BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.(Citation: ESET BackdoorDiplomacy Jun 2021)|
| Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used <code>netstat -ano</code> to determine network connection information.(Citation: Avira Mustang Panda January 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has collected a list of open connections on the infected system using netstat and checks whether it has an internet connection.(Citation: FoxIT Wocao December 2019)| 
| Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>netstat -ano \| findstr EST</code> to discover network connections.(Citation: NCC Group Chimera January 2021)|
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) has enumerated IP addresses of network resources and used the <code>netstat</code> command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)| 
| GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used <code>netstat -oan</code> to obtain information about the victim network connections.(Citation: Cybereason Soft Cell June 2019)| 
| APT38 | [APT38](https://attack.mitre.org/groups/G0082) installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.(Citation: FireEye APT38 Oct 2018)| 
| Tropic Trooper | [Tropic Trooper](https://attack.mitre.org/groups/G0081) has tested if the localhost network is available and other connection capability on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020)|
| MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connections on the target machine.(Citation: Trend Micro Muddy Water March 2021)| 
| APT32 | [APT32](https://attack.mitre.org/groups/G0050) used the <code>netstat -anpo tcp</code> command to display TCP connections on the victim's machine.(Citation: Cybereason Cobalt Kitty 2017)| 
| OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>netstat -an</code> on a victim to get a listing of network connections.(Citation: Palo Alto OilRig May 2016)| 
| menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used <code>net use</code> to conduct connectivity checks to machines.(Citation: PWC Cloud Hopper April 2017)| 
| Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018) | 
| Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) obtains and saves information about victim network interfaces and addresses.(Citation: Kaspersky Poseidon Group)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used <code>net use</code> to identify and establish a network connection with a remote host.(Citation: Kaspersky ThreatNeedle Feb 2021)| 
| Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim.(Citation: SecureWorks BRONZE UNION June 2017)| 
| APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate current network connections.(Citation: Symantec Buckeye)(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)| 
| admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command, after exploiting a machine with [LOWBALL](https://attack.mitre.org/software/S0042) malware, to display network connections: <code>netstat -ano >> %temp%\download</code>(Citation: FireEye admin@338)|
| Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover active local network connections using the <code>netstat -an</code>, <code>net use</code>, <code>net file</code>, and <code>net session</code> commands.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) [Turla](https://attack.mitre.org/groups/G0010) RPC backdoors have also enumerated the IPv4 TCP connection table via the <code>GetTcpTable2</code> API call.(Citation: ESET Turla PowerShell May 2019)| 
| APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the <code>net use</code> command to get a listing on network connections.(Citation: Mandiant APT1)| 
| Ke3chang | [Ke3chang](https://attack.mitre.org/groups/G0004) performs local network connection discovery using <code>netstat</code>.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1049)

  * [Amazon Aws Vpc Guide](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html), Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019.

  * [Microsoft Azure Virtual Network Overview](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview), Annamalai, N., Casey, C., Almeida, M., et. al.. (2019, June 18). What is Azure Virtual Network?. Retrieved October 6, 2019.

  * [Google Vpc Overview](https://cloud.google.com/vpc/docs/vpc), Google. (2019, September 23). Virtual Private Cloud (VPC) network overview. Retrieved October 6, 2019.

  * [Us-Cert-Ta18-106A](https://www.us-cert.gov/ncas/alerts/TA18-106A), US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use native Windows utility commands to query the local system's network connections.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

#### Turla
- Surveys a system upon check-in to discover active local network connections using the `netstat -an`, `net use`, `net file`, and `net session` commands. Turla RPC backdoors have also enumerated the IPv4 TCP connection table via the `GetTcpTable2` API call.

## Detection Blindspots

- No known blindspots for finding adversaries' use of network connections discovery; however, the false positive rate may be medium to high depending on the user environment, because administrators and scripts run the same utilities routinely.

## Analytical References

  * [Atomic Red Team T1049 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md)
  * [Investigating Powershell Command and Script Logging (crowdstrike)](https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/)
  * [Turla Powershell Usage 2019 (welivesecurity)](https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
- This technique is very similar to System Network Configuration Discovery (T1016); however, the emphasis here is on detecting enumeration of network connections rather than of interface and routing configuration.

#### Analytic 1

  * **Information:** Monitor processes and command-line arguments for actions that could be taken to gather system and network information.

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** `Event_id : (1 or 5 or 4688 or 4689) Process.name : (netstat.exe or net.exe or net1.exe or nbtstat.exe or ping.exe or tracert.exe or pathping.exe or netsh.exe)`
  * **Query:** `Event_id : 4104 AND process.command.line : *get-NetTCPConnection*`

#### Analytic 2

  * **Information:** Identify processes being spawned by cmd or PS to identify native or non-native tools being used. 

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:**  Note command line parameters for greater sight into activity.

  * **Query:** `Parent.process.name : (cmd.exe or powershell.exe)` (the parentheses are required; without them KQL treats `powershell.exe` as a free-text term matched against every field rather than against `Parent.process.name`)
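The two host analytics above, expressed as matching logic over a few constructed events so the overlap between them is visible. This is an added example, not part of the original playbook or the Kibana queries; the flattened ECS-style field names (`event.code`, `process.name`, `process.parent.name`, `powershell.file.script_block_text`) and the sample events are assumptions.

```python
import re

# Constructed sample events (not real telemetry), flattened ECS-style keys assumed.
SAMPLE_EVENTS = [
    {"event.code": 4688, "process.name": "netstat.exe",
     "process.parent.name": "cmd.exe", "process.command_line": "netstat -ano"},
    {"event.code": 1, "process.name": "net.exe",
     "process.parent.name": "cmd.exe", "process.command_line": "net use"},
    {"event.code": 4104, "process.name": "powershell.exe",
     "process.parent.name": "explorer.exe",
     "powershell.file.script_block_text": "Get-NetTCPConnection -State Established"},
    {"event.code": 1, "process.name": "notepad.exe",
     "process.parent.name": "explorer.exe", "process.command_line": "notepad.exe"},
    {"event.code": 4688, "process.name": "whoami.exe",
     "process.parent.name": "powershell.exe", "process.command_line": "whoami"},
]

# Analytic 1: process events (Sysmon 1/5, Windows 4688/4689) for the listed utilities.
PROCESS_EVENT_IDS = {1, 5, 4688, 4689}
DISCOVERY_TOOLS = {"netstat.exe", "net.exe", "net1.exe", "nbtstat.exe",
                   "ping.exe", "tracert.exe", "pathping.exe", "netsh.exe"}
# Analytic 1, second query: 4104 script block logging catching the cmdlet (case-insensitive).
SCRIPT_BLOCK_PATTERN = re.compile(r"get-nettcpconnection", re.IGNORECASE)
# Analytic 2: children of cmd/PowerShell; broad on its own, used as triage context.
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}


def host_analytics(event):
    """Return the set of analytic labels the event matches (empty set if none)."""
    hits = set()
    code = event.get("event.code")
    name = (event.get("process.name") or "").lower()
    parent = (event.get("process.parent.name") or "").lower()
    if code in PROCESS_EVENT_IDS and name in DISCOVERY_TOOLS:
        hits.add("A1-process")
    if code == 4104 and SCRIPT_BLOCK_PATTERN.search(
            event.get("powershell.file.script_block_text", "")):
        hits.add("A1-scriptblock")
    if code in PROCESS_EVENT_IDS and parent in SHELL_PARENTS:
        hits.add("A2-shell-child")
    return hits


def triage(events):
    """Index -> matched labels, keeping only events that matched something."""
    return {i: host_analytics(e) for i, e in enumerate(events) if host_analytics(e)}
```

Events matching only `A2-shell-child` (the `whoami.exe` sample) are the ones that drive the medium-to-high false positive rate noted above; an `A1` hit alongside `A2` is the stronger signal.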



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- SMB connections to external IPs can be an indicator of compromise

#### Analytic 1

  * **Information:** Identify internal-to-external RDP, SMB, and DCE/RPC traffic

  * **Source:** PCAP

  * **Tool:** Arkime

  * **Notes:** 

  * **Query:** `protocols == [rdp,smb,dcerpc] && ip.dst != <internal>` (replace `<internal>` with the organisation's internal address ranges)
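The Arkime query above, reproduced as matching logic over constructed session records, with the `<internal>` placeholder resolved to explicit address ranges. This is an added example and not part of the original playbook; the internal ranges (RFC 1918 plus a placeholder routed block `203.0.113.0/24`) and the sample sessions are assumptions, and the filter additionally requires the source to be internal so that only internal-to-external sessions are returned.

```python
import ipaddress

# Internal space: RFC 1918 plus the organisation's own routed block (placeholder value).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]
WATCHED_PROTOCOLS = {"rdp", "smb", "dcerpc"}

# Constructed session records shaped like Arkime session fields (not real captures).
SAMPLE_SESSIONS = [
    {"protocols": ["tcp", "smb"], "ip.src": "10.1.2.3", "ip.dst": "10.1.2.50"},
    {"protocols": ["tcp", "smb"], "ip.src": "10.1.2.3", "ip.dst": "198.51.100.7"},
    {"protocols": ["tcp", "dcerpc"], "ip.src": "192.168.5.9", "ip.dst": "203.0.113.12"},
    {"protocols": ["tcp", "rdp"], "ip.src": "10.9.9.9", "ip.dst": "192.0.2.44"},
    {"protocols": ["tcp", "http"], "ip.src": "10.9.9.9", "ip.dst": "192.0.2.44"},
    {"protocols": ["tcp", "smb"], "ip.src": "10.1.2.3", "ip.dst": "127.0.0.1"},
]


def is_internal(addr):
    """True for addresses in INTERNAL_NETS, loopback, or link-local.

    Loopback and link-local are folded into "internal" so that a naive
    'ip.dst != <internal>' check does not surface them as external destinations.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or any(ip in n for n in INTERNAL_NETS)


def internal_to_external(sessions):
    """Sessions carrying a watched protocol from an internal source to an external destination."""
    return [s for s in sessions
            if WATCHED_PROTOCOLS & set(s["protocols"])
            and is_internal(s["ip.src"]) and not is_internal(s["ip.dst"])]
```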