System Network Connections Discovery

Information

• Name: System Network Connections Discovery

• ID: T1049

• Tactics: TA0007

Introduction

System Network Connections Discovery is categorized under the MITRE ATT&CK framework as technique ID T1049. It involves adversaries enumerating network connections to identify communication channels, active connections, and network configurations. Attackers leverage this technique to understand the environment, discover potential pivot points, and identify targets for lateral movement, command-and-control communication, or data exfiltration.

Deep Dive Into Technique

This technique entails adversaries collecting detailed information about network connections established by the compromised host. Technical execution methods and mechanisms include:

• Native Operating System Commands:

  • Windows:

    • netstat: Displays active TCP/UDP connections, listening ports, and routing tables.

      • Example: netstat -ano lists connections with associated Process IDs (PIDs).

    • Get-NetTCPConnection (PowerShell): Provides detailed network connection information.

      • Example: Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess

  • Linux/Unix:

    • netstat: Lists network connections, routing tables, and interface statistics.

      • Example: netstat -tulnp shows TCP and UDP listening ports with associated processes.

    • ss: Utility replacing netstat, showing socket statistics.

      • Example: ss -tulnp provides detailed socket information.

    • lsof: Lists open files, including network sockets.

      • Example: lsof -i -P -n lists network connections with numeric addresses.

• Custom Scripts and Tools:

  • Adversaries may leverage custom scripts (Python, Bash, PowerShell) to automate enumeration of network connections.

  • Third-party utilities or penetration testing tools such as Sysinternals' TCPView (Windows) or CurrPorts can also be utilized.

• API Calls and System Libraries:

  • Calling system libraries or APIs (e.g., Windows API calls like GetExtendedTcpTable) to gather network connection data programmatically.

Real-world procedures often involve adversaries integrating these enumeration methods into reconnaissance scripts or implant functionalities, providing continuous visibility into network activities for further exploitation.

When this Technique is Usually Used

Adversaries commonly utilize System Network Connections Discovery in various stages and scenarios:

• Initial Reconnaissance:

  • Early-stage enumeration post-compromise to understand the network landscape.

  • Identifying active connections to critical infrastructure, database servers, or domain controllers.

• Privilege Escalation and Persistence:

  • Determining active connections to identify privileged accounts or administrative services.

  • Establishing persistent footholds by identifying stable network communication channels.

• Lateral Movement:

  • Identifying adjacent hosts or services for lateral movement within the compromised network.

  • Mapping internal network topology to facilitate lateral propagation.

• Command and Control (C2):

  • Verifying established C2 channels and identifying potential detection or monitoring mechanisms.

  • Adjusting C2 infrastructure based on discovered network defenses.

• Data Exfiltration:

  • Identifying outbound connections or permitted communication paths for stealthy data exfiltration.

How this Technique is Usually Detected

Detection methodologies and tools for identifying System Network Connections Discovery include:

• Endpoint Detection and Response (EDR) Solutions:

  • Monitoring execution of network enumeration commands (netstat, ss, lsof) and scripts.

  • Detecting unusual or frequent invocation of network diagnostic tools.

• Process and Command-line Monitoring:

  • Monitoring command-line arguments for suspicious or unusual usage patterns:

    • For example, unexpected execution of netstat -ano, ss -tulnp, or lsof -i.

  • Logging and analyzing PowerShell command usage related to network discovery (Get-NetTCPConnection).

• Behavioral Analytics and Anomaly Detection:

  • Identifying abnormal spikes or patterns in network enumeration activities.

  • Detecting enumeration from unusual user accounts or during off-hours.

• Network Traffic Analysis:

  • Monitoring for anomalous network scanning behaviors originating from internal hosts.

  • Identifying suspicious outbound or lateral connection attempts following enumeration activities.

• Specific Indicators of Compromise (IoCs):

  • Suspicious command execution logs (netstat, ss, lsof commands executed by unusual users).

  • Presence of scripts or binaries designed specifically for network enumeration.

  • Unusual process creation events involving network diagnostic tools.

Why it is Important to Detect This Technique

Early detection of System Network Connections Discovery is critical due to the following potential impacts:

• Early-stage Reconnaissance Detection:

  • Identifying reconnaissance activities early can prevent further exploitation and lateral movement.

  • Enables proactive mitigation before attackers escalate privileges or exfiltrate sensitive data.

• Preventing Lateral Movement:

  • Detection of enumeration activities can reveal attempted or planned lateral movement.

  • Allows security teams to isolate affected hosts and limit attack spread.

• Reducing Data Exfiltration Risks:

  • Identifying enumeration of outbound connections can prevent stealthy data exfiltration attempts.

  • Early detection allows implementation of stricter network controls and monitoring.

• Maintaining Operational Integrity:

  • Preventing adversaries from mapping critical infrastructure reduces the risk of targeted disruption or sabotage.

  • Preserves confidentiality, integrity, and availability (CIA) of sensitive systems and data.

• Improving Response Efficiency:

  • Early identification of reconnaissance activities provides actionable intelligence for incident response teams.

  • Enables more effective containment, eradication, and recovery efforts.

Examples

Real-world incidents and attack scenarios involving System Network Connections Discovery include:

• APT29 (Cozy Bear) Operations:

  • Leveraged native Windows commands (netstat) and PowerShell scripts (Get-NetTCPConnection) to enumerate network connections within compromised environments.

  • Utilized this information to identify domain controllers, critical servers, and lateral movement targets.

• FIN7 Cybercrime Group:

  • Employed custom PowerShell scripts and utilities to enumerate network connections on compromised point-of-sale systems.

  • Identified internal communication paths and sensitive data repositories for subsequent exfiltration.

• TrickBot Malware Campaigns:

  • Included modules specifically designed to enumerate network connections and identify domain controllers or financial systems within targeted networks.

  • Used gathered network information to facilitate lateral movement, privilege escalation, and data theft.

• Ryuk Ransomware Attacks:

  • Attackers executed network enumeration commands (netstat, lsof, ss) to map internal networks and identify backup servers or critical infrastructure.

  • Information obtained facilitated targeted ransomware deployment and maximized operational disruption.

• Red Team Engagements and Penetration Testing:

  • Penetration testers frequently utilize network enumeration tools (netstat, ss, lsof) to map internal network topology and identify pivot points.

  • These controlled assessments demonstrate real-world applicability and importance of detecting such enumeration activities.

In these examples, adversaries and testers employed various native commands, custom scripts, and specialized malware modules to perform detailed network connection discovery. Such actions facilitated subsequent attack phases, emphasizing the critical importance of timely detection and response.