Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

===Windows===
Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
===Mac and Linux===
In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session".

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
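The detection guidance above can be turned into a simple rule over process command-line telemetry. The script below is an added example, not part of the ATT&CK page or of Atomic Red Team: it assumes a pipe-delimited process event log (timestamp|host|parent PID|command line; the sample events are constructed for this example) and flags exactly the utilities this page names (netstat, net use, net session, Get-NetTCPConnection, lsof, who -a, w), then groups hits by parent process so that several discovery commands launched from one parent surface as a chain of behavior rather than as isolated events.

```python
"""Flag network-connection discovery commands in process events and group
them by parent process. Added example; the log format and sample events
are constructed assumptions, not data from the page."""
from collections import defaultdict

# Constructed sample events: timestamp|host|parent_pid|command line
EVENTS = r"""
2024-05-01T10:00:01Z|WS01|4120|C:\Windows\System32\netstat.exe -ano
2024-05-01T10:00:03Z|WS01|4120|net use
2024-05-01T10:00:05Z|WS01|4120|"C:\Windows\System32\net1.exe" session
2024-05-01T10:00:20Z|WS01|5000|C:\Program Files\App\app.exe --update
2024-05-01T10:01:00Z|WS02|7100|powershell.exe -Command Get-NetTCPConnection -State Established
2024-05-01T10:01:10Z|WS02|7100|cmd.exe /c netstat -an
2024-05-01T10:02:00Z|srv-lin-01|2200|/usr/bin/lsof -i
2024-05-01T10:02:02Z|srv-lin-01|2200|who -a
2024-05-01T10:02:04Z|srv-lin-01|2200|/usr/bin/w
2024-05-01T10:03:00Z|srv-lin-01|2300|who
"""

# Binaries named on the page; "net1" is what "net" hands off to on Windows.
TOOLS = {"netstat", "net", "net1", "lsof", "who", "w", "powershell", "pwsh"}
# Shells that commonly wrap the real command; we look past their -c / /c flag.
WRAPPERS = {"cmd", "sh", "bash", "zsh"}


def _basename(token: str) -> str:
    """Strip path and .exe so C:\\...\\netstat.exe and /usr/bin/w compare alike."""
    name = token.strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _effective_tokens(tokens):
    """If the first token is a shell wrapper, return the wrapped command."""
    if tokens and _basename(tokens[0]) in WRAPPERS:
        for i, tok in enumerate(tokens[1:], 1):
            if tok.lower() in ("/c", "/k", "-c"):
                return tokens[i + 1:]
        return tokens[1:]
    return tokens


def classify(cmdline: str):
    """Return the page's label for a discovery command, or None."""
    tokens = _effective_tokens([t.strip("\"'") for t in cmdline.split()])
    if not tokens:
        return None
    name = _basename(tokens[0])
    if name not in TOOLS:
        return None
    args = [a.lower() for a in tokens[1:]]
    if name == "netstat":
        return "netstat"
    if name in ("net", "net1"):
        if args[:1] == ["use"]:
            return "net use"
        if args[:1] in (["session"], ["sessions"]):
            return "net session"
        return None  # other net subcommands are outside this technique
    if name == "lsof":
        return "lsof"
    if name == "who":
        # Only the "who -a" form is listed on the page; plain "who" is ignored.
        return "who -a" if "-a" in args else None
    if name == "w":
        return "w"
    # PowerShell is only interesting when the cmdlet from the page appears.
    return "Get-NetTCPConnection" if "get-nettcpconnection" in args else None


def detect(log_text: str):
    """Parse the event log and return one hit per discovery command seen."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, host, ppid, cmdline = line.split("|", 3)
        label = classify(cmdline)
        if label:
            hits.append({"ts": ts, "host": host, "parent_pid": int(ppid),
                         "label": label, "cmdline": cmdline})
    return hits


def chain_alerts(hits, threshold: int = 3):
    """Group hits by (host, parent PID); alert when a parent ran at least
    `threshold` distinct discovery commands, i.e. a chain, not a one-off."""
    by_parent = defaultdict(set)
    for h in hits:
        by_parent[(h["host"], h["parent_pid"])].add(h["label"])
    return {k: sorted(v) for k, v in by_parent.items() if len(v) >= threshold}


if __name__ == "__main__":
    found = detect(EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} ppid={h["parent_pid"]} {h["label"]:<22} {h["cmdline"]}')
    for (host, ppid), labels in chain_alerts(found).items():
        print(f"ALERT {host} ppid={ppid}: discovery chain {labels}")
```

With the constructed events, WS01 parent 4120 (netstat, net use, net session) and srv-lin-01 parent 2200 (lsof, who -a, w) each produce a chain alert, while the two hits under WS02 parent 7100 stay below the threshold and the plain `who` on parent 2300 is not flagged at all. The threshold and grouping key are the tuning knobs: grouping by parent PID is a cheap stand-in for a session or user key, which is what you would use in a real SIEM.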
Platforms: Linux, macOS, Windows
Data Sources: Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
- Atomic Test #2 - System Network Connections Discovery with PowerShell
- Atomic Test #3 - System Network Connections Discovery Linux & MacOS
Get a listing of network connections.
Supported Platforms: Windows
netstat
net use
net sessions

Get a listing of network connections.
Supported Platforms: Windows
Get-NetTCPConnection

Get a listing of network connections.
Supported Platforms: Linux, macOS
netstat
who -a