Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Sigma rule
title: Use Get-NetTCPConnection
id: b366adb4-d63d-422d-8a2c-186463b5ded0
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021-12-10
modified: 2023-10-27
tags:
  - attack.discovery
  - attack.t1049
logsource:
  product: windows
  category: ps_classic_start
detection:
  selection:
    Data|contains: 'Get-NetTCPConnection'
  condition: selection
falsepositives:
  - Unknown
level: low
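To show what the detection block above actually matches, here is an added example (not part of this rule page and not Sigma project code): a minimal evaluator for the rule's single `Data|contains` selection, run over a handful of constructed PowerShell classic log records. The mapping of the `ps_classic_start` logsource to Windows PowerShell log Event ID 400 is an assumption made for this demo, and the `SAMPLE_EVENTS` values are made up.

```python
"""Added example: evaluate this Sigma rule's selection over constructed events."""

# Constructed sample records modelled on the Windows PowerShell classic log
# (provider "PowerShell", Event ID 400). The Data field carries the
# HostApplication command line that the rule inspects. All values are made up.
SAMPLE_EVENTS = [
    {"EventID": 400,
     "Data": "HostApplication=powershell.exe -NoProfile -Command "
             "Get-NetTCPConnection -State Established"},
    {"EventID": 400,
     "Data": "HostApplication=powershell.exe get-nettcpconnection | Format-Table"},
    {"EventID": 400,
     "Data": "HostApplication=powershell.exe -File C:\\scripts\\backup.ps1"},
    {"EventID": 403,  # engine stop event, outside the ps_classic_start scope
     "Data": "HostApplication=powershell.exe Get-NetTCPConnection"},
]

# The rule's detection logic, reduced to what this evaluator needs.
RULE = {
    "title": "Use Get-NetTCPConnection",
    "level": "low",
    # Assumption for this demo: ps_classic_start corresponds to Event ID 400.
    "logsource_event_ids": {400},
    "selection": {"Data|contains": "Get-NetTCPConnection"},
}


def field_contains(value, needle):
    """Sigma string matching is case-insensitive unless the 'cased' modifier
    is used, so the comparison folds case on both sides."""
    return needle.casefold() in str(value).casefold()


def matches(event, rule=RULE):
    """Return True when the event is in scope for the logsource and every
    field in the selection map matches (Sigma maps are AND-ed)."""
    if event.get("EventID") not in rule["logsource_event_ids"]:
        return False
    for spec, needle in rule["selection"].items():
        field, _, modifier = spec.partition("|")
        value = event.get(field, "")
        if modifier == "contains":
            if not field_contains(value, needle):
                return False
        elif modifier == "":
            if str(value).casefold() != needle.casefold():
                return False
        else:
            raise ValueError(f"modifier not supported in this demo: {modifier}")
    return True


def alerts(events, rule=RULE):
    """Events that would raise this rule, in input order."""
    return [e for e in events if matches(e, rule)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {hit['Data']}")
```

The first two sample events match (the second only because matching is case-insensitive), the third has no cmdlet name in its command line, and the fourth is excluded by the Event ID scope rather than by the string test. One practical caveat when tuning this rule: the Event ID 400 record captures the host's start-up command line, so a cmdlet typed later inside an already-running interactive session will not appear in it; script block logging (Event ID 4104) is the usual complement for that gap.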
Related rules
- Cisco Discovery
- HackTool - SharpView Execution
- System Network Connections Discovery - Linux
- System Network Connections Discovery - MacOs
- System Network Connections Discovery Via Net.EXE