Use Get-NetTCPConnection - PowerShell Module

Aug 12, 2024 · attack.discovery attack.t1049 ·

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Sigma rule (View on GitHub)

 1title: Use Get-NetTCPConnection - PowerShell Module
 2id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
 3status: test
 4description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
 7author: frack113
 8date: 2021-12-10
 9modified: 2022-12-02
10tags:
11    - attack.discovery
12    - attack.t1049
13logsource:
14    product: windows
15    category: ps_module
16    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
17detection:
18    selection:
19        ContextInfo|contains: 'Get-NetTCPConnection'
20    condition: selection
21falsepositives:
22    - Unknown
23level: low

References

atomic-red-team/atomics/T1049/T1049.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

Use Get-NetTCPConnection - PowerShell Module

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1049/T1049.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules