Use Get-NetTCPConnection - PowerShell Module

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Sigma rule

```yaml
title: Use Get-NetTCPConnection - PowerShell Module
id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1
status: test
description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
author: frack113
date: 2021/12/10
modified: 2022/12/02
tags:
    - attack.discovery
    - attack.t1049
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: 'Get-NetTCPConnection'
    condition: selection
falsepositives:
    - Unknown
level: low
```
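
As an added illustration, not part of the rule or the SigmaHQ project, the Python below applies the rule's logic to constructed PowerShell module-logging records and pulls out the fields an analyst would want for triage; it assumes the usual Sigma mapping of `ps_module` to Event ID 4103 and that a `contains` match is case-insensitive, and the record layout and sample values (users, script path) are invented.

```python
# Constructed Event ID 4103 records (Microsoft-Windows-PowerShell/Operational,
# "module logging"), the source Sigma's ps_module category maps to. Only the
# EventData fields the rule uses are modelled; every value here is invented.
SAMPLE_EVENTS = [
    {"EventID": 4103,
     "Payload": 'CommandInvocation(Get-Process): "Get-Process"',
     "ContextInfo": ("Command Name = Get-Process\r\n"
                     "User = CORP\\alice")},
    {"EventID": 4103,
     "Payload": 'CommandInvocation(Get-NetTCPConnection): "Get-NetTCPConnection"',
     "ContextInfo": ("Command Name = Get-NetTCPConnection\r\n"
                     "User = CORP\\bob")},
    # Lower-case call from a script: Sigma's `contains` is case-insensitive,
    # so the rule must still fire on this record.
    {"EventID": 4103,
     "Payload": 'CommandInvocation(get-nettcpconnection): "get-nettcpconnection"',
     "ContextInfo": ("Command Name = get-nettcpconnection\r\n"
                     "Script Name = C:\\Temp\\recon.ps1\r\n"
                     "User = CORP\\bob")},
    # Same cmdlet name in a 4104 script-block record: outside this rule's
    # logsource, so it is left to the script-block rules.
    {"EventID": 4104, "ScriptBlockText": "Get-NetTCPConnection -State Listen"},
]

RULE_NEEDLE = "get-nettcpconnection"  # the rule's ContextInfo|contains value

def parse_context(context_info):
    """Split the 'Key = Value' lines of a 4103 ContextInfo field into a dict."""
    fields = {}
    for line in context_info.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def match_rule(events):
    """Apply the rule (EventID 4103 + case-insensitive substring on ContextInfo)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4103:
            continue
        ctx = ev.get("ContextInfo", "")
        if RULE_NEEDLE not in ctx.lower():
            continue
        fields = parse_context(ctx)
        hits.append({"user": fields.get("User"),
                     "command": fields.get("Command Name"),
                     "script": fields.get("Script Name")})
    return hits
```

Because `contains` matches the whole `ContextInfo` text, the rule also fires when the cmdlet name appears in a `Script Name` or `Host Application` value rather than in `Command Name`, which is why the extracted fields are worth checking before escalating.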
