System Network Connections Discovery Via Net.EXE

Feb 12, 2024 · attack.discovery attack.t1049 ·

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Sigma rule (View on GitHub)

 1title: System Network Connections Discovery Via Net.EXE
 2id: 1c67a717-32ba-409b-a45d-0fb704a73a81
 3status: test
 4description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 7author: frack113
 8date: 2021/12/10
 9modified: 2023/02/21
10tags:
11    - attack.discovery
12    - attack.t1049
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith:
19              - '\net.exe'
20              - '\net1.exe'
21        - OriginalFileName:
22              - 'net.exe'
23              - 'net1.exe'
24    selection_cli:
25        - CommandLine|endswith:
26              - ' use'
27              - ' sessions'
28        - CommandLine|contains:
29              - ' use '
30              - ' sessions '
31    condition: all of selection_*
32falsepositives:
33    - Unknown
34level: low

References

atomic-red-team/atomics/T1049/T1049.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

Read More

System Network Connections Discovery Via Net.EXE

Sigma rule (View on GitHub)

References

atomic-red-team/atomics/T1049/T1049.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

Related rules