Description
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include `netstat`, `net use`, and `net session` with Net. On macOS and Linux, `netstat` and `lsof` can be used to list current connections, while `who -a` and `w` show which users are currently logged in, similar to `net session`. Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. `show ip sockets`, `show tcp brief`).(Citation: US-CERT-TA18-106A) On ESXi servers, the command `esxcli network ip connection list` can be used to list active network connections.(Citation: Sygnia ESXi Ransomware 2025)
Platforms
Threat Groups (32)
| ID | Group | Context |
|---|---|---|
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.(Ci... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used <code>net use</code> to conduct connectivity checks to machines.(Citation: PWC Cloud Hopper... |
| G0033 | Poseidon Group | [Poseidon Group](https://attack.mitre.org/groups/G0033) obtains and saves information about victim network interfaces and addresses.(Citation: Kaspers... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has run <code>netstat -anp</code> to search for rival malware connections.(Citation: Trend Micro Team... |
| G0138 | Andariel | [Andariel](https://attack.mitre.org/groups/G0138) has used the <code>netstat -naop tcp</code> command to display TCP connections on a victim's machine... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used <code>netstat -ano</code> to determine network connection information.(Citation: Avira... |
| G0010 | Turla | [Turla](https://attack.mitre.org/groups/G0010) surveys a system upon check-in to discover active local network connections using the <code>netstat -an... |
| G0022 | APT3 | [APT3](https://attack.mitre.org/groups/G0022) has a tool that can enumerate current network connections.(Citation: Symantec Buckeye)(Citation: FireEye... |
| G0030 | Lotus Blossom | [Lotus Blossom](https://attack.mitre.org/groups/G0030) has used commands such as `netstat` to identify system network connections.(Citation: Cisco Lot... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has used `netstat -ano` on compromised hosts to enumerate network connections.(Citation: Joint ... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) had gathered user, IP address, and server data related to RDP sessions on a compromised host. I... |
| G1047 | Velvet Ant | [Velvet Ant](https://attack.mitre.org/groups/G1047) has enumerated existing network connections on victim devices.(Citation: Sygnia VelvetAnt 2024A) |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) used the <code>net use</code> command to get a listing on network connections.(Citation: Mandiant APT1) |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used <code>netstat -an</code> on a victim to get a listing of network connections.(Citation: Palo ... |
| G1022 | ToddyCat | [ToddyCat](https://attack.mitre.org/groups/G1022) has used `netstat -anop tcp` to discover TCP connections to compromised hosts.(Citation: Kaspersky T... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used quser.exe to identify existing RDP connections.(Citation: DFIR Report APT35 ProxyShell M... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used <code>netstat -ano | findstr EST</code> to discover network connections.(Citation: NCC Group... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used a PowerShell backdoor to check for Skype connections on the target machine.(Citation: Tre... |
| G0018 | admin@338 | [admin@338](https://attack.mitre.org/groups/G0018) actors used the following command following exploitation of a machine with [LOWBALL](https://attack... |
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) used <code>netstat -oan</code> to obtain information about the victim network connections.(Citation: ... |
Associated Software (60)
| ID | Name | Type | Context |
|---|---|---|---|
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can identify the IP and port numbers for all remote connections from the compromised host.(Citation... |
| S0094 | Trojan.Karagany | Malware | [Trojan.Karagany](https://attack.mitre.org/software/S0094) can use [netstat](https://attack.mitre.org/software/S0104) to collect a list of network con... |
| S0638 | Babuk | Malware | [Babuk](https://attack.mitre.org/software/S0638) can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryptio... |
| S0445 | ShimRatReporter | Tool | [ShimRatReporter](https://attack.mitre.org/software/S0445) used the Windows function <code>GetExtendedUdpTable</code> to detect connected UDP endpoint... |
| S0251 | Zebrocy | Malware | [Zebrocy](https://attack.mitre.org/software/S0251) uses <code>netstat -aon</code> to gather network connection information.(Citation: ESET Zebrocy May... |
| S0378 | PoshC2 | Tool | [PoshC2](https://attack.mitre.org/software/S0378) contains an implementation of [netstat](https://attack.mitre.org/software/S0104) to enumerate TCP an... |
| S0125 | Remsec | Malware | [Remsec](https://attack.mitre.org/software/S0125) can obtain a list of active connections and open ports.(Citation: Kaspersky ProjectSauron Technical ... |
| S0237 | GravityRAT | Malware | [GravityRAT](https://attack.mitre.org/software/S0237) uses the <code>netstat</code> command to find open ports on the victim’s machine.(Citation: Talo... |
| S0104 | netstat | Tool | [netstat](https://attack.mitre.org/software/S0104) can be used to enumerate local network connections, including active TCP connections and other netw... |
| S0356 | KONNI | Malware | [KONNI](https://attack.mitre.org/software/S0356) has used <code>net session</code> on the victim's machine.(Citation: Malwarebytes Konni Aug 2021) |
| S0488 | CrackMapExec | Tool | [CrackMapExec](https://attack.mitre.org/software/S0488) can discover active sessions for a targeted system.(Citation: CME Github September 2018) |
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) has used the "WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum" and "WNetAddConnection2W" functions... |
| S0241 | RATANKBA | Malware | [RATANKBA](https://attack.mitre.org/software/S0241) uses <code>netstat -ano</code> to search for specific IP address ranges.(Citation: RATANKBA) |
| S0335 | Carbon | Malware | [Carbon](https://attack.mitre.org/software/S0335) uses the <code>netstat -r</code> and <code>netstat -an</code> commands.(Citation: GovCERT Carbon May... |
| S0678 | Torisma | Malware | [Torisma](https://attack.mitre.org/software/S0678) can use `WTSEnumerateSessionsW` to monitor remote desktop connections.(Citation: McAfee Lazarus Nov... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can produce a sessions report from compromised hosts.(Citation: Talos Cobalt Strike September... |
| S0039 | Net | Tool | Commands such as <code>net use</code> and <code>net session</code> can be used in [Net](https://attack.mitre.org/software/S0039) to gather information... |
| S0089 | BlackEnergy | Malware | [BlackEnergy](https://attack.mitre.org/software/S0089) has gathered information about local network connections using [netstat](https://attack.mitre.o... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) can collect network and active connection information.(Citation: Securelist Dtrack) |
| S0091 | Epic | Malware | [Epic](https://attack.mitre.org/software/S0091) uses the <code>net use</code>, <code>net session</code>, and <code>netstat</code> commands to gather i... |
References
- Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019.
- Annamalai, N., Casey, C., Almeida, M., et al. (2019, June 18). What is Azure Virtual Network?. Retrieved October 6, 2019.
- Google. (2019, September 23). Virtual Private Cloud (VPC) network overview. Retrieved October 6, 2019.
- US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
- Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.
Frequently Asked Questions
What is T1049 (System Network Connections Discovery)?
T1049 is a MITRE ATT&CK technique named 'System Network Connections Discovery'. It belongs to the Discovery tactic(s). Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An...
How can T1049 be detected?
Detection of T1049 (System Network Connections Discovery) typically involves monitoring process-creation and command-line telemetry for the utilities named in the description (`netstat`, `net use`, `net session`, `lsof`, `who`, `w`, `quser`, and on ESXi `esxcli network ip connection list`), together with network-device CLI commands such as `show ip sockets` and `show tcp brief`. Use SIEM rules, EDR solutions, and behavioral analytics to correlate these events with other discovery activity on the same host rather than alerting on a single invocation, which is routine administrative behaviour.
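The following is an added example illustrating the detection approach described here and the utility list in the technique description above; it is not part of the ATT&CK page or any of its cited reports. It classifies constructed process-creation events (host, user, parent image, command line; all sample values are made up) against the discovery commands the page names, then flags hosts where several distinct discovery commands appear in the same batch, which is the "survey on check-in" behaviour the Threat Groups table describes. The rule names, the `ProcessEvent` record shape and the `min_distinct` threshold are choices made for this example.

```python
"""Flag host telemetry that looks like network-connection discovery (T1049).

Added example, not ATT&CK's own code: scores constructed process-creation
events against the command families the technique description names and
reports hosts where several distinct discovery commands appear together.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class ProcessEvent(NamedTuple):
    host: str
    user: str
    parent: str
    command_line: str


# One rule per command family from the technique description. Keyed by a
# short rule name so a detection can say *which* discovery command fired.
RULES: Dict[str, re.Pattern] = {
    "netstat": re.compile(r"(?:^|[\\/\s])netstat(?:\.exe)?\b", re.I),
    "net_use_or_session": re.compile(r"(?:^|[\\/\s])net(?:\.exe)?\s+(?:use|session)\b", re.I),
    "quser": re.compile(r"(?:^|[\\/\s])quser(?:\.exe)?\b", re.I),
    "lsof_network": re.compile(r"(?:^|[\\/\s])lsof\b.*\s-i"),  # lsof -i: network files only
    "who_or_w": re.compile(r"^(?:who|w)(?:\s|$)"),
    "esxcli_connections": re.compile(r"\besxcli\s+network\s+ip\s+connection\s+list\b", re.I),
    "network_device_show": re.compile(r"\bshow\s+(?:ip\s+sockets|tcp\s+brief)\b", re.I),
}


def classify(command_line: str) -> Optional[str]:
    """Return the name of the first matching discovery rule, or None."""
    cmd = command_line.strip()
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            return name
    return None


def detect(events: List[ProcessEvent], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Group rule hits per host; keep hosts with >= min_distinct distinct rules.

    A single netstat from an administrator is routine; several different
    connection-discovery commands from the same host in one batch is the
    behaviour worth escalating.
    """
    hits: Dict[str, set] = defaultdict(set)
    for ev in events:
        rule = classify(ev.command_line)
        if rule:
            hits[ev.host].add(rule)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_distinct}


# Constructed sample telemetry (hypothetical hosts and users, not from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "jdoe", "explorer.exe", "C:\\Windows\\System32\\netstat.exe -ano"),
    ProcessEvent("ws01", "jdoe", "cmd.exe", "net use"),
    ProcessEvent("ws01", "jdoe", "cmd.exe", "quser"),
    ProcessEvent("srv02", "svc_backup", "powershell.exe", "net session"),
    ProcessEvent("srv02", "admin", "cmd.exe", "netstat -ano | findstr EST"),
    ProcessEvent("lnx03", "www-data", "bash", "lsof -i -P -n"),
    ProcessEvent("lnx03", "root", "sshd", "who -a"),
    ProcessEvent("esx01", "root", "sh", "esxcli network ip connection list"),
    ProcessEvent("ws04", "jdoe", "explorer.exe", "C:\\Windows\\System32\\notepad.exe report.txt"),
]

if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(f"{host}: possible T1049 activity via {', '.join(rules)}")
```

With the sample batch, `ws01`, `srv02` and `lnx03` are reported while `esx01` (one command) and `ws04` (no discovery command) are not; lowering `min_distinct` to 1 turns the same rules into a plain per-command hunt query.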
What mitigations exist for T1049?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1049?
Known threat groups using T1049 include: APT38, menuPass, Poseidon Group, TeamTNT, Andariel, Mustang Panda, Turla, APT3.