īlackEnergy has gathered information about local network connections using netstat.
īackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports. īabuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption. Īria-body has the ability to gather TCP and UDP table status listings. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions. ĪPT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. ĪPT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. ĪPT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine. ĪPT3 has a tool that can enumerate current network connections. ĪPT1 used the net use command to get a listing on network connections. Live Version Procedure Examples actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: netstat -ano > %temp%\download Īndariel has used the netstat -naop tcp command to display TCP connections on a victim's machine. who -a and w can be used to show which users are currently logged in, similar to "net session". In Mac and Linux, netstat and lsof can be used to list current connections. Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. Cloud providers may have different ways in which their virtual networks operate. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.Īn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected.
0 kommentar(er)
