Lucifer can identify the IP and port numbers for all remote connections from the compromised host. Lizar has a plugin to retrieve information about all active network sessions on the infected server. Lazarus Group has used net use to identify and establish a network connection with a remote host. Kwampirs collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use. KONNI has used net session on the victim's machine. Ke3chang performs local network connection discovery using netstat. GravityRAT uses the netstat command to find open ports on the victim’s machine. GALLIUM used netstat -oan to obtain information about the victim network connections. įlagpro has been used to execute netstat -ano on a compromised host. Įpic uses the net use, net session, and netstat commands to gather information on network connections. Įmpire can enumerate the current network connections of a host. Įgregor can enumerate all connected drives. The discovery modules used with Duqu can collect information on network connections. ĭtrack can collect network and active connection information. Ĭuba can use the function GetIpNetTable to recover the last connections to the victim's machine. ĬrackMapExec can discover active sessions for a targeted system. Ĭonti can enumerate routine network connections from a compromised host. Ĭomnie executes the netstat -ano command. Ĭobalt Strike can produce a sessions report from compromised hosts. Ĭhimera has used netstat -ano | findstr EST to discover network connections. ĬharmPower can use netsh wlan show profiles to list specific Wi-Fi profile details. Ĭarbon uses the netstat -r and netstat -an commands. īlackEnergy has gathered information about local network connections using netstat. īackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports. īabuk can use "WNetOpenEnumW" and "WNetEnumResourceW" to enumerate files in network resources for encryption. Īria-body has the ability to gather TCP and UDP table status listings. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions. ĪPT41 has enumerated IP addresses of network resources and used the netstat command as part of network reconnaissance. ĪPT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system. ĪPT32 used the netstat -anpo tcp command to display TCP connections on the victim's machine. ĪPT3 has a tool that can enumerate current network connections. ĪPT1 used the net use command to get a listing on network connections. Live Version Procedure Examples actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: netstat -ano > %temp%\download Īndariel has used the netstat -naop tcp command to display TCP connections on a victim's machine. Additionally, built-in features native to network devices and Network Device CLI may be used. who -a and w can be used to show which users are currently logged in, similar to "net session". In Mac and Linux, netstat and lsof can be used to list current connections. Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services. Cloud providers may have different ways in which their virtual networks operate. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.Īn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |