This site has been deprecated in favor of https://attack.mitre.org and will remain in place until 11/1/22.

Network Connection Enumeration

From attackics
Jump to navigation Jump to search

To visit this technique’s new page please go to and update your links to https://attack.mitre.org/techniques/T0840

Network Connection Enumeration
Technique
ID T0840
Tactic Discovery
Data Sources Command: Command Execution, Process: OS API Execution, Process: Process Creation
Asset Human-Machine Interface

Description

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network 1. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.


Procedure Examples

  • EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system.2
  • Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks.3

Mitigations


References

  1. ^  MITRE. (n.d.). System Network Connections Discovery. Retrieved May 31, 2018.
  2. ^  Ben Hunter and Fred Gutierrez. (2020, July 01). EKANS Ransomware Targeting OT ICS Systems. Retrieved April 12, 2021.
  1. ^  Anton Cherepanov, ESET. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved September 15, 2017.



v · d · e
Adversary Techniques
Initial Access
Execution
Persistence
Evasion
Discovery
Lateral Movement
Collection
Inhibit Response Function
Impair Process Control
Impact


Retrieved from "https://collaborate.mitre.org/attackics/index.php?title=Technique/T0840&oldid=9705"