πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
T1124: System Time Discovery
T1007: System Service Disvcovery
T1033: System Owner/User Directory
T1049: System Network Connections Discovery
T1016: System Network Configuration Discovery
T1082: System Information Discovery
T1518: Software Discovery
T1018: Remote System Discovery
T1012: Query Registry
T1057: Process Discovery
T1069: Permissions Groups Discovery
T1120: Peripheral Device Discovery
T1201: Password Policy Discovery
T1040: Network Sniffing
T1135: Network Share Discovery
T1046: Network Servie Scanning
T1083: File and Directory Discovery
T1486: Domain Trust Discovery
T1217: Browser Bookmark Discovery
T1010: Application Window Discovery
T1087: Account Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
T1049: System Network Connections Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.
Utilities and commands that acquire this information include netstat, "net use", and "net session" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. Who -a and w can be used to show which users are currently logged in, similar to "net session".
Example
Working with the netstat, net use and net session commands to discover connections
NetStat
Net use
Net sessions
Previous
T1033: System Owner/User Directory
Next
T1016: System Network Configuration Discovery
Last modified 1yr ago
Copy link