System Network Connections Discovery (T1049) is a MITRE ATT&CK technique in the Discovery tactic. SOC analysts detect it by monitoring XDR and SIEM telemetry for the process executions, command sequences and behavioral anomalies described in this detection guide. Practice detection in SOCSimulator Operations.
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system may want to know all network connections currently established on the system or all listening services and their associated ports. This information helps attackers understand the network topology, identify communication paths to other systems, discover management interfaces and their protocols, and find active sessions belonging to privileged users that can be hijacked. Network connection data reveals which services are actively communicating, what external systems the compromised host talks to, and which internal systems are accessible from the current position. Tools used for network connection discovery include netstat.exe on Windows, ss and netstat on Linux, and PowerShell cmdlets like Get-NetTCPConnection.
“System Network Connections Discovery is documented as technique T1049 in the MITRE ATT&CK knowledge base under the Discovery tactic. Detection requires visibility into XDR and SIEM telemetry, in particular process-creation events that record the command line.”
Detection Strategies
The following detection strategies help SOC analysts identify System Network Connections Discovery activity. These methods apply across XDR and SIEM environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform. All of them depend on process-creation telemetry that captures the full command line (for example Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled), since the image name alone does not distinguish netstat -ano from netstat -r.
1. Monitor for execution of network connection enumeration commands including netstat -ano, netstat -b, Get-NetTCPConnection, and ss -tulpn from non-administrative accounts or from processes that do not normally query network state (for example a web server worker, an Office application, or rundll32.exe as the parent). These commands are common in legitimate troubleshooting, so baseline which accounts and parent processes run them before alerting on every execution; note that netstat -b requires an elevated prompt on Windows, so its use from an unprivileged account will fail but still leaves a process-creation event.
2. Alert on network connection discovery commands executed in rapid succession with system information and process discovery commands (ipconfig, systeminfo, whoami, tasklist, arp), as this combination indicates comprehensive post-compromise reconnaissance rather than isolated administrative activity.
3. Detect automated querying of network connection state at high frequency, as post-exploitation frameworks perform continuous network state monitoring to track changes in active sessions and identify opportunities for lateral movement. A human troubleshooting a host rarely runs the same query more than a few times a minute.
4. Monitor for scripts or tools enumerating listening services and their port numbers, as attackers use this information to identify locally running services that can be exploited for privilege escalation or used as pivot points.
5. Track access to routing table information using route print and netstat -r, which attackers examine to understand network segmentation and identify routes to restricted network segments not directly accessible from the current position. Rules that key only on netstat -ano or -b will miss this variant.
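As an added illustration of strategies 1, 2, 3 and 5 above (and of the netstat-then-tscon.exe chain in the example alerts below), here is detection logic that runs over a handful of constructed process-creation events. This is example code, not SOCSimulator's or the page author's; the event field names, the admin-account and parent-process allow-lists, and the time windows and thresholds are assumptions that a real deployment would replace with its own baseline.

```python
"""T1049 detection over constructed process-creation telemetry.

Added example, not SOCSimulator's or the page author's code. Field names
(ts, host, user, parent, image, cmdline) are assumptions modelled on
Sysmon Event ID 1 / EDR process-creation records; the allow-lists and
thresholds below are placeholders for an environment's own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"corp\\jdoe_admin"}                              # assumed: accounts expected to run these tools
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}  # assumed: normal launchers
DISCOVERY_TAGS = {"conn", "route", "sysinfo", "arp", "proc"}
CHAIN_WINDOW = timedelta(seconds=60)      # strategy 2: several discovery tools in quick succession
POLL_WINDOW = timedelta(seconds=60)       # strategy 3: repeated connection-state queries
POLL_THRESHOLD = 10
HIJACK_WINDOW = timedelta(minutes=10)     # connection discovery followed by tscon.exe


def ev(ts, host, user, parent, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample events (not from any real environment).
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00", "SRV-APP-01", "CORP\\svc_web", "powershell.exe", "ipconfig.exe", "ipconfig /all"),
    ev("2024-05-01T10:00:12", "SRV-APP-01", "CORP\\svc_web", "powershell.exe", "arp.exe", "arp -a"),
    ev("2024-05-01T10:00:25", "SRV-APP-01", "CORP\\svc_web", "powershell.exe", "netstat.exe", "netstat -ano"),
    ev("2024-05-01T10:00:41", "SRV-APP-01", "CORP\\svc_web", "powershell.exe", "route.exe", "route print"),
    ev("2024-05-01T10:03:00", "SRV-APP-01", "CORP\\svc_web", "powershell.exe", "tscon.exe", "tscon 2 /dest:console"),
    # a lone routing-table check by an administrator from an interactive shell: should stay quiet
    ev("2024-05-01T11:00:00", "WS-ADM-07", "CORP\\jdoe_admin", "cmd.exe", "netstat.exe", "netstat -r"),
    # connection state polled every two seconds from an odd parent: framework-style automation
    *[ev(f"2024-05-01T12:00:{s:02d}", "WS-DEV-023", "CORP\\bob", "rundll32.exe", "netstat.exe", "netstat -ano")
      for s in range(0, 30, 2)],
]


def classify(event):
    """Map a process-creation event to a discovery category, or None if uninteresting."""
    image = event["image"].lower().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower()
    if image in ("netstat.exe", "netstat") or cmd.startswith("netstat"):
        # netstat -r / -rn prints the routing table (strategy 5); anything else lists connections
        short_opts = [t for t in cmd.split() if t.startswith("-") and not t.startswith("--")]
        return "route" if any("r" in t for t in short_opts) else "conn"
    if image == "ss" or cmd.startswith("ss ") or "get-nettcpconnection" in cmd:
        return "conn"
    if image == "route.exe" and "print" in cmd:
        return "route"
    if image in ("ipconfig.exe", "systeminfo.exe", "whoami.exe", "hostname.exe"):
        return "sysinfo"
    if image == "arp.exe":
        return "arp"
    if image == "tasklist.exe" or "get-process" in cmd:
        return "proc"
    if image == "tscon.exe":
        return "hijack"
    return None


def alert(severity, rule, host, ts, detail):
    return {"severity": severity, "rule": rule, "host": host, "ts": ts.isoformat(), "detail": detail}


def detect(events):
    """Return alert dicts for the patterns described in the detection strategies."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        tag = classify(e)
        if tag:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), tag, e))

    alerts, seen_context = [], set()
    for host, evs in by_host.items():
        # Strategy 1: enumeration from a non-admin account or an unusual parent (one alert per context per batch)
        for ts, tag, e in evs:
            key = (host, e["user"].lower(), e["parent"].lower())
            if tag in ("conn", "route") and key not in seen_context:
                seen_context.add(key)
                if key[1] not in ADMIN_ACCOUNTS or key[2] not in EXPECTED_PARENTS:
                    alerts.append(alert("Low", "enumeration_unexpected_context", host, ts, e["cmdline"]))

        # Strategy 2: three or more distinct discovery categories inside CHAIN_WINDOW, one alert per burst
        i = 0
        while i < len(evs):
            ts0 = evs[i][0]
            burst = [x for x in evs[i:] if x[0] - ts0 <= CHAIN_WINDOW]   # a prefix, since evs is sorted
            tags = {t for _, t, _ in burst} & DISCOVERY_TAGS
            if tags & {"conn", "route"} and len(tags) >= 3:
                alerts.append(alert("Medium", "reconnaissance_chain", host, ts0,
                                    "; ".join(e["cmdline"] for _, _, e in burst)))
                i += len(burst)
            else:
                i += 1

        # Strategy 3: automated polling of connection state
        conn_ts = [ts for ts, tag, _ in evs if tag == "conn"]
        for j, ts0 in enumerate(conn_ts):
            n = sum(1 for t in conn_ts[j:] if t - ts0 <= POLL_WINDOW)
            if n >= POLL_THRESHOLD:
                alerts.append(alert("Medium", "connection_state_polling", host, ts0,
                                    f"{n} connection queries within {POLL_WINDOW.seconds}s"))
                break

        # Connection discovery followed by tscon.exe on the same host: the session-hijack pattern
        for ts, tag, e in evs:
            if tag == "hijack" and any(tg == "conn" and timedelta(0) <= ts - t <= HIJACK_WINDOW
                                       for t, tg, _ in evs):
                alerts.append(alert("High", "session_hijack_after_discovery", host, ts, e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:<6}] {a['host']} {a['ts']} {a['rule']}: {a['detail']}")
```

On the sample data this raises five alerts: a Low for each of the two unexpected contexts, a Medium reconnaissance chain and a High hijack alert on SRV-APP-01, and a Medium polling alert on WS-DEV-023, while the administrator's lone netstat -r on WS-ADM-07 stays silent. The per-burst and per-context de-duplication is what keeps strategy 1 from producing fifteen alerts for the polling host; in a live SIEM the same idea is usually expressed as a group-by on host and user with a count threshold over a time bucket.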
Example Alerts
These realistic alert examples show what System Network Connections Discovery looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
Medium (XDR)
Network State Enumeration as Part of Reconnaissance Chain
Command execution sequence detected on compromised server: ipconfig /all, arp -a, netstat -ano, and route print executed within 45 seconds by a PowerShell process. This systematic collection of network configuration, connection state, and routing information provides a complete picture of the server network posture and reachable network segments. The sequence is a standard post-exploitation reconnaissance pattern used to plan subsequent lateral movement.
High (SIEM)
Active Session Hijacking Preceded by Connection Discovery
Network connection enumeration via netstat -ano on a compromised server showed an established inbound RDP connection (TCP 3389) from an internal management server, corresponding to an active administrator session. The attacker then used that session information to perform RDP session hijacking with tscon.exe, taking over the administrator's session without supplying credentials (tscon hijacking requires SYSTEM privileges on the host, so the attacker had already escalated). The discovery step was what identified the active privileged session available for hijacking.
Low (XDR)
Listening Service Enumeration for Lateral Movement Planning
netstat -ano command output captured by EDR telemetry on workstation WS-DEV-023, showing all established connections and listening services including local SSH daemon on port 22, a local web application on port 8080, and database connections to internal DB servers. This enumeration of locally running services and their destination IPs provides the attacker with a map of accessible internal services that are otherwise not directly reachable from their initial access point.
Practice Detecting System Network Connections Discovery
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including System Network Connections Discovery. Build detection skills with zero consequences — free forever.
How do SOC analysts detect System Network Connections Discovery?
SOC analysts detect System Network Connections Discovery (T1049) by monitoring XDR and SIEM telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for execution of network connection enumeration commands such as netstat -ano, netstat -b, Get-NetTCPConnection, and ss -tulpn from non-administrative accounts or from processes that do not normally query network state, and correlating them with other discovery commands run in quick succession. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect System Network Connections Discovery?
System Network Connections Discovery can be detected using XDR and SIEM platforms. XDR tools are particularly effective for this technique because they record process creation with full command lines on the endpoint, which is where the discovery phase of the attack chain is visible. SOCSimulator simulates SIEM, XDR, and Firewall interfaces for hands-on training.
How common is System Network Connections Discovery in real-world attacks?
System Network Connections Discovery is a well-documented MITRE ATT&CK technique in the Discovery tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic System Network Connections Discovery scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting System Network Connections Discovery for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Discovery techniques like System Network Connections Discovery. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.