Detects usage of commands or binaries (e.g., `netstat`, PowerShell `Get-NetTCPConnection`) and WMI or API calls to enumerate local or remote network connections.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |

| Field | Description |
|---|---|
| SuspiciousParentProcesses | Non-standard binaries launching PowerShell or netstat (e.g., winword.exe spawning powershell.exe). |
| TimeWindow | Correlates discovery behavior before lateral movement or credential access. |
| CommandPatternList | Regex or keyword patterns to match discovery utilities (e.g., `netstat`, `Get-NetTCPConnection`). |
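The following is an added example, not part of this analytic's own content, showing how the CommandPatternList and SuspiciousParentProcesses elements above could be applied to Sysmon EventCode=1 and PowerShell EventCode=4104 records. The event dictionaries, the pattern list and the parent-process set are constructed for illustration (winword.exe is the page's example; excel.exe and outlook.exe are assumed additions) and would normally come from the SIEM's field extraction and the environment's tuning.

```python
import re
from typing import List, Optional

# --- Mutable elements from the analytic; the concrete values are constructed for this example ---
COMMAND_PATTERN_LIST = [
    # netstat as a bare command or a full path, with or without the .exe suffix
    re.compile(r"""(?:^|[\\\s"'])netstat(?:\.exe)?\b""", re.IGNORECASE),
    re.compile(r"\bGet-NetTCPConnection\b", re.IGNORECASE),
]
# Parents that have no business launching discovery tooling (winword.exe is the page's
# example; excel.exe and outlook.exe are assumed additions in the same spirit)
SUSPICIOUS_PARENT_PROCESSES = {"winword.exe", "excel.exe", "outlook.exe"}

# --- Constructed sample telemetry with the Sysmon EventCode=1 / PowerShell EventCode=4104 fields used here ---
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:05", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c Get-NetTCPConnection -State Established",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:09", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 4104, "UtcTime": "2024-05-01 10:01:00", "User": "CORP\\svc-backup",
     "ScriptBlockText": "Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'}"},
    {"EventCode": 4104, "UtcTime": "2024-05-01 10:01:30", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ChildItem C:\\Users"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_pattern(text: str) -> Optional[str]:
    """Return the first CommandPatternList entry that matches, or None."""
    for pat in COMMAND_PATTERN_LIST:
        if pat.search(text):
            return pat.pattern
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it is not network-connection discovery."""
    if event["EventCode"] == 1:
        pattern = matched_pattern(event.get("CommandLine", ""))
        if pattern is None:
            return None
        parent = basename(event.get("ParentImage", ""))
        # A discovery utility spawned by an Office parent is the high-confidence case;
        # the same command from cmd.exe or explorer.exe is only low-severity context.
        severity = "high" if parent in SUSPICIOUS_PARENT_PROCESSES else "low"
        return {"time": event["UtcTime"], "user": event["User"], "source": "Sysmon:1",
                "pattern": pattern, "parent": parent, "severity": severity}
    if event["EventCode"] == 4104:
        # Script block logging catches the cmdlet even when the launching command line was hidden
        pattern = matched_pattern(event.get("ScriptBlockText", ""))
        if pattern is None:
            return None
        return {"time": event["UtcTime"], "user": event["User"], "source": "PowerShell:4104",
                "pattern": pattern, "parent": None, "severity": "medium"}
    return None


def run(events: List[dict]) -> List[dict]:
    """Evaluate a batch of events and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The TimeWindow element is not shown here: correlating these findings with later lateral-movement or credential-access events is a second stage that would consume the findings this stage emits.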
Detects use of `netstat`, `ss`, `lsof`, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Command Execution (DC0064) | linux:cli | command logging |

| Field | Description |
|---|---|
| UtilityNameList | List of binaries used for discovery (e.g., netstat, ss, lsof). |
| UserContextScope | Limit detection to non-administrative or service accounts performing enumeration. |
| ExecutionFrequencyThreshold | Unusual number of executions within a short time window. |
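An added example (not part of this analytic) that applies the UtilityNameList, UserContextScope and ExecutionFrequencyThreshold elements to raw auditd execve records. The SYSCALL and EXECVE lines are constructed in the standard auditd layout and joined on their audit serial so the finding carries the reconstructed argv; the admin auid set, threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# --- Mutable elements; values below are constructed for this example ---
UTILITY_NAME_LIST = {"netstat", "ss", "lsof"}
ADMIN_AUIDS = {"1000"}              # assumed: login UIDs whose enumeration is routine (out of scope)
EXECUTION_FREQUENCY_THRESHOLD = 3   # this many discovery executions by one auid ...
TIME_WINDOW_SECONDS = 60            # ... within this many seconds raises a burst finding

# --- Constructed auditd records: each execve yields a SYSCALL line and an EXECVE line sharing a serial ---
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714557601.100:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1001 uid=1001 comm="netstat" exe="/usr/bin/netstat" key="discovery"
type=EXECVE msg=audit(1714557601.100:501): argc=2 a0="netstat" a1="-tulpn"
type=SYSCALL msg=audit(1714557605.200:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2102 auid=1001 uid=1001 comm="ss" exe="/usr/bin/ss" key="discovery"
type=EXECVE msg=audit(1714557605.200:502): argc=2 a0="ss" a1="-antp"
type=SYSCALL msg=audit(1714557610.300:503): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2103 auid=1001 uid=1001 comm="lsof" exe="/usr/bin/lsof" key="discovery"
type=EXECVE msg=audit(1714557610.300:503): argc=2 a0="lsof" a1="-i"
type=SYSCALL msg=audit(1714557612.000:504): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=905 auid=1000 uid=1000 comm="netstat" exe="/usr/bin/netstat" key="discovery"
type=EXECVE msg=audit(1714557612.000:504): argc=2 a0="netstat" a1="-rn"
type=SYSCALL msg=audit(1714557620.000:505): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2104 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="discovery"
type=EXECVE msg=audit(1714557620.000:505): argc=2 a0="cat" a1="/etc/hosts"
"""

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value optionally double-quoted
MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")        # timestamp and serial inside msg=audit(...)


def parse_audit_log(text: str) -> List[dict]:
    """Join SYSCALL and EXECVE records that share a serial into one execution event."""
    by_serial: Dict[str, dict] = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        m = MSG.search(fields.get("msg", ""))
        if not m:
            continue
        ts, serial = float(m.group(1)), m.group(2)
        rec = by_serial.setdefault(serial, {"ts": ts, "serial": serial, "argv": []})
        if fields.get("type") == "SYSCALL":
            rec.update(auid=fields.get("auid"), uid=fields.get("uid"),
                       comm=fields.get("comm"), exe=fields.get("exe"))
        elif fields.get("type") == "EXECVE":
            # argv is only taken from the EXECVE record; a0..a3 on SYSCALL are raw register values
            keys = sorted((k for k in fields if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
            rec["argv"] = [fields[k] for k in keys]
    return sorted(by_serial.values(), key=lambda r: r["ts"])


def detect(events: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Return (in-scope discovery executions, burst findings per auid)."""
    matches, bursts = [], []
    recent: Dict[str, deque] = defaultdict(deque)
    for ev in events:
        if ev.get("comm") not in UTILITY_NAME_LIST:
            continue                      # UtilityNameList
        if ev.get("auid") in ADMIN_AUIDS:
            continue                      # UserContextScope: admins are expected to enumerate
        matches.append(ev)
        window = recent[ev["auid"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > TIME_WINDOW_SECONDS:
            window.popleft()              # sliding window over this auid's recent executions
        if len(window) >= EXECUTION_FREQUENCY_THRESHOLD:
            bursts.append({"auid": ev["auid"], "count": len(window),
                           "first": window[0], "last": ev["ts"]})
    return matches, bursts


if __name__ == "__main__":
    hits, alerts = detect(parse_audit_log(SAMPLE_AUDIT_LOG))
    for h in hits:
        print(h["ts"], h["auid"], " ".join(h["argv"]))
    print("bursts:", alerts)
```

The same two-stage shape (match the utility, then count per account inside a window) carries over to the macOS and ESXi analytics below; only the parser in front of it changes.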
Detects shell-based enumeration of active connections using `netstat`, `lsof -i`, or AppleScript-based system discovery.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:osquery | process_events |

| Field | Description |
|---|---|
| ShellCommandWatchlist | Matches terminal commands like `lsof -i`, `netstat`, or scripts issued via Automator or AppleScript. |
| TerminalBinaryDenylist | Tracks execution of networking discovery tools by apps outside Terminal.app or iTerm. |
Detects shell or API usage of `esxcli network ip connection list` or `netstat` to enumerate ESXi host connections.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:hostd | command log |

| Field | Description |
|---|---|
| ExecutionOriginCheck | Detect commands executed outside normal management interfaces (e.g., SSH or root shell). |
| ExpectedAdminAccessWindow | Timeframe when host connection audits are expected (e.g., maintenance windows). |
Detects interactive or automated use of CLI commands like `show ip sockets`, `show tcp brief`, or SNMP queries for active sessions on routers/switches.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:cli | command logs |
| OS API Execution (DC0021) | snmp:trap | management queries |

| Field | Description |
|---|---|
| CommandPatternList | Monitors for known socket/session query strings. |
| PrivilegedUserCheck | Restrict detections to non-admin roles executing advanced queries. |
Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI).

| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | AWS:CloudTrail | Describe* or List* API calls |
| Network Traffic Content (DC0085) | azure:activity | networkInsightsLogs |

| Field | Description |
|---|---|
| ServicePrincipalAllowlist | Allow certain automation roles to perform discovery during provisioning. |
| BurstQueryThreshold | Unusual number of Describe* or List* network API calls in a short timeframe. |
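An added example (not part of this analytic) that applies the ServicePrincipalAllowlist and BurstQueryThreshold elements to AWS CloudTrail records. The CloudTrail `Records` array is constructed with the standard `eventTime`, `eventSource`, `eventName`, `userIdentity.arn` and `sourceIPAddress` fields; the account id, principal ARNs, the TerraformProvisioner role, the set of network-related Describe calls, the threshold and the window are all assumed values for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# --- Mutable elements; values below are constructed for this example ---
# Describe*/List* calls that enumerate the network objects named in the analytic
NETWORK_DISCOVERY_CALL = re.compile(
    r"^(?:Describe|List)(?:NetworkInterfaces|Vpcs|Subnets|VpcPeeringConnections)$")
# ServicePrincipalAllowlist: ARN prefixes of automation roles allowed to enumerate during provisioning
SERVICE_PRINCIPAL_ALLOWLIST = ("arn:aws:sts::123456789012:assumed-role/TerraformProvisioner/",)
BURST_QUERY_THRESHOLD = 4     # this many discovery calls by one principal ...
BURST_WINDOW_SECONDS = 300    # ... within this many seconds is a burst

# --- Constructed CloudTrail sample (account id and principals are placeholders) ---
JDOE = "arn:aws:iam::123456789012:user/jdoe"
OPS = "arn:aws:iam::123456789012:user/ops"
TF = "arn:aws:sts::123456789012:assumed-role/TerraformProvisioner/apply-20240501"


def _rec(t: str, name: str, arn: str, ip: str) -> dict:
    """Build one CloudTrail record with the fields this example consumes."""
    return {"eventTime": t, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}


SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "DescribeNetworkInterfaces", JDOE, "198.51.100.23"),
    _rec("2024-05-01T10:00:12Z", "DescribeVpcs", JDOE, "198.51.100.23"),
    _rec("2024-05-01T10:00:25Z", "DescribeSubnets", JDOE, "198.51.100.23"),
    _rec("2024-05-01T10:00:40Z", "DescribeVpcPeeringConnections", JDOE, "198.51.100.23"),
    _rec("2024-05-01T10:00:41Z", "RunInstances", JDOE, "198.51.100.23"),
    _rec("2024-05-01T10:02:00Z", "DescribeVpcs", TF, "10.0.5.8"),
    _rec("2024-05-01T10:02:01Z", "DescribeSubnets", TF, "10.0.5.8"),
    _rec("2024-05-01T10:30:00Z", "DescribeVpcs", OPS, "203.0.113.9"),
]})


def parse_records(text: str) -> List[dict]:
    """Flatten the CloudTrail JSON into time-sorted dicts with the fields used here."""
    out = []
    for r in json.loads(text)["Records"]:
        out.append({"t": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
                    "principal": r["userIdentity"]["arn"],
                    "name": r["eventName"], "ip": r.get("sourceIPAddress")})
    return sorted(out, key=lambda r: r["t"])


def is_allowlisted(arn: str) -> bool:
    """ServicePrincipalAllowlist check by ARN prefix (covers every session of the role)."""
    return any(arn.startswith(prefix) for prefix in SERVICE_PRINCIPAL_ALLOWLIST)


def discovery_calls(records: List[dict]) -> Dict[str, List[dict]]:
    """Group in-scope network discovery calls by principal, dropping allowlisted automation."""
    calls: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        if NETWORK_DISCOVERY_CALL.match(r["name"]) and not is_allowlisted(r["principal"]):
            calls[r["principal"]].append(r)
    return dict(calls)


def find_bursts(calls: Dict[str, List[dict]]) -> List[dict]:
    """BurstQueryThreshold: report each principal whose calls cluster inside the window."""
    bursts = []
    window = timedelta(seconds=BURST_WINDOW_SECONDS)
    for principal, rs in calls.items():
        ts = [r["t"] for r in rs]          # sorted because parse_records sorted the input
        for i in range(len(ts) - BURST_QUERY_THRESHOLD + 1):
            if ts[i + BURST_QUERY_THRESHOLD - 1] - ts[i] <= window:
                inside = [r for r in rs if ts[i] <= r["t"] <= ts[i] + window]
                bursts.append({"principal": principal, "count": len(inside),
                               "start": ts[i], "end": inside[-1]["t"],
                               "calls": [r["name"] for r in inside]})
                break                      # one finding per principal is enough
    return bursts


if __name__ == "__main__":
    grouped = discovery_calls(parse_records(SAMPLE_CLOUDTRAIL))
    for b in find_bursts(grouped):
        print(b["principal"], b["count"], b["calls"])
```

Matching the allowlist by role prefix rather than by full session ARN matters because every assumed-role session gets a different suffix; a single `ops` user issuing one DescribeVpcs stays visible in the grouped calls without raising a burst.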