Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools such as Netstat [1], in conjunction with System Firmware, then they can determine the role of certain devices on the network [2]. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.
ID | Name | Description |
---|---|---|
S0605 | EKANS | EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. [3] |
S0604 | Industroyer | Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. [4] |
ID | Mitigation | Description |
---|---|---|
M0816 | Mitigation Limited or Not Effective | Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig). |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |
DS0009 | Process | OS API Execution | Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see System Network Configuration Discovery and System Network Connections Discovery. |
DS0009 | Process | Process Creation | Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
DS0012 | Script | Script Execution | Monitor for any suspicious attempts to enable script execution on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
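The Command Execution and Process Creation rows above describe what to watch for but not how a rule over process telemetry would look. The following is an added example, not part of the ATT&CK page and not code from MITRE: it runs a simple classifier over constructed process-creation records (host, user, parent, image, command line, modelled loosely on Sysmon Event ID 1 fields). The binaries it matches (netstat, ipconfig, ifconfig, arp) come from the page; the PowerShell cmdlet and WMI class patterns, the sample events, and the "unexpected parent" heuristic are assumptions added here for illustration.

```python
"""Added detection example (not from the ATT&CK page): flag process-creation
events that enumerate network connections or network configuration."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Binaries named on the page. The reason strings are our own labels.
ENUM_BINARIES = {
    "netstat": "network connection listing",
    "ipconfig": "network configuration discovery",
    "ifconfig": "network configuration discovery",
    "arp": "ARP cache / MAC address discovery",
}

# PowerShell cmdlets and WMI classes that return the same information
# (assumed set for illustration; the page only says "WMI and PowerShell").
PS_WMI_PATTERN = re.compile(
    r"get-nettcpconnection|get-netadapter|get-netipaddress|get-netneighbor|"
    r"win32_networkadapterconfiguration|win32_networkadapter",
    re.IGNORECASE,
)

# Parents from which an operator would plausibly run these tools by hand;
# anything else (a service, a web worker, an HMI runtime) raises severity.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe", "bash", "sh"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str      # parent image name
    image: str       # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    reason: str
    cmdline: str
    unexpected_parent: bool


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to a lowercase name without .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: ProcEvent) -> Optional[Finding]:
    """Return a Finding if the event enumerates network state, else None."""
    image = _basename(event.image)
    reason = ENUM_BINARIES.get(image)
    if reason is None and image in ("powershell", "pwsh", "wmic"):
        if PS_WMI_PATTERN.search(event.cmdline):
            reason = "network discovery via PowerShell/WMI"
    if reason is None:
        return None
    odd_parent = event.parent.lower() not in INTERACTIVE_PARENTS
    return Finding(event.host, event.user, reason, event.cmdline, odd_parent)


def hunt(events: Iterable[ProcEvent]) -> List[Finding]:
    """Run classify() over a stream of events and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry; none of these are real hosts or captures.
SAMPLE_EVENTS = [
    ProcEvent("hmi-01", "OPERATOR", "explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("hmi-01", "SYSTEM", "svchost.exe", r"C:\Windows\System32\netstat.exe", "netstat -ano"),
    ProcEvent("eng-ws", "ENGINEER", "cmd.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent("eng-ws", "ENGINEER", "cmd.exe", r"C:\Windows\System32\ARP.EXE", "arp -a"),
    ProcEvent("hist-01", "svc_hist", "w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -c Get-NetTCPConnection -State Established"),
    ProcEvent("plc-gw", "root", "bash", "/sbin/ifconfig", "ifconfig -a"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        flag = "HIGH" if f.unexpected_parent else "info"
        print(f"[{flag}] {f.host} {f.user}: {f.reason} <- {f.cmdline}")
```

On an ICS host the binaries themselves are legitimate (the M0816 row says as much), so the rule's value comes from context rather than the match alone: the `unexpected_parent` flag separates an engineer typing `ipconfig /all` from `netstat` spawned under a service account or a historian's web worker, which is where an analyst should look first.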