Network Connection Enumeration

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat[1], in conjunction with System Firmware, then they can determine the role of certain devices on the network [2]. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

ID: T0840
Sub-techniques:  No sub-techniques
Tactic: Discovery
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
S0605 EKANS

EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. [3]

S0604 Industroyer

Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. [4]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0005 Intelligent Electronic Device (IED)
A0012 Jump Host
A0003 Programmable Logic Controller (PLC)
A0004 Remote Terminal Unit (RTU)
A0010 Safety Controller
A0011 Virtual Private Network (VPN) Server
A0001 Workstation

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective

Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

DS0009 Process OS API Execution

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see System Network Configuration Discovery and System Network Connections Discovery.

Process Creation

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

DS0012 Script Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

References