T1049

System Network Connections Discovery

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance phases, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection.

Microsoft Sentinel / Defender

kusto

let NetworkDiscoveryCommands = dynamic([
  "netstat", "net use", "net session", "net view",
  "lsof", "who", "ss ", "nmap",
  "Get-NetTCPConnection", "Get-NetUDPEndpoint",
  "WNetOpenEnum", "WNetEnumResource",
  "show ip sockets", "show tcp brief"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
  "msbuild.exe", "InstallUtil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "netstat.exe" and ProcessCommandLine has_any ("-ano", "-an", "-aon", "-naop", "-anp"))
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "netstat"))
  )
| extend IsNetstat = FileName =~ "netstat.exe"
| extend IsNetUse = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use"
| extend IsNetSession = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "session"
| extend IsPSNetQuery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend SuspicionScore = toint(SuspiciousParent) + toint(IsNetstat) + toint(IsNetSession)
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsNetstat, IsNetUse, IsNetSession, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by Timestamp desc

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets
Software installers and update agents that enumerate network sessions before performing operations
Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLine=lower(CommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval IsNetstat=if(match(Image, "netstat\.exe") AND match(CommandLine, "(-ano|-an|-aon|-naop|-anp)"), 1, 0)
| eval IsNetUse=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\buse\b"), 1, 0)
| eval IsNetSession=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\bsession\b"), 1, 0)
| eval IsNetView=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\bview\b"), 1, 0)
| eval IsPSNetQuery=if(match(Image, "(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(get-nettcpconnection|get-netudpendpoint|netstat)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe|msbuild\.exe)"), 1, 0)
| eval SuspicionScore=IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort - _time

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets
Software installers and update agents that enumerate network sessions before performing operations
Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  QIDNAME(qid) AS EventName,
  "ProcessPath" AS ProcessImage,
  "ProcessCommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentImage,
  CASE
    WHEN LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %' OR "ProcessCommandLine" LIKE '%-aon%') THEN 1 ELSE 0
  END AS IsNetstat,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%') THEN 1 ELSE 0
  END AS IsNetUseOrSession,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%') THEN 1 ELSE 0
  END AS IsPSNetQuery,
  CASE
    WHEN LOWER("ParentProcessPath") LIKE ANY ('%powershell.exe', '%wscript.exe', '%cscript.exe', '%mshta.exe', '%rundll32.exe', '%regsvr32.exe', '%wmic.exe', '%msbuild.exe') THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND ("EventID" = '4688' OR "EventID" = '1')
  AND LONG(starttime) > LONG(NOW()) - 86400000
  AND (
    (LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %'))
    OR ((LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%' OR LOWER("ProcessCommandLine") LIKE '% view%'))
    OR ((LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%' OR LOWER("ProcessCommandLine") LIKE '%netstat%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Sysmon via Universal DSM

Required Tables

events

False Positives

Automated configuration management tools (Ansible, Puppet, Chef) executing net session or netstat as part of inventory collection
SIEM agents or endpoint detection products that use netstat internally to enumerate connections for reporting
Developers running PowerShell Get-NetTCPConnection during local debugging or network application testing

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse field=EventID "*" as event_id
| where event_id in ("1", "4688")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| eval cmd_line = toLowerCase(cmd_line)
| eval image_lower = toLowerCase(image_path)
| eval parent_lower = toLowerCase(parent_image)
| eval IsNetstat = if(matches(image_lower, ".*netstat\.exe") and matches(cmd_line, ".*(\-ano|\-an |\-aon|\-naop|\-anp).*"), 1, 0)
| eval IsNetUse = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\buse\b.*"), 1, 0)
| eval IsNetSession = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bsession\b.*"), 1, 0)
| eval IsNetView = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bview\b.*"), 1, 0)
| eval IsPSNetQuery = if(matches(image_lower, ".*(powershell|pwsh)\.exe") and matches(cmd_line, ".*(get-nettcpconnection|get-netudpendpoint|netstat).*"), 1, 0)
| eval SuspiciousParent = if(matches(parent_lower, ".*(powershell|wscript|cscript|mshta|rundll32|regsvr32|wmic|msbuild)\.exe"), 1, 0)
| eval SuspicionScore = IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + SuspiciousParent
| where SuspicionScore > 0
| fields _messagetime, Computer, User, image_path, cmd_line, parent_image, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by _messagetime desc

medium severity high confidence

Data Sources

Windows Event Log via Installed Collector Sysmon via Sumo Logic Windows Agent

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Endpoint backup or imaging solutions that enumerate active connections before suspending I/O
Network performance monitoring tools running as scheduled tasks using netstat or ss for baseline collection
PowerShell DSC (Desired State Configuration) scripts that check network state as part of system compliance checks

Google Chronicle / SecOps

yaral

rule T1049_SystemNetworkConnectionsDiscovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1049 network connection discovery via netstat, net use/session/view, and PowerShell network enumeration cmdlets. High-fidelity signal when combined with suspicious parent process."
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1049"
    reference = "https://attack.mitre.org/techniques/T1049/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $image

    (
      // netstat with enumeration flags
      (
        re.regex($image, `(?i).*netstat\.exe$`) and
        re.regex($cmdline, `(?i).*(\-ano|\-an |\-aon|\-naop|\-anp).*`)
      ) or
      // net.exe / net1.exe discovery commands
      (
        re.regex($image, `(?i).*net1?\.exe$`) and
        re.regex($cmdline, `(?i)\b(use|session|view)\b`)
      ) or
      // PowerShell network enumeration
      (
        re.regex($image, `(?i).*(powershell|pwsh)\.exe$`) and
        re.regex($cmdline, `(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|netstat)`)
      ) or
      // Linux ss command
      (
        re.regex($image, `(?i).*/ss$`) and
        re.regex($cmdline, `(?i)-(anp|tulnp|tunap)`)
      ) or
      // Linux lsof for network
      (
        re.regex($image, `(?i).*/lsof$`) and
        re.regex($cmdline, `(?i)-(i|nP)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Chronicle UDM Events Google Cloud Chronicle SIEM Forwarder-ingested Windows Event Logs Linux Auditd via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

System health check scripts deployed by operations teams that run netstat at regular intervals to monitor connection counts
Security tools performing automated asset discovery that enumerate connections via PowerShell cmdlets across the fleet
Developers on engineering workstations using lsof -i or ss -anp while debugging networked applications locally

CrowdStrike LogScale (CQL)

cql

#repo=base_sensor #event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(netstat\.exe|net\.exe|net1\.exe|powershell\.exe|pwsh\.exe|ss|lsof)$/
| eval IsNetstat = if(match(ImageFileName, /(?i)netstat\.exe/) AND match(CommandLine, /(?i)(\-ano|\-an |\-aon|\-naop|\-anp)/), 1, 0)
| eval IsNetUse = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\buse\b/), 1, 0)
| eval IsNetSession = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\bsession\b/), 1, 0)
| eval IsNetView = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\bview\b/), 1, 0)
| eval IsPSNetQuery = if(match(ImageFileName, /(?i)(powershell|pwsh)\.exe/) AND match(CommandLine, /(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|netstat)/), 1, 0)
| eval IsLinuxNetEnum = if(match(ImageFileName, /(?i)(\bss\b|lsof)/) AND match(CommandLine, /(?i)(\-anp|\-tulnp|\-tunap|\-i |\-nP)/), 1, 0)
| eval SuspiciousParent = if(match(ParentBaseFileName, /(?i)(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe|msbuild\.exe)/), 1, 0)
| eval SuspicionScore = IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + IsLinuxNetEnum + SuspiciousParent
| where SuspicionScore > 0
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, IsLinuxNetEnum, SuspiciousParent, SuspicionScore
| sort timestamp desc

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Data Replicator (FDR) Humio/LogScale via Falcon SIEM Connector

Required Tables

#repo=base_sensor #event_simpleName=ProcessRollup2

False Positives

Falcon Insight itself or third-party EDR tooling running netstat periodically to build process-to-network mapping baselines
IT automation pipelines (Ansible playbooks, SCCM task sequences) that audit active sessions via net session before pushing patches
Penetration testers or red team operators operating within authorized engagement windows on production-connected hosts

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1049 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Network Connections Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections