Which SIEM platforms have a T1049 detection rule?

df00tech provides T1049 (System Network Connections Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Network Connections Discovery (T1049)?

Detecting System Network Connections Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1049 detection?

The T1049 detection is rated low severity with medium confidence.

What are common false positives for T1049?

Common false positives for T1049 include: System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers; Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets; Software installers and update agents that enumerate network sessions before performing operations.

T1049

System Network Connections Discovery

Discovery Last updated: April 16, 2026

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance phases, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection.

What is T1049 System Network Connections Discovery?

System Network Connections Discovery (T1049) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for System Network Connections Discovery, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint. The queries below are rated low severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Discovery
Technique: T1049 System Network Connections Discovery
Canonical reference: https://attack.mitre.org/techniques/T1049/

Microsoft Sentinel / Defender

kusto

let NetworkDiscoveryCommands = dynamic([
  "netstat", "net use", "net session", "net view",
  "lsof", "who", "ss ", "nmap",
  "Get-NetTCPConnection", "Get-NetUDPEndpoint",
  "WNetOpenEnum", "WNetEnumResource",
  "show ip sockets", "show tcp brief"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
  "msbuild.exe", "InstallUtil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "netstat.exe" and ProcessCommandLine has_any ("-ano", "-an", "-aon", "-naop", "-anp"))
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "netstat"))
  )
| extend IsNetstat = FileName =~ "netstat.exe"
| extend IsNetUse = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use"
| extend IsNetSession = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "session"
| extend IsPSNetQuery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend SuspicionScore = toint(SuspiciousParent) + toint(IsNetstat) + toint(IsNetSession)
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsNetstat, IsNetUse, IsNetSession, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by Timestamp desc

Detects System Network Connections Discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies execution of netstat with enumeration flags (-ano, -an, -aon), net use/session/view commands, and PowerShell cmdlets (Get-NetTCPConnection, Get-NetUDPEndpoint) commonly used by adversaries for situational awareness. Flags executions originating from suspicious parent processes (PowerShell, scripting engines, LOLBins) as higher-confidence indicators. Assigns a suspicion score to prioritize analyst review of multi-indicator events.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets
Software installers and update agents that enumerate network sessions before performing operations
Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1) OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, lower(ProcessCommandLine))
| eval CommandLine=lower(CommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval IsNetstat=if(match(Image, "netstat\.exe") AND match(CommandLine, "(-ano|-an|-aon|-naop|-anp)"), 1, 0)
| eval IsNetUse=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\buse\b"), 1, 0)
| eval IsNetSession=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\bsession\b"), 1, 0)
| eval IsNetView=if(match(Image, "(net\.exe|net1\.exe)") AND match(CommandLine, "\bview\b"), 1, 0)
| eval IsPSNetQuery=if(match(Image, "(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(get-nettcpconnection|get-netudpendpoint|netstat)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe|msbuild\.exe)"), 1, 0)
| eval SuspicionScore=IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + SuspiciousParent
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort - _time

Detects System Network Connections Discovery using Sysmon Event ID 1 (Process Creation) and Security Event ID 4688. Evaluates process executions across multiple discovery command categories: netstat with enumeration flags, net use/session/view, and PowerShell network cmdlets. Assigns a cumulative suspicion score to surface high-confidence events involving multiple indicators or suspicious parent process chains. Covers both Sysmon and native Windows Security logging paths for broad deployment compatibility.

low severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets
Software installers and update agents that enumerate network sessions before performing operations
Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  QIDNAME(qid) AS EventName,
  "ProcessPath" AS ProcessImage,
  "ProcessCommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentImage,
  CASE
    WHEN LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %' OR "ProcessCommandLine" LIKE '%-aon%') THEN 1 ELSE 0
  END AS IsNetstat,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%') THEN 1 ELSE 0
  END AS IsNetUseOrSession,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%') THEN 1 ELSE 0
  END AS IsPSNetQuery,
  CASE
    WHEN LOWER("ParentProcessPath") LIKE ANY ('%powershell.exe', '%wscript.exe', '%cscript.exe', '%mshta.exe', '%rundll32.exe', '%regsvr32.exe', '%wmic.exe', '%msbuild.exe') THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND ("EventID" = '4688' OR "EventID" = '1')
  AND LONG(starttime) > LONG(NOW()) - 86400000
  AND (
    (LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %'))
    OR ((LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%' OR LOWER("ProcessCommandLine") LIKE '% view%'))
    OR ((LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%' OR LOWER("ProcessCommandLine") LIKE '%netstat%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

AQL query for QRadar that detects network connection discovery commands via Windows Security Event 4688 or Sysmon Event 1. Identifies netstat with enumeration flags, net use/session/view, and PowerShell network cmdlets, scoring each event and flagging suspicious parent processes.

medium severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Sysmon via Universal DSM

Required Tables

events

False Positives

Automated configuration management tools (Ansible, Puppet, Chef) executing net session or netstat as part of inventory collection
SIEM agents or endpoint detection products that use netstat internally to enumerate connections for reporting
Developers running PowerShell Get-NetTCPConnection during local debugging or network application testing

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse field=EventID "*" as event_id
| where event_id in ("1", "4688")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| eval cmd_line = toLowerCase(cmd_line)
| eval image_lower = toLowerCase(image_path)
| eval parent_lower = toLowerCase(parent_image)
| eval IsNetstat = if(matches(image_lower, ".*netstat\.exe") and matches(cmd_line, ".*(\-ano|\-an |\-aon|\-naop|\-anp).*"), 1, 0)
| eval IsNetUse = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\buse\b.*"), 1, 0)
| eval IsNetSession = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bsession\b.*"), 1, 0)
| eval IsNetView = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bview\b.*"), 1, 0)
| eval IsPSNetQuery = if(matches(image_lower, ".*(powershell|pwsh)\.exe") and matches(cmd_line, ".*(get-nettcpconnection|get-netudpendpoint|netstat).*"), 1, 0)
| eval SuspiciousParent = if(matches(parent_lower, ".*(powershell|wscript|cscript|mshta|rundll32|regsvr32|wmic|msbuild)\.exe"), 1, 0)
| eval SuspicionScore = IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + SuspiciousParent
| where SuspicionScore > 0
| fields _messagetime, Computer, User, image_path, cmd_line, parent_image, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by _messagetime desc

Sumo Logic CSE query detecting T1049 network connection discovery via Sysmon Event 1 or Windows Security Event 4688. Scores each event across five detection signals (netstat, net use, net session, net view, PS cmdlets) plus suspicious parent process context. Returns all events with non-zero suspicion scores.

medium severity high confidence

Data Sources

Windows Event Log via Installed Collector Sysmon via Sumo Logic Windows Agent

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Endpoint backup or imaging solutions that enumerate active connections before suspending I/O
Network performance monitoring tools running as scheduled tasks using netstat or ss for baseline collection
PowerShell DSC (Desired State Configuration) scripts that check network state as part of system compliance checks

Google Chronicle / SecOps

yaral

rule T1049_SystemNetworkConnectionsDiscovery {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1049 network connection discovery via netstat, net use/session/view, and PowerShell network enumeration cmdlets. High-fidelity signal when combined with suspicious parent process."
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1049"
    reference = "https://attack.mitre.org/techniques/T1049/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.principal.user.userid = $user
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $image

    (
      // netstat with enumeration flags
      (
        re.regex($image, `(?i).*netstat\.exe$`) and
        re.regex($cmdline, `(?i).*(\-ano|\-an |\-aon|\-naop|\-anp).*`)
      ) or
      // net.exe / net1.exe discovery commands
      (
        re.regex($image, `(?i).*net1?\.exe$`) and
        re.regex($cmdline, `(?i)\b(use|session|view)\b`)
      ) or
      // PowerShell network enumeration
      (
        re.regex($image, `(?i).*(powershell|pwsh)\.exe$`) and
        re.regex($cmdline, `(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|netstat)`)
      ) or
      // Linux ss command
      (
        re.regex($image, `(?i).*/ss$`) and
        re.regex($cmdline, `(?i)-(anp|tulnp|tunap)`)
      ) or
      // Linux lsof for network
      (
        re.regex($image, `(?i).*/lsof$`) and
        re.regex($cmdline, `(?i)-(i|nP)`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1049 System Network Connections Discovery. Matches process launch events where netstat, net.exe, net1.exe, PowerShell, ss, or lsof are executed with network enumeration arguments. Covers both Windows and Linux discovery patterns using UDM process event fields.

medium severity high confidence

Data Sources

Chronicle UDM Events Google Cloud Chronicle SIEM Forwarder-ingested Windows Event Logs Linux Auditd via Chronicle

Required Tables

UDM Events - PROCESS_LAUNCH

False Positives

System health check scripts deployed by operations teams that run netstat at regular intervals to monitor connection counts
Security tools performing automated asset discovery that enumerate connections via PowerShell cmdlets across the fleet
Developers on engineering workstations using lsof -i or ss -anp while debugging networked applications locally

CrowdStrike LogScale (CQL)

cql

#repo=base_sensor #event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(netstat\.exe|net\.exe|net1\.exe|powershell\.exe|pwsh\.exe|ss|lsof)$/
| eval IsNetstat = if(match(ImageFileName, /(?i)netstat\.exe/) AND match(CommandLine, /(?i)(\-ano|\-an |\-aon|\-naop|\-anp)/), 1, 0)
| eval IsNetUse = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\buse\b/), 1, 0)
| eval IsNetSession = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\bsession\b/), 1, 0)
| eval IsNetView = if(match(ImageFileName, /(?i)net1?\.exe/) AND match(CommandLine, /(?i)\bview\b/), 1, 0)
| eval IsPSNetQuery = if(match(ImageFileName, /(?i)(powershell|pwsh)\.exe/) AND match(CommandLine, /(?i)(Get-NetTCPConnection|Get-NetUDPEndpoint|netstat)/), 1, 0)
| eval IsLinuxNetEnum = if(match(ImageFileName, /(?i)(\bss\b|lsof)/) AND match(CommandLine, /(?i)(\-anp|\-tulnp|\-tunap|\-i |\-nP)/), 1, 0)
| eval SuspiciousParent = if(match(ParentBaseFileName, /(?i)(powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|wmic\.exe|msbuild\.exe)/), 1, 0)
| eval SuspicionScore = IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + IsLinuxNetEnum + SuspiciousParent
| where SuspicionScore > 0
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, IsLinuxNetEnum, SuspiciousParent, SuspicionScore
| sort timestamp desc

CrowdStrike LogScale (Falcon) query detecting T1049 using ProcessRollup2 events. Evaluates netstat enumeration flags, net.exe discovery subcommands, PowerShell network cmdlets, and Linux ss/lsof usage. Scores each process event across six behavioral signals plus suspicious parent context. Surfaces all events with non-zero scores for analyst triage.

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Data Replicator (FDR) Humio/LogScale via Falcon SIEM Connector

Required Tables

#repo=base_sensor #event_simpleName=ProcessRollup2

False Positives

Falcon Insight itself or third-party EDR tooling running netstat periodically to build process-to-network mapping baselines
IT automation pipelines (Ansible playbooks, SCCM task sequences) that audit active sessions via net session before pushing patches
Penetration testers or red team operators operating within authorized engagement windows on production-connected hosts

Sigma rule & cross-platform mapping

The detection logic for System Network Connections Discovery (T1049) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1049 Sigma rules on detection.fyi

Platform-specific guides for T1049

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (8)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enumerate Active TCP/UDP Connections with netstat
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netstat.exe, CommandLine='netstat -ano', ParentImage typically cmd.exe or the test runner. Security Event ID 4688 if command line auditing is enabled. Prefetch file update at C:\Windows\Prefetch\NETSTAT.EXE-*.pf.
Test 2Enumerate Active Network Sessions with net session
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net session'. Security Event ID 4688 with command line. Prefetch update for NET.EXE-*.pf.
Test 3Map Network Shares with net use
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net use'. Security Event ID 4688 if command line auditing is enabled. Prefetch file updated for NET.EXE-*.pf.
Test 4PowerShell Network Connection Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetTCPConnection'. PowerShell ScriptBlock Logging Event ID 4104 capturing the full cmdlet invocation. No network connections generated by the discovery itself.
Test 5Discovery Command Cluster Simulation
Expected signal: Multiple Sysmon Event ID 1 events within seconds: netstat.exe with '-ano', net.exe with 'session', net.exe with 'use', ipconfig.exe with '/all', arp.exe with '-a'. All sharing the same parent cmd.exe process. Security Event ID 4688 for each child process if command line auditing enabled.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1049 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Network Connections Discovery

What is T1049 System Network Connections Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1049

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

What is T1049 System Network Connections Discovery?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1049

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox