Which SIEM platforms have a T1049 detection rule?

df00tech provides T1049 (System Network Connections Discovery) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect System Network Connections Discovery (T1049)?

Detecting System Network Connections Discovery requires the following data sources: Process: Process Creation, Command: Command Execution, Microsoft Defender for Endpoint.

What severity and confidence is the T1049 detection?

The T1049 detection is rated low severity with medium confidence.

What are common false positives for T1049?

Common false positives for T1049 include: System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers; Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets; Software installers and update agents that enumerate network sessions before performing operations.

T1049 IBM QRadar · QRadar

Detect System Network Connections Discovery in IBM QRadar

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance phases, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection.

MITRE ATT&CK

Tactic: Discovery
Technique: T1049 System Network Connections Discovery
Canonical reference: https://attack.mitre.org/techniques/T1049/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  QIDNAME(qid) AS EventName,
  "ProcessPath" AS ProcessImage,
  "ProcessCommandLine" AS CommandLine,
  "ParentProcessPath" AS ParentImage,
  CASE
    WHEN LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %' OR "ProcessCommandLine" LIKE '%-aon%') THEN 1 ELSE 0
  END AS IsNetstat,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%') THEN 1 ELSE 0
  END AS IsNetUseOrSession,
  CASE
    WHEN (LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%') THEN 1 ELSE 0
  END AS IsPSNetQuery,
  CASE
    WHEN LOWER("ParentProcessPath") LIKE ANY ('%powershell.exe', '%wscript.exe', '%cscript.exe', '%mshta.exe', '%rundll32.exe', '%regsvr32.exe', '%wmic.exe', '%msbuild.exe') THEN 1 ELSE 0
  END AS SuspiciousParent
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND ("EventID" = '4688' OR "EventID" = '1')
  AND LONG(starttime) > LONG(NOW()) - 86400000
  AND (
    (LOWER("ProcessPath") LIKE '%netstat.exe' AND ("ProcessCommandLine" LIKE '%-ano%' OR "ProcessCommandLine" LIKE '%-an %'))
    OR ((LOWER("ProcessPath") LIKE '%net.exe' OR LOWER("ProcessPath") LIKE '%net1.exe') AND (LOWER("ProcessCommandLine") LIKE '% use%' OR LOWER("ProcessCommandLine") LIKE '% session%' OR LOWER("ProcessCommandLine") LIKE '% view%'))
    OR ((LOWER("ProcessPath") LIKE '%powershell.exe' OR LOWER("ProcessPath") LIKE '%pwsh.exe') AND (LOWER("ProcessCommandLine") LIKE '%get-nettcpconnection%' OR LOWER("ProcessCommandLine") LIKE '%get-netudpendpoint%' OR LOWER("ProcessCommandLine") LIKE '%netstat%'))
  )
ORDER BY starttime DESC
LAST 24 HOURS

medium severity medium confidence

AQL query for QRadar that detects network connection discovery commands via Windows Security Event 4688 or Sysmon Event 1. Identifies netstat with enumeration flags, net use/session/view, and PowerShell network cmdlets, scoring each event and flagging suspicious parent processes.

Data Sources

Microsoft Windows Security Event LogMicrosoft Sysmon via Universal DSM

Required Tables

events

False Positives & Tuning

Automated configuration management tools (Ansible, Puppet, Chef) executing net session or netstat as part of inventory collection
SIEM agents or endpoint detection products that use netstat internally to enumerate connections for reporting
Developers running PowerShell Get-NetTCPConnection during local debugging or network application testing

Download portable Sigma rule (.yml)

Other platforms for T1049

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Enumerate Active TCP/UDP Connections with netstat
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netstat.exe, CommandLine='netstat -ano', ParentImage typically cmd.exe or the test runner. Security Event ID 4688 if command line auditing is enabled. Prefetch file update at C:\Windows\Prefetch\NETSTAT.EXE-*.pf.
Test 2Enumerate Active Network Sessions with net session
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net session'. Security Event ID 4688 with command line. Prefetch update for NET.EXE-*.pf.
Test 3Map Network Shares with net use
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net use'. Security Event ID 4688 if command line auditing is enabled. Prefetch file updated for NET.EXE-*.pf.
Test 4PowerShell Network Connection Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetTCPConnection'. PowerShell ScriptBlock Logging Event ID 4104 capturing the full cmdlet invocation. No network connections generated by the discovery itself.
Test 5Discovery Command Cluster Simulation
Expected signal: Multiple Sysmon Event ID 1 events within seconds: netstat.exe with '-ano', net.exe with 'session', net.exe with 'use', ipconfig.exe with '/all', arp.exe with '-a'. All sharing the same parent cmd.exe process. Security Event ID 4688 for each child process if command line auditing enabled.

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1049 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Related Techniques

T1033System Owner/User Discovery T1016System Network Configuration Discovery T1016.001Internet Connection Discovery T1018Remote System Discovery T1069Permission Groups Discovery T1057Process Discovery T1021.002SMB/Windows Admin Shares T1560Archive Collected Data T1087Account Discovery

Detect System Network Connections Discovery in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1049

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1049

Testing Methodology

Unlock Pro Content

Related Detections

Related Techniques

Same Tactic: Discovery

Popular Detections

Get new detections in your inbox