T1049 Microsoft Sentinel · KQL

Detect System Network Connections Discovery in Microsoft Sentinel

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance phases, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection.

MITRE ATT&CK

Tactic
Discovery
Technique
T1049 System Network Connections Discovery
Canonical reference
https://attack.mitre.org/techniques/T1049/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let NetworkDiscoveryCommands = dynamic([
  "netstat", "net use", "net session", "net view",
  "lsof", "who", "ss ", "nmap",
  "Get-NetTCPConnection", "Get-NetUDPEndpoint",
  "WNetOpenEnum", "WNetEnumResource",
  "show ip sockets", "show tcp brief"
]);
let SuspiciousParents = dynamic([
  "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
  "msbuild.exe", "InstallUtil.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    (FileName =~ "netstat.exe" and ProcessCommandLine has_any ("-ano", "-an", "-aon", "-naop", "-anp"))
    or (FileName =~ "net.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName =~ "net1.exe" and ProcessCommandLine has_any ("use", "session", "view"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint", "netstat"))
  )
| extend IsNetstat = FileName =~ "netstat.exe"
| extend IsNetUse = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use"
| extend IsNetSession = FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "session"
| extend IsPSNetQuery = FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-NetTCPConnection", "Get-NetUDPEndpoint")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend SuspicionScore = toint(SuspiciousParent) + toint(IsNetstat) + toint(IsNetSession)
| project Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsNetstat, IsNetUse, IsNetSession, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by Timestamp desc
low severity medium confidence

Detects System Network Connections Discovery activity using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies execution of netstat with enumeration flags (-ano, -an, -aon), net use/session/view commands, and PowerShell cmdlets (Get-NetTCPConnection, Get-NetUDPEndpoint) commonly used by adversaries for situational awareness. Flags executions originating from suspicious parent processes (PowerShell, scripting engines, LOLBins) as higher-confidence indicators. Assigns a suspicion score to prioritize analyst review of multi-indicator events.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
  • Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets
  • Software installers and update agents that enumerate network sessions before performing operations
  • Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
  • Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry
Download portable Sigma rule (.yml)

Other platforms for T1049

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Active TCP/UDP Connections with netstat

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netstat.exe, CommandLine='netstat -ano', ParentImage typically cmd.exe or the test runner. Security Event ID 4688 if command line auditing is enabled. Prefetch file update at C:\Windows\Prefetch\NETSTAT.EXE-*.pf.

  2. Test 2Enumerate Active Network Sessions with net session

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net session'. Security Event ID 4688 with command line. Prefetch update for NET.EXE-*.pf.

  3. Test 3Map Network Shares with net use

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net use'. Security Event ID 4688 if command line auditing is enabled. Prefetch file updated for NET.EXE-*.pf.

  4. Test 4PowerShell Network Connection Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetTCPConnection'. PowerShell ScriptBlock Logging Event ID 4104 capturing the full cmdlet invocation. No network connections generated by the discovery itself.

  5. Test 5Discovery Command Cluster Simulation

    Expected signal: Multiple Sysmon Event ID 1 events within seconds: netstat.exe with '-ano', net.exe with 'session', net.exe with 'use', ipconfig.exe with '/all', arp.exe with '-a'. All sharing the same parent cmd.exe process. Security Event ID 4688 for each child process if command line auditing enabled.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1049 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1033System Owner/User DiscoveryT1016System Network Configuration DiscoveryT1016.001Internet Connection DiscoveryT1018Remote System DiscoveryT1069Permission Groups DiscoveryT1057Process DiscoveryT1021.002SMB/Windows Admin SharesT1560Archive Collected DataT1087Account Discovery

Same Tactic: Discovery

Popular Detections