Detect System Network Connections Discovery in Sumo Logic CSE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance phases, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection.
MITRE ATT&CK
- Tactic
- Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1049/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse field=EventID "*" as event_id
| where event_id in ("1", "4688")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| eval cmd_line = toLowerCase(cmd_line)
| eval image_lower = toLowerCase(image_path)
| eval parent_lower = toLowerCase(parent_image)
| eval IsNetstat = if(matches(image_lower, ".*netstat\.exe") and matches(cmd_line, ".*(\-ano|\-an |\-aon|\-naop|\-anp).*"), 1, 0)
| eval IsNetUse = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\buse\b.*"), 1, 0)
| eval IsNetSession = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bsession\b.*"), 1, 0)
| eval IsNetView = if(matches(image_lower, ".*net1?\.exe") and matches(cmd_line, ".*\bview\b.*"), 1, 0)
| eval IsPSNetQuery = if(matches(image_lower, ".*(powershell|pwsh)\.exe") and matches(cmd_line, ".*(get-nettcpconnection|get-netudpendpoint|netstat).*"), 1, 0)
| eval SuspiciousParent = if(matches(parent_lower, ".*(powershell|wscript|cscript|mshta|rundll32|regsvr32|wmic|msbuild)\.exe"), 1, 0)
| eval SuspicionScore = IsNetstat + IsNetUse + IsNetSession + IsNetView + IsPSNetQuery + SuspiciousParent
| where SuspicionScore > 0
| fields _messagetime, Computer, User, image_path, cmd_line, parent_image, IsNetstat, IsNetUse, IsNetSession, IsNetView, IsPSNetQuery, SuspiciousParent, SuspicionScore
| sort by _messagetime descSumo Logic CSE query detecting T1049 network connection discovery via Sysmon Event 1 or Windows Security Event 4688. Scores each event across five detection signals (netstat, net use, net session, net view, PS cmdlets) plus suspicious parent process context. Returns all events with non-zero suspicion scores.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint backup or imaging solutions that enumerate active connections before suspending I/O
- Network performance monitoring tools running as scheduled tasks using netstat or ss for baseline collection
- PowerShell DSC (Desired State Configuration) scripts that check network state as part of system compliance checks
Other platforms for T1049
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Active TCP/UDP Connections with netstat
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\netstat.exe, CommandLine='netstat -ano', ParentImage typically cmd.exe or the test runner. Security Event ID 4688 if command line auditing is enabled. Prefetch file update at C:\Windows\Prefetch\NETSTAT.EXE-*.pf.
- Test 2Enumerate Active Network Sessions with net session
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net session'. Security Event ID 4688 with command line. Prefetch update for NET.EXE-*.pf.
- Test 3Map Network Shares with net use
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\net.exe, CommandLine='net use'. Security Event ID 4688 if command line auditing is enabled. Prefetch file updated for NET.EXE-*.pf.
- Test 4PowerShell Network Connection Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'Get-NetTCPConnection'. PowerShell ScriptBlock Logging Event ID 4104 capturing the full cmdlet invocation. No network connections generated by the discovery itself.
- Test 5Discovery Command Cluster Simulation
Expected signal: Multiple Sysmon Event ID 1 events within seconds: netstat.exe with '-ano', net.exe with 'session', net.exe with 'use', ipconfig.exe with '/all', arp.exe with '-a'. All sharing the same parent cmd.exe process. Security Event ID 4688 for each child process if command line auditing enabled.
References (11)
- https://attack.mitre.org/techniques/T1049/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/net-session
- https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
- https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/rpt-apt38.pdf
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
- https://www.us-cert.gov/ncas/alerts/TA18-106A
- https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/
Unlock Pro Content
Get the full detection package for T1049 including response playbook, investigation guide, and atomic red team tests.