title: System Network Connections Discovery (T1049)
id: df00tech-t1049
status: experimental
description: "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Utilities and commands that acquire this information include netstat, 'net use', and 'net session'. On macOS and Linux, netstat and lsof can be used to list current connections, and 'who -a' and 'w' can be used to show which users are currently logged in. On cloud infrastructure, adversaries may enumerate Virtual Private Cloud or Virtual Network connectivity to map connected systems and services. This technique is commonly observed during post-compromise reconnaissance, often executed in rapid succession with other discovery techniques (T1033, T1016, T1057) as part of situational awareness gathering before lateral movement or data collection."
references:
  - https://attack.mitre.org/techniques/T1049/
  - https://df00tech.com/detections/T1049
author: df00tech
date: 2026/04/16
tags:
  - attack.t1049
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original df00tech KQL/SPL query could not be auto-translated into Sigma.
  # The selection below is derived from the utilities named in the description
  # (netstat, 'net use', 'net session'); net.exe hands its work to net1.exe, so
  # both images are matched. Tune image paths and command-line tokens to your
  # environment before deploying.
  selection_netstat:
    Image|endswith: '\netstat.exe'
  selection_net_img:
    Image|endswith:
      - '\net.exe'
      - '\net1.exe'
  selection_net_cli:
    CommandLine|contains:
      - ' use'
      - ' session'
  condition: selection_netstat or (selection_net_img and selection_net_cli)
falsepositives:
  - System administrators running netstat or net session to troubleshoot connectivity issues from their workstations or servers
  - "Network monitoring agents (SolarWinds, Datadog, PRTG) that periodically poll active connections using netstat or PowerShell cmdlets"
  - Software installers and update agents that enumerate network sessions before performing operations
  - Help desk and IT operations scripts that collect network state as part of diagnostic bundles or remote support sessions
  - "Security tools (vulnerability scanners, EDR agents) enumerating active connections for endpoint telemetry"
level: low
