T0840 Network Connection Enumeration

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools such as Netstat [2], in conjunction with System Firmware, then they can determine the role of certain devices on the network [1]. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

| Item | Value |
| --- | --- |
| ID | T0840 |
| Sub-techniques | |
| Tactics | TA0102 |
| Platforms | Human-Machine Interface |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S0605 | EKANS | EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. [3] |
| S0604 | Industroyer | Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. [4] |

Mitigations

| ID | Mitigation | Description |
| --- | --- | --- |
| M0816 | Mitigation Limited or Not Effective | Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig). |

Detection

| ID | Data Source | Data Component |
| --- | --- | --- |
| DS0017 | Command | Command Execution |
| DS0009 | Process | OS API Execution |
| DS0012 | Script | Script Execution |
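
One way to use the Command Execution data component for this technique, as an added example that is not part of the original page: it scans constructed command-execution records for the tools the page names (netstat, ipconfig) and alerts only when one parent process on a host runs several of them within a short window, because a single operator-typed ipconfig is routine. The record layout, host names, process names, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named on this page; a site would extend this set (assumption).
ENUM_TOOLS = {"netstat", "ipconfig"}
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 2                   # assumed: distinct tools per host/parent in window

# Constructed sample records: (time, host, parent process, command line).
SAMPLE_EVENTS = [
    ("2023-03-09T08:00:10", "hmi-01", "explorer.exe", "ipconfig"),
    ("2023-03-09T09:14:02", "hmi-02", "svc_update.exe",
     r'"C:\Windows\System32\NETSTAT.EXE" -ano'),
    ("2023-03-09T09:14:40", "hmi-02", "svc_update.exe", "cmd.exe /c ipconfig /all"),
    ("2023-03-09T09:30:00", "hmi-02", "explorer.exe", "notepad.exe report.txt"),
]

def tools_in(cmdline):
    """Return the enumeration tools referenced anywhere in a command line."""
    found = set()
    # Check every token so wrapped calls (cmd.exe /c ipconfig) are still seen.
    for tok in re.findall(r'"[^"]*"|\S+', cmdline):
        # Drop quotes, directory part, case and a trailing .exe.
        name = re.split(r"[\\/]", tok.strip('"'))[-1].lower()
        name = name[:-4] if name.endswith(".exe") else name
        if name in ENUM_TOOLS:
            found.add(name)
    return found

def detect(events):
    """Flag (host, parent) pairs running >= THRESHOLD distinct tools within WINDOW."""
    seen = defaultdict(list)    # (host, parent) -> [(time, tool)]
    alerts = []
    for ts, host, parent, cmd in sorted(events):
        t = datetime.fromisoformat(ts)
        key = (host, parent.lower())
        for tool in tools_in(cmd):
            seen[key].append((t, tool))
        recent = {tool for when, tool in seen[key] if t - when <= WINDOW}
        # Alert once per (host, parent) pair.
        if len(recent) >= THRESHOLD and key not in [a[:2] for a in alerts]:
            alerts.append((host, parent.lower(), sorted(recent)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("possible T0840 enumeration:", alert)
```

Because every token is checked, a file argument that happens to be named after a tool also matches; the parent-process grouping and threshold are what keep that noise down.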

References