T0840 Network Connection Enumeration
Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools such as Netstat [2], in conjunction with System Firmware, then they can determine the role of certain devices on the network [1]. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.
Item | Value |
---|---|
ID | T0840 |
Sub-techniques | |
Tactics | TA0102 |
Platforms | Human-Machine Interface |
Version | 1.1 |
Created | 21 May 2020 |
Last Modified | 09 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0605 | EKANS | EKANS performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. [3] |
S0604 | Industroyer | Industroyer contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. [4] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0816 | Mitigation Limited or Not Effective | Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig). |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
DS0012 | Script | Script Execution |
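Because the tools involved are common ones (netstat, ipconfig), a Command Execution detection has to rely on context rather than on the tool name alone. The following is an added example, not part of the original page: it flags a host and user that run several enumeration commands within a short window from a parent process outside a baseline. The event fields, the baseline parent name, the five-minute window and the threshold are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named on this page; the name must be delimited on both sides.
ENUM_TOOLS = re.compile(r'(?:^|[\\/\s"])(netstat|ipconfig)(?:\.exe)?(?=[\s"]|$)', re.I)
# Assumption: parent processes expected to run these tools on an HMI (hypothetical).
BASELINE_PARENTS = {"monitoring_agent.exe"}
WINDOW = timedelta(minutes=5)

# Constructed process-creation events: (timestamp, host, user, parent, command line).
EVENTS = [
    ("2023-03-09T10:00:05", "HMI-01", "operator", "cmd.exe", "netstat -ano"),
    ("2023-03-09T10:01:40", "HMI-01", "operator", "cmd.exe",
     r"C:\Windows\System32\ipconfig.exe /all"),
    ("2023-03-09T10:02:00", "HMI-02", "svc_mon", "monitoring_agent.exe", "netstat -an"),
    ("2023-03-09T09:00:00", "HMI-03", "operator", "cmd.exe", "ipconfig"),
    ("2023-03-09T11:30:00", "HMI-03", "operator", "cmd.exe", "netstat -r"),
    ("2023-03-09T10:03:00", "HMI-01", "operator", "explorer.exe",
     "notepad.exe netstat_notes.txt"),
]


def find_enumeration(events, threshold=2):
    """Alert when one host/user runs >= threshold enumeration commands
    within WINDOW from a parent process that is not in the baseline."""
    hits = defaultdict(list)
    for ts, host, user, parent, cmd in events:
        m = ENUM_TOOLS.search(cmd)
        if m and parent.lower() not in BASELINE_PARENTS:
            hits[(host, user)].append((datetime.fromisoformat(ts), m.group(1).lower()))
    alerts = []
    for (host, user), seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans at most WINDOW.
            while seen[end][0] - seen[start][0] > WINDOW:
                start += 1
            if end - start + 1 >= threshold:
                tools = sorted({t for _, t in seen[start:end + 1]})
                alerts.append({"host": host, "user": user, "tools": tools,
                               "first": seen[start][0].isoformat()})
                break  # one alert per host/user is enough
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(EVENTS):
        print(alert)
```

On an HMI the set of expected parents and users is usually small, so the baseline can be kept tight and the threshold low.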
References
- MITRE. System Network Connections Discovery. Retrieved 2018/05/31.
- Ben Hunter and Fred Gutierrez. 2020, July 01. EKANS Ransomware Targeting OT ICS Systems. Retrieved 2021/04/12.
- Anton Cherepanov, ESET. 2017, June 12. Win32/Industroyer: A new threat for industrial control systems. Retrieved 2017/09/15.