T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
Playful Taurus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomBlu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Worok usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EstateRansomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Clop usesRansomware.Live Confidence 100
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC961 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GrayCharlie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ToyMaker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
FinalDraft usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DWAgent usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerExchange usesFamily The MITRE Corporation Confidence 100
[PowerExchange](https://attack.mitre.org/software/S1173) is a PowerShell backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2023 including against government targets in the Middle East.(Citation: Symantec Crambus OCT 2023)
First seen 01/01/1970 · Last seen 16/11/5138 · -
SprySOCKS usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Playcrypt usesFamily The MITRE Corporation Confidence 100
[Playcrypt](https://attack.mitre.org/software/S1162) is a ransomware that has been used by [Play](https://attack.mitre.org/groups/G1040) since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Roaming Mantis usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TA428 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ANDROMEDA usesFamily The MITRE Corporation Confidence 100
[ANDROMEDA](https://attack.mitre.org/software/S1074) is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 [C0026](https://attack.mitre.org/campaigns/C0026)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Ballistic Bobcat usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
FoggyWeb - S0661 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LAGTOY usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SysUpdate usesFamily The MITRE Corporation Confidence 100
[SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (42)
-
AlienVault Confidence 100 23 MITREs 21 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
-
1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
-
Thus Spoke…The Gentlemen related3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 Malwares 26 IOCs 26 Observables 1 APT
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 1 IOC 1 Observable
-
13 CVEs 19 MITREs 2 Malwares 9 Observables
-
20 MITREs 2 Malwares 16 Observables
-
20 MITREs 4 Malwares 31 Observables 1 APT
Vulnerabilities (CVE) (78)
The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …
- Attack vector
- Network
- Published
- 09/06/2025
- Modified
- 27/05/2026
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery (SSRF) vulnerability via the ProxyServlet component.
- Published
- 07/07/2025
- Modified
- 21/12/2025
VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol that allows an attacker to conduct remote …
- Attack vector
- Network
- Published
- 22/01/2024
- Modified
- 21/12/2025
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …
- Published
- 03/11/2021
- Modified
- 20/12/2025
An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the …
- Attack vector
- NETWORK
- EPSS
- 0.0013 (P33.0%)
- Published
- 02/01/2026
- Modified
- 17/06/2026
Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution.
- Attack vector
- Network
- Published
- 17/10/2024
- Modified
- 21/12/2025
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …
- Attack vector
- Network
- Complexity
- Low
- Published
- 21/02/2024
- Modified
- 29/04/2026
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…