T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (59)
-
The MITRE Corporation Confidence 100
[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean,…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Lazarus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL-UNK-1068 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The Gentlemen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Muddled Libra usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Conti usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
APT-Q-27 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
VBShower - S0442 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Torat uses
-
AutoItRAT usesFamily
-
Xorddos usesFamily
-
USBferry uses
-
GoTokenTheft usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MataDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CBROVER usesFamily
-
BH_A006 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SNOWLIGHT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerShower - S0441 usesFamily
-
Black Basta usesFamily The MITRE Corporation Confidence 100
[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (41)
-
4 CVEs 19 MITREs 3 Malwares 12 Observables 1 APT
-
Roundup: Care what you share related14 MITREs 1 Malware 4 Observables
-
25 MITREs 6 Malwares 1 APT
-
20 MITREs 3 Malwares 12 Observables 1 APT
-
12 MITREs 1 Malware 9 Observables
-
19 MITREs 1 Malware 6 Observables
-
20 MITREs 3 Malwares 4 Observables
-
7 MITREs 1 Malware 17 Observables 1 APT
-
7 MITREs 1 Malware 15 Observables 1 APT
-
15 MITREs 2 Malwares 4 Observables 1 APT
-
14 MITREs 1 Malware 8 Observables 1 APT
-
15 MITREs 2 Malwares 5 Observables 1 APT
Vulnerabilities (CVE) (78)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 29/01/2026
- Modified
- 10/04/2026
Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable …
- Attack vector
- NETWORK
- EPSS
- 0.0003 (P7.6%)
- Published
- 09/01/2026
- Modified
- 17/04/2026
NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by …
- Attack vector
- LOCAL
- Published
- 13/08/2025
- Modified
- 17/04/2026
Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 2.07 before 2.07WWB05, DIR-817 Ax, DIR-818LW Bx before 2.05b03beta03, DIR-822 C1 3.01 before …
- Attack vector
- Network
- Complexity
- Low
- Published
- 25/08/2016
- Modified
- 17/06/2026
Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …
- Attack vector
- Network
- Published
- 16/10/2023
- Modified
- 21/12/2025
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An …
- Published
- 10/02/2022
- Modified
- 20/12/2025
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 25/02/2026
- Modified
- 18/06/2026
A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 05/06/2026
- Modified
- 25/06/2026
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…