T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
Playful Taurus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cavern Manticore usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomBlu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Worok usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EstateRansomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Clop usesRansomware.Live Confidence 100
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC961 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GrayCharlie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
VBShower - S0442 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Torat usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
AutoItRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Xorddos usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
USBferry usesFamily The MITRE Corporation Confidence 100
[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GoTokenTheft usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
MataDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
CBROVER usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
BH_A006 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SNOWLIGHT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PowerShower - S0441 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Black Basta usesFamily The MITRE Corporation Confidence 100
[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
20 MITREs 2 Malwares 16 Observables
-
20 MITREs 4 Malwares 31 Observables 1 APT
-
18 MITREs 4 Malwares 11 Observables 1 APT
-
24 MITREs 3 Malwares 147 Observables 1 APT
-
25 MITREs 4 Observables 1 APT
-
19 MITREs 1 Malware 2 Observables 1 APT
-
19 MITREs 3 Malwares 28 Observables 1 APT
-
11 MITREs
-
10 MITREs 80 Observables 1 APT
-
13 MITREs 3 Malwares 1 APT
-
18 MITREs 12 Observables
-
15 MITREs
Vulnerabilities (CVE) (84)
- Published
- 09/07/2026
BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)contain an OS command injection vulnerability. Successful exploitation could allow an unauthenticated remote attacker …
- Attack vector
- Network
- Published
- 13/02/2026
- Modified
- 20/02/2026
Rejected reason: This CVE is a duplicate of CVE-2025-55182.
- Published
- 20/12/2025
- Modified
- 21/12/2025
Cisco IOS and IOS XE Software improperly validates packet data, allowing an unauthenticated, remote attacker to trigger a reload of an affected …
- Attack vector
- NETWORK
- Published
- 03/11/2021
- Modified
- 14/01/2026
Microsoft Windows SMB Client contains an improper access control vulnerability that could allow for privilege escalation. An attacker could execute a specially …
- Attack vector
- Network
- Published
- 20/10/2025
- Modified
- 27/05/2026
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 11/04/2022
- Modified
- 20/12/2025
Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …
- Published
- 03/11/2021
- Modified
- 20/12/2025
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 14/05/2026
- Modified
- 18/06/2026
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 11/04/2022
- Modified
- 20/12/2025
Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 13/04/2022
- Modified
- 27/05/2026
Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in …
- Attack vector
- NETWORK
- Published
- 11/07/2025
- Modified
- 21/12/2025
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…