T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
Playful Taurus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cavern Manticore usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomBlu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Worok usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EstateRansomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Clop usesRansomware.Live Confidence 100
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC961 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GrayCharlie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
Conti usesFamily The MITRE Corporation Confidence 100
[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. [Conti](https://attack.mitre.org/software/S0575) has been deployed via [TrickBot](https://attack.mitre.org/software/S0266) and used against major corporations and government agencies, particularly those…
First seen 01/01/1970 · Last seen 16/11/5138 · -
OSInfo usesFamily The MITRE Corporation Confidence 100
[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim's computer and network. (Citation: Symantec Buckeye)
First seen 01/01/1970 · Last seen 16/11/5138 · -
DeathNote usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sibot usesFamily The MITRE Corporation Confidence 100
[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GREASE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Derusbi usesFamily The MITRE Corporation Confidence 100
[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups.(Citation: Novetta-Axiom)(Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed.(Citation: Fidelis Turbo)
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlackCat usesFamily The MITRE Corporation Confidence 100
[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
MIPS32 MSB usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LEASHTEST usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PortDoor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Tokel usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PhantomJitter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
15 MITREs 2 Malwares 4 Observables 1 APT
-
14 MITREs 1 Malware 8 Observables 1 APT
-
15 MITREs 2 Malwares 5 Observables 1 APT
-
6 MITREs
-
19 MITREs 2 Malwares 11 Observables
-
From Perfctl to InfoStealer related20 MITREs 1 Malware 3 Observables
-
20 MITREs 7 Malwares 41 Observables
-
17 MITREs 2 Observables 1 APT
Vulnerabilities (CVE) (84)
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
In Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 …
- Attack vector
- NETWORK
- Published
- 20/01/2023
- Modified
- 09/07/2026
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm. The impacted products could be …
- Attack vector
- Network
- Published
- 16/06/2025
- Modified
- 21/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …
- Attack vector
- Network
- Complexity
- Low
- Published
- 21/02/2024
- Modified
- 29/04/2026
Ivanti Endpoint Manager Mobile (EPMM) contains an authentication bypass vulnerability in the API component that allows an attacker to access protected resources …
- Attack vector
- Network
- Published
- 19/05/2025
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
Progress MOVEit Transfer contains a SQL injection vulnerability that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. …
- Attack vector
- Network
- Published
- 02/06/2023
- Modified
- 21/12/2025
Microsoft Win32k fails to properly handle objects in memory causing privilege escalation. Successful exploitation allows an attacker to run code in kernel …
- Published
- 03/11/2021
- Modified
- 29/05/2026
Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …
- Attack vector
- Network
- Published
- 11/10/2022
- Modified
- 14/01/2026
Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code …
- Attack vector
- Network
- Published
- 14/07/2025
- Modified
- 16/03/2026
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…