T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
Playful Taurus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cavern Manticore usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomBlu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Worok usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EstateRansomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Clop usesRansomware.Live Confidence 100
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC961 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GrayCharlie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
LAGTOY usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SysUpdate usesFamily The MITRE Corporation Confidence 100
[SysUpdate](https://attack.mitre.org/software/S0663) is a backdoor written in C++ that has been used by [Threat Group-3390](https://attack.mitre.org/groups/G0027) since at least 2020.(Citation: Trend Micro Iron Tiger April 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Samurai usesFamily The MITRE Corporation Confidence 100
[Samurai](https://attack.mitre.org/software/S1099) is a passive backdoor that has been used by [ToddyCat](https://attack.mitre.org/groups/G1022) since at least 2020. [Samurai](https://attack.mitre.org/software/S1099) allows arbitrary C# code execution and is used with multiple modules for…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Black Basta - S1070 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
NETWIRE usesFamily The MITRE Corporation Confidence 100
[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LONGLEASH usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SEASPY usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Merlin usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sykipot usesFamily The MITRE Corporation Confidence 100
[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims.…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Demo usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Quantum usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Auto-Color usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (44)
-
AlienVault Confidence 100 19 MITREs 5 Malwares 20 IOCs 1 APT
-
AlienVault Confidence 100 6 CVEs 20 MITREs 5 Malwares 81 IOCs 4 Observables 1 APT
-
AlienVault Confidence 100 23 MITREs 21 IOCs 7 Observables 1 APT
-
AlienVault Confidence 100 3 CVEs 19 MITREs 9 IOCs 8 Observables
-
AlienVault Confidence 100 3 CVEs 20 MITREs 1 Malware 23 IOCs 23 Observables
-
1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
-
Thus Spoke…The Gentlemen related3 CVEs 20 MITREs 2 Malwares 33 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 Malwares 26 IOCs 26 Observables 1 APT
-
AlienVault Confidence 100 24 MITREs 1 Malware 13 IOCs 13 Observables 1 APT
-
AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
-
AlienVault Confidence 100 1 CVE 20 MITREs 1 IOC 1 Observable
-
13 CVEs 19 MITREs 2 Malwares 9 Observables
Vulnerabilities (CVE) (84)
Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …
- Attack vector
- Network
- Published
- 04/09/2025
- Modified
- 21/12/2025
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …
- Attack vector
- Network
- Published
- 20/07/2025
- Modified
- 21/12/2025
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 04/02/2022
- Modified
- 20/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …
- Attack vector
- NETWORK
- Published
- 07/01/2026
- Modified
- 09/03/2026
ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
- Attack vector
- Network
- Published
- 22/02/2024
- Modified
- 28/02/2026
Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.
- Published
- 10/01/2022
- Modified
- 21/12/2025
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …
- Attack vector
- Network
- Published
- 14/01/2025
- Modified
- 27/05/2026
Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …
- Attack vector
- Network
- Published
- 23/10/2023
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- Attack vector
- NETWORK
- Published
- 29/01/2026
- Modified
- 27/03/2026
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…