T1049: T1049
Essential information
- MITRE technique ID
T1049- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
System Network Connections Discovery
Platforms
windows macos linux Network Devices IaaS ESXi
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | discovery |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (60)
-
Playful Taurus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
play usesThe MITRE Corporation Confidence 100
Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…
First seen 01/01/1970 · Last seen 16/11/5138 · -
PhantomBlu usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Worok usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EstateRansomware usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Clop usesRansomware.Live Confidence 100
The ransomware group known as Cl0p is a variant of a previously known strain dubbed CryptoMix. It is worth noting that this variant was delivered as the final…
First seen 01/01/1970 · Last seen 16/11/5138 · -
RomCom usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC961 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
GrayCharlie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ToyMaker usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (75)
-
Earth Lusca usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Space Pirates usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
HookSpoofer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Cactus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Sagerunex usesFamily The MITRE Corporation Confidence 100
[Sagerunex](https://attack.mitre.org/software/S1210) is a malware family exclusively associated with [Lotus Blossom](https://attack.mitre.org/groups/G0030) operations, with variants existing since at least 2016. Variations of [Sagerunex](https://attack.mitre.org/software/S1210) leverage non-traditional command and control mechanisms such…
First seen 01/01/1970 · Last seen 16/11/5138 · -
QuasarRAT usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
IcedID - S0483 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ScanPortPlus usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Impersoni-Fake-Ator usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
LockBit usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
reGeorg usesFamily The MITRE Corporation Confidence 100
[reGeorg](https://attack.mitre.org/software/S1187) is an open-source web shell written in Python that can be used as a proxy to bypass firewall rules and tunnel data in and out of targeted…
First seen 01/01/1970 · Last seen 16/11/5138 · -
POISONPLUG.SHADOW usesThe MITRE Corporation Confidence 100
[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (42)
-
18 MITREs 4 Malwares 11 Observables 1 APT
-
24 MITREs 3 Malwares 147 Observables 1 APT
-
25 MITREs 4 Observables 1 APT
-
19 MITREs 1 Malware 2 Observables 1 APT
-
19 MITREs 3 Malwares 28 Observables 1 APT
-
11 MITREs
-
10 MITREs 80 Observables 1 APT
-
13 MITREs 3 Malwares 1 APT
-
18 MITREs 12 Observables
-
15 MITREs
-
6 CVEs 31 MITREs 92 Observables 1 APT
-
1 CVE 13 MITREs 2 Observables
Vulnerabilities (CVE) (78)
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/05/2017
- Modified
- 22/04/2026
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector
- Network
- Published
- 30/09/2022
- Modified
- 20/12/2025
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, …
- Attack vector
- NETWORK
- Published
- 16/02/2023
- Modified
- 21/12/2025
Linux kernel contains a heap-based buffer overflow vulnerability in the legacy_parse_param function in the Filesystem Context functionality. This allows an attacker to …
- Published
- 21/08/2024
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 29/05/2026
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write …
- Attack vector
- Network
- Published
- 22/05/2025
- Modified
- 21/12/2025
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 24/10/2025
- Modified
- 21/12/2025
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be …
- Attack vector
- Network
- Published
- 30/06/2025
- Modified
- 21/12/2025
Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …
- Published
- 14/06/2022
- Modified
- 27/05/2026
Execution with Unnecessary Privileges vulnerability in multiple services of Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 …
- Attack vector
- Local
- Complexity
- LOW
- Published
- 16/05/2025
- Modified
- 17/04/2026
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
Campaign (1)
-
Anthropic AI-orchestrated Campaign uses
Tool (2)
-
Pacu usesThe MITRE Corporation Confidence 100
Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly available on GitHub.(Citation: GitHub Pacu)
-
Empire usesThe MITRE Corporation Confidence 100
[Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…