{
"id": "bundle--33e3e33a-38b8-4a37-9455-5b8c82d3b10a",
"objects": [
{
"created": "2017-05-31T21:30:45.139269Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system.\nUtilities and commands that acquire this information include netstat, and \"net use\" and \"net session\" with the Net utility.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as the use of Windows Management Instrumentation and PowerShell. Monitor process creation and command-line parameters for the utilities named above.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1\n\nData Sources: Process command-line parameters, Process monitoring",
"external_references": [
{
"external_id": "T1049",
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/wiki/Technique/T1049"
}
],
"id": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "discovery"
}
],
"modified": "2017-05-31T21:30:45.139269Z",
"name": "Local Network Connections Discovery",
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"type": "attack-pattern"
}
],
"spec_version": "2.0",
"type": "bundle"
}