Skip to content

Hide Navigation Hide TOC

Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Cluster A Galaxy A Cluster B Galaxy B Level
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Adversary-in-the-Middle - T1638 (08e22979-d320-48ed-8711-e7bf94aabb13) Attack Pattern 1
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 1
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern 1
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 1
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 1
Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 1
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 1
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) Attack Pattern 1
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern 1
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) Attack Pattern 1
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 1
Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) mitre-data-component Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 1
Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) Attack Pattern Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern 2
Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) Attack Pattern 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2
Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) Attack Pattern 2
Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) Attack Pattern 2
Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) Attack Pattern TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) Attack Pattern 2
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 2
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 2
Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) Attack Pattern Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) Attack Pattern 2
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) Attack Pattern Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) Attack Pattern 2
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2