Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (e.g. Windows Event ID 5156, Sysmon Event ID 3, or a Zeek conn.log entry)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) | Attack Pattern | 1 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Build Image on Host - T1612 (800f9819-7007-4540-a520-40e655876800) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) | Attack Pattern | 1 |
| External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) | Attack Pattern | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) | Attack Pattern | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) | Attack Pattern | 1 |
| Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | 1 |
| Template Injection - T1221 (dc31fe1e-d722-49da-8f5f-92c7b5aff534) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 1 |
| Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Adversary-in-the-Middle - T1638 (08e22979-d320-48ed-8711-e7bf94aabb13) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) | Attack Pattern | 1 |
| Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 1 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | Network Connection Creation (181a9f8c-c780-4f1f-91a8-edb770e904ba) | mitre-data-component | 1 |
| VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) | Attack Pattern | 2 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2 |
| SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Socket Filters - T1205.002 (005cc321-08ce-4d17-b1ea-cb5275926520) | Attack Pattern | 2 |
| Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | 2 |
| Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001 (79a4052e-1a89-4b09-aea6-51f1d11fe19c) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2 |
| Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2 |
| TFTP Boot - T1542.005 (28abec6c-4443-4b03-8206-07f2e264a6b4) | Attack Pattern | Pre-OS Boot - T1542 (7f0ca133-88c4-40c6-a62f-b3083a7fbc2e) | Attack Pattern | 2 |
| Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) | Attack Pattern | Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) | Attack Pattern | 2 |
| Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) | Attack Pattern | Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | 2 |
| Exfiltration Over Other Network Medium - T1011 (51ea26b1-ff1e-4faa-b1a0-1114cd298c87) | Attack Pattern | Exfiltration Over Bluetooth - T1011.001 (613d08bc-e8f4-4791-80b0-c8b974340dfd) | Attack Pattern | 2 |
| Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) | Attack Pattern | Traffic Duplication - T1020.001 (7c46b364-8496-4234-8a56-f7e6727e21e1) | Attack Pattern | 2 |
| Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) | Attack Pattern | 2 |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) | Attack Pattern | 2 |
| Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) | Attack Pattern | Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | 2 |
| CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | 2 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | Dead Drop Resolver - T1481.001 (986f80f7-ff0e-4f48-87bd-0394814bbce5) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) | Attack Pattern | 2 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 2 |
| One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) | Attack Pattern | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 2 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | 2 |
| Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | SNMP (MIB Dump) - T1602.001 (ee7ff928-801c-4f34-8a99-3df965e581a5) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) | Attack Pattern | 2 |
| Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) | Attack Pattern | Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) | Attack Pattern | 2 |
| Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) | Attack Pattern | Port Knocking - T1205.001 (8868cb5b-d575-4a60-acb2-07d37389a2fd) | Attack Pattern | 2 |
| Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) | Attack Pattern | One-Way Communication - T1481.003 (d916f176-a1ca-4a78-9fdd-4058bc28162e) | Attack Pattern | 2 |
| SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |