DC0082: Network Connection Creation
The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.
*Data Collection Measures:*
- Windows:
  - Event ID 5156 – Filtering Platform Connection: logs network connections permitted by Windows Filtering Platform (WFP).
  - Sysmon Event ID 3 – Network Connection Initiated: captures process, source/destination IP, ports, and parent process.
- Linux/macOS:
  - Netfilter (iptables), nftables logs: tracks incoming and outgoing network connections.
  - AuditD (`connect` syscall): logs TCP, UDP, and ICMP connections.
  - Zeek (`conn.log`): captures protocol, duration, and bytes transferred.
- Cloud & Network Infrastructure:
  - AWS VPC Flow Logs / Azure NSG Flow Logs: logs IP traffic at the network level in cloud environments.
  - Zeek (`conn.log`) or Suricata (network events): captures packet metadata for detection and correlation.
- Endpoint Detection & Response (EDR):
  - Detects anomalous network activity such as new C2 connections or data exfiltration attempts.
Analyst context for executives and security teams
Network Connection Creation is a foundational evidence source for understanding when systems or processes initiate communication with local or remote endpoints. For executives and security leaders, its value is not a single alert type; it is the visibility layer that often determines whether teams can investigate suspected lateral movement, command-and-control, or exfiltration activity with confidence.
Executive priority
Prioritize this data component as a resilience and incident-readiness requirement. If the organization cannot reliably show which process or system initiated a connection, to what destination, over which port and protocol, SOC and IR teams may lose critical time during containment and scoping. Leaders should ask whether endpoint, cloud, and network logging coverage is consistent enough to support investigations, audit evidence, and risk decisions across Windows, Linux/macOS, cloud, and network infrastructure where applicable.
Technical view
Validate that connection initiation telemetry captures source and destination IPs, ports, protocol, session metadata, and, where endpoint sources are used, process context. The supplied ATT&CK description identifies Windows Event ID 5156, Sysmon Event ID 3, Linux/macOS Netfilter or nftables logs, AuditD connect syscall logging, Zeek conn.log, Suricata network events, AWS VPC Flow Logs, Azure NSG Flow Logs, and EDR network activity as relevant collection measures. Because no official detection logic is provided, teams should focus on confirming collection quality, normalization, retention, and correlation across host, cloud, and network vantage points.
Likely telemetry
- Windows Filtering Platform permitted connection events, including Event ID 5156 where enabled
- Sysmon Event ID 3 network connection initiated events with process and network details
- Linux/macOS Netfilter or nftables connection logs
- AuditD connect syscall records for TCP, UDP, and ICMP activity
- Zeek conn.log records with protocol, duration, and bytes transferred
Detection direction
- Confirm that connection creation logs are collected from the systems and environments where investigations depend on them, including endpoint, cloud, and network infrastructure sources cited by ATT&CK.
- Tune detections around context-rich deviations such as unusual destinations, ports, protocols, process-to-network relationships, new connection patterns, and traffic metadata that may support analysis of lateral movement, exfiltration, or C2.
- Account for false positives from legitimate software updates, administrative tools, cloud service communications, and expected application behavior by baselining normal connection patterns.
- Identify blind spots where network-only flow logs lack process context, endpoint logs lack full packet/session context, or encrypted traffic limits content inspection.
- Test whether SOC workflows can pivot from a suspicious connection to host process details, parent process where available, destination ownership, cloud flow evidence, and related session metadata.
Mitigation priorities
- Treat this primarily as a visibility and validation control: ensure required logging is enabled before relying on detections or incident playbooks.
- Prioritize telemetry sources that provide both network metadata and initiating process context where supported, such as Sysmon or EDR on endpoints plus network or cloud flow logging.
- Standardize parsing and retention for source/destination IP, ports, protocol, timestamps, duration, byte counts, and process fields where available.
- Use the data to support segmentation reviews, egress control validation, incident scoping, and evidence production, rather than assuming any single source provides complete coverage.
- Regularly test collection during tabletop exercises or detection validation to confirm analysts can reconstruct connection activity during suspected lateral movement, exfiltration, or C2 investigations.
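To make the parsing, normalization and pivot checks in the two lists above concrete, here is an added example (not part of the ATT&CK object or Glexia's analysis) that normalizes constructed Sysmon Event ID 3, Zeek conn.log and AWS VPC Flow Log records into one schema, then pivots from a network-only record to the endpoint record that carries process context. Field layouts follow those sources' documented defaults; all sample values are constructed.

```python
import json

# Constructed sample records (not real telemetry) for three sources named on this page:
# a Sysmon Event ID 3 event (JSON-shaped, as an agent forwards it), a Zeek conn.log line
# trimmed to its first 11 default columns, and an AWS VPC Flow Log v2 default-format line.
SYSMON_3 = json.dumps({"EventID": 3, "UtcTime": "2026-01-15 10:22:03.101",
    "Image": "C:\\Program Files\\ExampleApp\\sync.exe", "ProcessId": 4412,
    "SourceIp": "10.0.1.25", "SourcePort": 49712,
    "DestinationIp": "203.0.113.7", "DestinationPort": 443, "Protocol": "tcp"})
ZEEK_CONN = ("1768472523.101\tCabc123\t10.0.1.25\t49712\t203.0.113.7\t443\ttcp\tssl"
             "\t12.5\t8400\t2200")
VPC_FLOW = ("2 123456789012 eni-0abc 10.0.1.25 203.0.113.7 49712 443 6 14 10600 "
            "1768472523 1768472536 ACCEPT OK")
IP_PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}  # flow logs carry the IANA protocol number

def parse_sysmon(raw: str) -> dict:
    e = json.loads(raw)
    return {"src_ip": e["SourceIp"], "src_port": int(e["SourcePort"]),
            "dst_ip": e["DestinationIp"], "dst_port": int(e["DestinationPort"]),
            "proto": e["Protocol"].lower(), "process": e["Image"], "pid": e["ProcessId"],
            "source": "sysmon"}

def parse_zeek(line: str) -> dict:
    # ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
    f = line.split("\t")
    return {"src_ip": f[2], "src_port": int(f[3]), "dst_ip": f[4], "dst_port": int(f[5]),
            "proto": f[6], "process": None, "pid": None, "source": "zeek",
            "duration": float(f[8]), "bytes": int(f[9]) + int(f[10])}

def parse_vpc(line: str) -> dict:
    # version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
    f = line.split()
    return {"src_ip": f[3], "src_port": int(f[5]), "dst_ip": f[4], "dst_port": int(f[6]),
            "proto": IP_PROTO.get(f[7], f[7]), "process": None, "pid": None,
            "source": "vpc", "bytes": int(f[9]), "action": f[12]}

def five_tuple(r: dict) -> tuple:
    return (r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"], r["proto"])

def pivot_to_process(flow: dict, endpoint_records: list):
    """Return the endpoint record sharing the flow's 5-tuple that carries process context.
    Returns None when only network-side sources saw the connection: the blind spot the page describes."""
    for r in endpoint_records:
        if five_tuple(r) == five_tuple(flow) and r.get("process"):
            return r
    return None

if __name__ == "__main__":
    hit = pivot_to_process(parse_zeek(ZEEK_CONN), [parse_sysmon(SYSMON_3)])
    print("process behind Zeek connection:", hit["process"] if hit else "no endpoint context")
```

Passing only Zeek or VPC records as `endpoint_records` returns None, which is the gap an analyst hits when endpoint logging is absent for the host that initiated the connection.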
Analyst notes and limits
This object is a data component, not a technique, and no ATT&CK tactics, platforms, aliases, labels, relationships, or official detection logic were supplied beyond collection measures. Its decision value comes from confirming whether the organization can observe initial network session establishment across relevant environments and correlate that evidence during investigations.
The supplied ATT&CK fields do not provide specific detection analytics, related techniques, adversary use, or environment-specific coverage assumptions. Local architecture, logging configuration, sensor placement, retention, and normalization determine whether this data component is actually useful for detection or incident response.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 11c5cda8e2d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0082 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.