AN0903: Analytic 0903
Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections.
Analyst context for executives and security teams
AN0903 is a Windows detection analytic for spotting when users, scripts, or tools enumerate local or remote network connections using commands such as netstat, PowerShell Get-NetTCPConnection, WMI, or API calls. For leaders, the value is not that these tools are inherently malicious; it is that connection enumeration can reveal reconnaissance activity during an investigation and helps determine whether existing endpoint logging can distinguish normal administration from suspicious discovery behavior.
Executive priority
Prioritize this analytic as a validation item for Windows endpoint visibility and SOC triage readiness. It supports incident decision-making by helping responders identify systems where someone is mapping active communications. The key business question is whether the organization can produce reliable evidence of this behavior across critical Windows servers and workstations, while filtering expected administrator and monitoring activity.
Technical view
SOC and detection teams should validate whether Windows telemetry captures process execution and command-line details for netstat and PowerShell Get-NetTCPConnection, PowerShell activity, WMI usage, and any available EDR/API-level observations of network connection enumeration. Because no official detection logic or ATT&CK tactic mapping is supplied, teams should implement this as a behavior-focused analytic and tune it against known administrative, troubleshooting, inventory, and monitoring workflows.
Likely telemetry
- Windows process creation events with command-line arguments
- PowerShell execution and script/module logging where enabled
- WMI activity logs or endpoint telemetry showing WMI queries/calls
- EDR telemetry for process behavior and API usage related to network connection enumeration
- Context on user, host, parent process, remote target, and execution frequency
Detection direction
- Confirm that command-line capture is enabled for relevant Windows endpoints, especially servers and privileged workstations.
- Tune for expected use by administrators, help desk tools, monitoring agents, and network troubleshooting scripts to reduce false positives.
- Prioritize suspicious context such as unusual users, nonstandard parent processes, execution from temporary or user-writable paths, repeated enumeration across hosts, or use on sensitive systems.
- Correlate with adjacent endpoint activity in the same session, but avoid assuming malicious intent from connection enumeration alone.
- Document telemetry gaps where WMI or API-level enumeration would not be visible with current logging.
Mitigation priorities
- Establish and enforce least-privilege administration for Windows systems so only authorized roles can perform broad remote management activity.
- Harden and monitor PowerShell and WMI usage according to organizational policy, including logging where operationally feasible.
- Maintain endpoint detection coverage on critical Windows assets where connection enumeration would materially affect incident response.
- Create approved baselines for administrative and monitoring tools that legitimately enumerate connections.
- Use findings from this analytic to improve SOC runbooks and evidence collection rather than relying on tool execution alone as a blocking condition.
Analyst notes and limits
This object is a detection analytic, not a technique. The supplied ATT&CK fields specify Windows as the platform and describe detection of commands, binaries, WMI, or API calls used to enumerate local or remote network connections. No relationships, tactics, or official detection logic were provided, so defensive implementation should be locally engineered and validated.
The source does not provide specific detection logic, data source mappings, tactics, related techniques, adversary usage, or mitigation guidance. Local environment baselines are required to separate legitimate administration from suspicious activity. Coverage cannot be assumed without confirming endpoint logging and EDR visibility.
Analytic 0903
Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f7a269edf9ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0903Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.