AN0904: Analytic 0904
Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging.
Analyst context for executives and security teams
This analytic matters because listing active network connections on Linux can be a key sign that someone or something is mapping the environment before further action. For executives and security leaders, the decision value is not the commands themselves, but whether the organization can see connection-enumeration behavior on important Linux systems and distinguish routine administration from suspicious staging or privilege-related activity.
Executive priority
Prioritize this as a visibility and response-readiness question for Linux estates. Leaders should ask whether critical Linux servers, cloud workloads, and administrative hosts produce enough process and command telemetry to support investigations when network discovery or staging is suspected. Because ATT&CK provides no tactic or detailed detection logic for this analytic, it should be treated as a coverage-validation item rather than a standalone risk indicator.
Technical view
For SOC, detection engineering, and IR teams, validate monitoring for Linux process execution involving netstat, ss, lsof, and shell-scripted connection listing. Focus on context: user account, parent process, execution path, timing, host role, and proximity to other suspicious activity such as privilege escalation indicators or staging behavior, as noted in the official description. Since no official detection logic is supplied, teams should build and tune local analytics against known administrative baselines before alerting broadly.
Likely telemetry
- Linux process execution telemetry
- Command-line arguments where available
- Parent-child process relationships
- User and privilege context
- Host role and asset criticality
Detection direction
- Confirm that Linux endpoint or audit telemetry captures execution of netstat, ss, lsof, and shell interpreters used for connection-listing scripts.
- Tune detections around unusual users, nonstandard parent processes, unexpected execution on sensitive servers, or activity outside normal administrative windows.
- Correlate with nearby events that may indicate privilege escalation or staging, because the official description notes this behavior is often paired with those activities.
- Avoid treating every use of these utilities as malicious; they are common administrative and troubleshooting tools.
- Document blind spots where command-line capture, process ancestry, or shell/audit logging is absent.
Mitigation priorities
- First establish reliable Linux process and command-line visibility on systems where this behavior would matter most.
- Define normal administrative usage patterns for network diagnostic utilities on critical hosts.
- Restrict unnecessary administrative access through existing identity and access controls, especially on sensitive Linux systems.
- Ensure incident response playbooks include triage questions for connection-enumeration activity, including who ran it, from where, and what occurred before and after.
- Use the analytic as supporting evidence in broader investigations rather than as a standalone basis for high-severity response.
Analyst notes and limits
This is a detection analytic object, AN0904, for Linux. The official description identifies use of netstat, ss, lsof, or custom shell scripts to list current network connections and notes it is often paired with privilege escalation or staging. No ATT&CK tactic, relationship context, aliases, labels, or official detection logic were supplied.
The source fields do not provide a specific detection query, data source mapping, tactic, related technique, adversary use, or mitigation mapping. Local baselines and telemetry quality are required to determine whether this behavior is suspicious in a given environment.
Analytic 0904
Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 16273919c28b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0904Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.