MITRE ATT&CK® Detection Strategy

DET0770: Detection of Network Connection Enumeration


Domain: ICS | ID: DET0770 | Type: Detection Strategy | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0770 is an ICS ATT&CK detection strategy for identifying Network Connection Enumeration behavior. The business significance is that enumeration of device communication patterns can help an adversary understand which systems talk to each other and what roles they may play in an operational environment. For security leaders, this is less about a single alert and more about confirming whether SOC and incident response teams can see unusual attempts to inspect or infer industrial network relationships before later actions depend on that knowledge.

Executive priority

Prioritize this as an operational resilience and visibility question: can the organization prove it has enough telemetry to detect suspicious discovery of ICS communication patterns? Because the ATT&CK object provides no platform, tactic, or official detection logic, leaders should treat DET0770 as a coverage-validation item rather than a ready-made detection. Ask whether network monitoring, host-level evidence where available, and incident response playbooks can distinguish authorized troubleshooting from potentially adversarial enumeration in sensitive operational networks.

Technical view

This detection strategy is linked to ICS technique T0840, Network Connection Enumeration. The related technique describes adversaries inspecting network connection state with tools such as Netstat, potentially alongside system firmware access, or using network sniffing to observe communication patterns. SOC and detection engineering teams should validate whether they collect evidence of connection-state inspection and network observation in the relevant ICS segments, and whether detections are scoped to changes from normal operational baselines. Since no official detection text or platform is supplied, detection content should be locally derived from asset roles, expected communications, administrative procedures, and approved maintenance activity.

Likely telemetry

  • Network flow records or equivalent communication metadata for ICS segments
  • Packet capture or network sensor observations where available and authorized
  • Host or device logs showing connection-state inspection commands or utilities, where such logging exists
  • Administrative access logs tied to engineering workstations, jump hosts, or management systems
  • Change, maintenance, and troubleshooting records used to explain legitimate enumeration activity

Detection direction

  • Validate that monitoring can identify unusual inspection of active connections or communication patterns in ICS environments.
  • Baseline expected device-to-device and workstation-to-device communications so enumeration-like activity can be judged in context.
  • Tune detections to account for legitimate engineering, troubleshooting, commissioning, and maintenance workflows to reduce false positives.
  • Correlate network observation with authenticated user activity and administrative access where available.
  • Document blind spots explicitly, especially where ICS devices lack host logging or where passive network visibility is incomplete.
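The telemetry list and detection direction above describe the logic in words only; the following Python is an added example (not code from Glexia or from the ATT&CK object) that applies them to constructed data. It baselines device-to-device conversations from flow records, flags engineering-workstation process events that invoke connection-state inspection or sniffing utilities, checks each against approved maintenance records, and raises the severity when unbaselined conversations from the same workstation follow the inspection within a short window. All IP addresses, host names, user names, the ticket id and the tool list are hypothetical sample values.

```python
import os
from datetime import datetime, timedelta

# Constructed baseline of approved conversations (src, dst, dport) learned from a
# quiet period on the ICS segment. Addresses are hypothetical sample values.
BASELINE = {
    ("10.10.1.5", "10.10.2.20", 502),    # HMI -> PLC-A, Modbus/TCP
    ("10.10.1.5", "10.10.2.21", 502),    # HMI -> PLC-B, Modbus/TCP
    ("10.10.1.7", "10.10.2.20", 44818),  # ews-01 -> PLC-A, EtherNet/IP
}

# Constructed flow records for one day (ISO-8601 timestamps).
FLOWS = [
    {"ts": "2024-05-01T09:00:00", "src": "10.10.1.5", "dst": "10.10.2.20", "dport": 502},
    {"ts": "2024-05-01T09:05:00", "src": "10.10.1.7", "dst": "10.10.2.20", "dport": 44818},
    {"ts": "2024-05-01T09:12:00", "src": "10.10.1.7", "dst": "10.10.2.21", "dport": 502},
    {"ts": "2024-05-01T09:13:00", "src": "10.10.1.7", "dst": "10.10.2.22", "dport": 502},
    {"ts": "2024-05-01T09:14:00", "src": "10.10.1.7", "dst": "10.10.2.23", "dport": 44818},
    {"ts": "2024-05-01T14:02:00", "src": "10.10.1.9", "dst": "10.10.2.20", "dport": 502},
]

# Constructed process-creation events from two engineering workstations.
HOST_EVENTS = [
    {"ts": "2024-05-01T09:10:00", "host": "ews-01", "ip": "10.10.1.7", "user": "j.doe",
     "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano"},
    {"ts": "2024-05-01T09:11:00", "host": "ews-01", "ip": "10.10.1.7", "user": "j.doe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": "2024-05-01T14:00:00", "host": "ews-02", "ip": "10.10.1.9", "user": "m.ops",
     "image": "/usr/bin/ss", "cmdline": "ss -tnp"},
]

# Constructed maintenance records; the ticket id is a placeholder.
MAINTENANCE = [
    {"host": "ews-02", "start": "2024-05-01T14:00:00", "end": "2024-05-01T15:00:00",
     "ticket": "CHG-1042"},
]

# Illustrative set of connection-state inspection and capture utilities; replace
# with the tooling inventory approved for your own engineering hosts.
CONNECTION_INSPECTION_TOOLS = {"netstat", "netstat.exe", "ss", "lsof", "tcpdump", "tshark", "dumpcap"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def new_conversations(flows, baseline):
    """Flows whose (src, dst, dport) triple is not in the learned baseline."""
    return [f for f in flows if (f["src"], f["dst"], f["dport"]) not in baseline]


def is_inspection_tool(image):
    """Match on the executable name regardless of Windows or POSIX path style."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    return name in CONNECTION_INSPECTION_TOOLS


def maintenance_ticket(event, records):
    """Return the ticket covering this host at the event time, or None."""
    ts = parse_ts(event["ts"])
    for rec in records:
        if rec["host"] == event["host"] and parse_ts(rec["start"]) <= ts <= parse_ts(rec["end"]):
            return rec["ticket"]
    return None


def correlate(flows, events, baseline, maintenance, window_minutes=30):
    """Pair inspection-tool executions with unbaselined conversations that follow them."""
    unknown = new_conversations(flows, baseline)
    findings = []
    for ev in events:
        if not is_inspection_tool(ev["image"]):
            continue
        t0 = parse_ts(ev["ts"])
        t1 = t0 + timedelta(minutes=window_minutes)
        followed = [f for f in unknown if f["src"] == ev["ip"] and t0 <= parse_ts(f["ts"]) <= t1]
        ticket = maintenance_ticket(ev, maintenance)
        if ticket:
            severity = "low"        # approved work: keep for audit, triage quickly
        elif len(followed) >= 2:
            severity = "high"       # unapproved inspection followed by new peers
        else:
            severity = "medium"     # unapproved inspection, no new peers yet
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "ip": ev["ip"], "user": ev["user"],
            "tool": os.path.basename(ev["image"].replace("\\", "/")), "cmdline": ev["cmdline"],
            "ticket": ticket, "new_conversations": len(followed),
            "peers": sorted({f"{f['dst']}:{f['dport']}" for f in followed}),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(FLOWS, HOST_EVENTS, BASELINE, MAINTENANCE):
        print(finding)
```

The 30-minute window and the severity thresholds are tuning knobs, not fixed values; the point of the design is that an inspection utility on its own is common during troubleshooting, so the analytic only escalates when the same host then starts talking to devices it has never talked to and no maintenance record explains it.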

Mitigation priorities

  • Establish or refine asset and communication baselines for critical ICS networks.
  • Limit and monitor administrative access paths used to inspect network connections or observe traffic.
  • Segment and control access to operational network areas where communication-pattern discovery would create material risk.
  • Ensure maintenance and troubleshooting activities are logged or otherwise documented so alerts can be triaged quickly.
  • Use DET0770 as a validation point in SOC, IR, and compliance readiness exercises rather than assuming coverage from generic network monitoring alone.

Analyst notes and limits

The supplied ATT&CK object is a detection strategy in the ICS domain and has a relationship indicating it detects T0840, Network Connection Enumeration. The most actionable context comes from that relationship: adversaries may inspect connection state or use network sniffing to learn device communication patterns. Glexia’s take therefore emphasizes visibility, baselining, and triage readiness rather than prescribing a specific analytic.

The official object includes no description, no detection text, no platforms, and no tactics. Any specific detection logic, tooling assumptions, severity model, or coverage claim must be derived from the local ICS architecture and telemetry, not from the supplied ATT&CK fields alone.

Official MITRE ATT&CK definition

Detection of Network Connection Enumeration

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
ICS | T0840 | Network Connection Enumeration | This object detects Network Connection Enumeration.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8704dca8225ad1f6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8704dca8225a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0770

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.