Description
Network Manager is a feature present only in the more sophisticated Remote Access Trojans (RATs) and Command and Control (C2) frameworks. The component gives the operator granular visibility into, and control over, the network stack of a compromised host. Its capabilities go well beyond simple reconnaissance and support several phases of the attack lifecycle, including discovery, lateral movement, and data exfiltration.
At a high level, the Network Manager feature typically offers the following capabilities:
- Active Connection Monitoring: Enumerates all active network connections together with the owning process. This includes local and remote IP addresses, ports, protocols (TCP/UDP over IPv4 and IPv6), and connection states (e.g., `ESTABLISHED`, `LISTENING`).
- Network Configuration Retrieval: Extracts network adapter settings, DNS configuration, gateway information and, in some implementations, stored Wi-Fi credentials (SSIDs and saved passwords).
- Connection Manipulation: Enables the attacker to initiate outbound connections (for data exfiltration or pivoting), or forcibly terminate existing connections (e.g., to disrupt legitimate user sessions or free up ports).
- Network Share Enumeration: Lists accessible file shares, including open SMB (Server Message Block) shares, mapped drives, and discoverable Windows network shares.
- Lateral Movement Support: By analyzing open ports and active connections, the attacker can identify adjacent systems and potential entry points for lateral movement within the environment.
- Network Resource Transfer: Moves data or payloads over protocols such as HTTP, FTP or SSH, either by starting a server of that kind on the victim machine (so the attacker can pull data out or push tools in) or by using an HTTP client on the victim to retrieve attacker-hosted resources.
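The connection-monitoring and lateral-movement items above describe what the component collects and what an operator derives from it. The following is an added example written for this page (it is not code from DarkCoderSc's RAT or from any other project) showing the analysis side on a constructed `netstat -ano` dump: parsing it into per-process records, listing listening ports, and separating established sessions to assumed-internal ranges (pivot candidates) from sessions to external hosts (likely C2 or exfiltration). The sample netstat lines and the internal prefixes are assumptions; a real triage would use the organisation's own address plan.

```python
"""Parse `netstat -ano`-style output and summarise it the way a RAT Network
Manager (or an analyst triaging the host) would: connections per process,
listening ports, internal pivot candidates and external sessions.

Added example for this page; not code from any RAT or project.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in `netstat -ano` layout (hand-written, not captured from a host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    10.0.0.15:49710        10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.15:49722        10.0.0.21:3389         ESTABLISHED     5120
  TCP    10.0.0.15:49730        203.0.113.7:443        ESTABLISHED     6688
  TCP    10.0.0.15:49731        203.0.113.7:443        TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       880
  TCP    [fe80::1%12]:49800     [fe80::2%12]:445       ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1408
  UDP    10.0.0.15:137          *:*                                    4
"""

# Assumed enterprise address ranges; adjust to the environment being analysed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "fe80::/10")]


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: Optional[int]
    remote_host: str
    remote_port: Optional[int]
    state: str          # empty for UDP, which netstat reports without a state
    pid: int


def split_endpoint(ep: str):
    """Split 'host:port' into (host, port); handles '[v6]:port', zone ids and '*:*'."""
    host, _, port = ep.rpartition(":")
    host = host.strip("[]").split("%")[0]      # drop IPv6 brackets and '%zone'
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> list:
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                            # header, blank or banner line
        proto, local, remote = fields[0], fields[1], fields[2]
        if proto == "TCP":
            state, pid = fields[3], int(fields[4])
        else:
            state, pid = "", int(fields[3])     # UDP rows have no State column
        lh, lp = split_endpoint(local)
        rh, rp = split_endpoint(remote)
        conns.append(Conn(proto, lh, lp, rh, rp, state, pid))
    return conns


def is_internal(host: str, nets=INTERNAL_NETS) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                          # '*' wildcard and the like
        return False
    return any(addr in n for n in nets)


def by_pid(conns) -> dict:
    """Connections grouped by owning process, as the feature shows them to the operator."""
    groups = defaultdict(list)
    for c in conns:
        groups[c.pid].append(c)
    return dict(groups)


def listening_ports(conns) -> list:
    """TCP sockets in LISTENING state plus bound UDP sockets, as (proto, port)."""
    return sorted({(c.proto, c.local_port) for c in conns
                   if c.state == "LISTENING" or c.proto == "UDP"})


def pivot_candidates(conns, nets=INTERNAL_NETS) -> dict:
    """Internal hosts reached over established TCP sessions -> {(remote_port, pid)}."""
    out = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state == "ESTABLISHED" and is_internal(c.remote_host, nets):
            out[c.remote_host].add((c.remote_port, c.pid))
    return dict(out)


def external_sessions(conns, nets=INTERNAL_NETS) -> list:
    """Established TCP sessions to non-internal hosts (C2 / exfiltration suspects)."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and not is_internal(c.remote_host, nets)]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(conns))
    print("pivot candidates:", pivot_candidates(conns))
    for c in external_sessions(conns):
        print(f"external session pid={c.pid} -> {c.remote_host}:{c.remote_port}")
```

The split between "internal" and "external" is deliberately driven by an explicit prefix list rather than `ipaddress`'s `is_private`, because that flag also covers documentation and other special-purpose ranges and does not match what an operator or analyst means by "inside the network"; `TIME_WAIT` rows are ignored since they are not usable sessions.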
Categories | Disruption, Eavesdropping, Exfiltration, Lateral Movements, Credentials |
Dangerousness | High |
Existing Techniques
Name | Associated Feature(s) | Has Snippet | Matching Sample
---|---|---|---
 | Network Manager | 0 | 
 | Network Manager | 0 | 
Associated with Releases
Version | Origins | Authors | Languages | Release Date
---|---|---|---|---
 | France 🇫🇷 | DarkCoderSc | Assembly, Delphi | Jun, 2012
 | France 🇫🇷 | DarkCoderSc | Assembly, Delphi | Jun, 2012