Description
Network Manager is a feature found only in the most sophisticated Remote Access Trojans (RATs) and Command and Control (C2) frameworks. This component gives attackers granular visibility into, and control over, the network stack of a compromised host. Its capabilities extend far beyond simple reconnaissance and play a pivotal role in several phases of the attack lifecycle, including discovery, lateral movement, and data exfiltration.
At a high level, the Network Manager feature typically offers the following capabilities:
- Active Connection Monitoring: Enumerates all active network connections along with their associated processes. This includes remote IP addresses, ports, protocols (TCP/UDP over IPv4 and IPv6), and connection states (e.g., `ESTABLISHED`, `LISTENING`).
- Network Configuration Retrieval: Extracts network adapter settings, DNS configuration, gateway information, and in some cases stored credentials for Wi-Fi networks, including SSIDs and saved passwords.
- Connection Manipulation: Lets the attacker initiate outbound connections (for data exfiltration or pivoting) or forcibly terminate existing connections (e.g., to disrupt legitimate user sessions or free up ports).
- Network Share Enumeration: Lists accessible file shares, including open SMB (Server Message Block) shares, mapped drives, and discoverable Windows network shares.
- Lateral Movement Support: By analyzing open ports and active connections, the attacker can identify adjacent systems and potential entry points for lateral movement within the environment.
- Network Resource Transfer: Uses alternative network protocols such as HTTP to exfiltrate data or fetch payloads, including standing up an HTTP, FTP or SSH server on the victim machine or leveraging an HTTP client to retrieve attacker-hosted resources.
- Packet Sniffing: Captures and analyzes live network traffic passing through the compromised system, allowing attackers to extract sensitive data (such as credentials or confidential documents), monitor user activity, and so on.
- Port Redirection / Proxy: Channels network traffic between local or remote ports, enabling attackers to bypass firewalls, mask their true origin by using the compromised host as a proxy, and gain deeper access into the network by rerouting traffic to internal targets.
- Port Scanning: Probes internal or external systems to identify open ports and exposed services, providing reconnaissance for further exploitation.
Categories | Credentials, Lateral Movements, Exfiltration, Eavesdropping, Disruption |
---|---|
Dangerousness | High |
Existing Techniques
Name | Associated Feature(s) | Has Snippet | Matching Sample |
---|---|---|---|
 | File Manager, Network Manager | 0 | |
 | Network Manager | 0 | |