SigmaHQ/rules/linux/lnx_system_network_discovery.yml

title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: experimental
description: Detects enumeration of local network configuration
author: remotephone, oscd.community
date: 2020/10/06
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
logsource:
    category: process_creation
    product: unix
detection:
    selection:
        ProcessName:
            - '/usr/bin/firewall-cmd'
            - '/usr/sbin/ufw'
            - '/usr/sbin/iptables'
            - '/usr/bin/netstat'
            - '/usr/bin/ss'
            - '/usr/sbin/ip'
            - '/usr/sbin/ifconfig'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.discovery
    - attack.t1016
updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 05:39:53 +00:00			`title: System Network Discovery - Linux`
updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-14 03:09:37 +00:00			`id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa`
change new lines to LF instead of CLRF 2020-10-08 04:02:03 +00:00			`status: experimental`
updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-14 03:09:37 +00:00			`description: Detects enumeration of local network configuration`
change new lines to LF instead of CLRF 2020-10-08 04:02:03 +00:00			`author: remotephone, oscd.community`
			`date: 2020/10/06`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md`
			`logsource:`
updating keywords to CommandLine\|contains and splitting rule into two 2020-10-12 03:43:28 +00:00			`category: process_creation`
change new lines to LF instead of CLRF 2020-10-08 04:02:03 +00:00			`product: unix`
			`detection:`
updating keywords to CommandLine\|contains and splitting rule into two 2020-10-12 03:43:28 +00:00			`selection:`
updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 05:39:53 +00:00			`ProcessName:`
			`- '/usr/bin/firewall-cmd'`
			`- '/usr/sbin/ufw'`
			`- '/usr/sbin/iptables'`
			`- '/usr/bin/netstat'`
			`- '/usr/bin/ss'`
			`- '/usr/sbin/ip'`
			`- '/usr/sbin/ifconfig'`
updating keywords to CommandLine\|contains and splitting rule into two 2020-10-12 03:43:28 +00:00			`condition: selection`
change new lines to LF instead of CLRF 2020-10-08 04:02:03 +00:00			`falsepositives:`
			`- Legitimate administration activities`
			`level: low`
			`tags:`
			`- attack.discovery`
updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 05:39:53 +00:00			`- attack.t1016`