Nmap Process Activity

calendar Apr 21, 2021 · Elastic Host Linux Threat Detection  ·
Share on: linkedin copy

Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and discover networks, and identify listening services and operating systems. It is sometimes used to gather information in support of exploitation, execution or lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3deprecation_date = "2021/04/15"
 4maturity = "deprecated"
 5updated_date = "2021/04/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and
11discover networks, and identify listening services and operating systems. It is sometimes used to gather information in
12support of exploitation, execution or lateral movement.
13"""
14false_positives = [
15    """
16    Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this
17    command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is
18    uncommon.
19    """,
20]
21from = "now-9m"
22index = ["auditbeat-*", "logs-endpoint.events.*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Nmap Process Activity"
26references = ["https://en.wikipedia.org/wiki/Nmap"]
27risk_score = 21
28rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
29severity = "low"
30tags = ["Elastic", "Host", "Linux", "Threat Detection"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.category:process and event.type:(start or process_started) and process.name:nmap
36'''

References

  • Nmap - Wikipedia

    Not to be confused with mmap. Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich).[5] Nmap is used to discover hosts and services on a c...


    Read More

Related rules

to-top