Unusual Linux Network Configuration Discovery
Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/27"

[rule]
anomaly_threshold = 25
author = ["Elastic"]
description = """
Looks for commands related to system network configuration discovery from an unusual user context. This can be due to
uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor
to engage in system network configuration discovery in order to increase their understanding of connected networks and
hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
"""
false_positives = [
    """
    Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual
    troubleshooting or reconfiguration.
    """,
]
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
name = "Unusual Linux Network Configuration Discovery"
risk_score = 21
rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
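A simplified illustration of the "unusual user context" idea, added here and not part of Elastic's rule or ML job: it baselines which users normally run network-configuration commands and flags events from users who rarely or never do. The command list, the scoring formula and the sample events are assumptions made for this example; only the threshold of 25 comes from the rule.

```python
from collections import Counter

# Assumed command list for illustration; the job's real datafeed query is not on this page.
NETCONF_COMMANDS = {"arp", "ifconfig", "ip", "netstat", "route", "iptables"}
ANOMALY_THRESHOLD = 25  # anomaly_threshold from the rule

def build_baseline(history):
    """Count, per user, how often network-configuration commands were run."""
    return Counter(e["user"] for e in history if e["process"] in NETCONF_COMMANDS)

def rarity_score(user, baseline):
    """Toy 0-100 score (assumed formula): 100 for a never-seen user, decaying with prior use."""
    return 100.0 / (1 + baseline[user])

def detect(history, window, threshold=ANOMALY_THRESHOLD):
    """Return (user, process, score) for window events run from an unusual user context."""
    baseline = build_baseline(history)
    alerts = []
    for e in window:
        if e["process"] not in NETCONF_COMMANDS:
            continue  # only network-configuration discovery commands are in scope
        s = rarity_score(e["user"], baseline)
        if s >= threshold:
            alerts.append((e["user"], e["process"], round(s, 1)))
    return alerts

# Constructed sample events (not real telemetry).
HISTORY = (
    [{"user": "alice", "process": "ip"}] * 12        # admin who troubleshoots often
    + [{"user": "alice", "process": "netstat"}] * 5
    + [{"user": "deploy", "process": "ifconfig"}] * 4
    + [{"user": "www-data", "process": "php-fpm"}] * 30  # service account, no discovery history
)
WINDOW = [
    {"user": "alice", "process": "ip"},
    {"user": "www-data", "process": "ifconfig"},
    {"user": "www-data", "process": "route"},
    {"user": "deploy", "process": "arp"},
    {"user": "www-data", "process": "php-fpm"},
]

if __name__ == "__main__":
    for user, process, s in detect(HISTORY, WINDOW):
        print(f"unusual user context: {user} ran {process} (score {s})")
```

The service account is flagged because it has no history of running these commands, while the administrator's routine use stays below the threshold; this mirrors the false-positive note in the rule about engineers doing manual troubleshooting.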
Related rules
- Unusual Linux Network Connection Discovery
- Unusual Linux Process Discovery Activity
- Unusual Linux System Information Discovery Activity
- Unusual Linux User Discovery Activity
- Anomalous Linux Compiler Activity