Unusual Linux Network Configuration Discovery
Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/03"
3integration = ["auditd_manager", "endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8anomaly_threshold = 25
9author = ["Elastic"]
10description = """
11Looks for commands related to system network configuration discovery from an unusual user context. This can be due to
12uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor
13to engage in system network configuration discovery in order to increase their understanding of connected networks and
14hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.
15"""
16false_positives = [
17 """
18 Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual
19 troubleshooting or reconfiguration.
20 """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_linux_network_configuration_discovery"]
26name = "Unusual Linux Network Configuration Discovery"
27setup = """## Setup
28
29This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
30- Elastic Defend
31- Auditd Manager
32
33### Anomaly Detection Setup
34
35Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
36
37### Elastic Defend Integration Setup
38Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
39
40#### Prerequisite Requirements:
41- Fleet is required for Elastic Defend.
42- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
43
44#### The following steps should be executed in order to add the Elastic Defend integration to your system:
45- Go to the Kibana home page and click "Add integrations".
46- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
47- Click "Add Elastic Defend".
48- Configure the integration name and optionally add a description.
49- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
50- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
51- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
52- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
53For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
54- Click "Save and Continue".
55- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
56For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
57
58### Auditd Manager Integration Setup
59The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
60Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
61
62#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
63- Go to the Kibana home page and click “Add integrations”.
64- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
65- Click “Add Auditd Manager”.
66- Configure the integration name and optionally add a description.
67- Review optional and advanced settings accordingly.
68- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
69- Click “Save and Continue”.
70- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
71
72#### Rule Specific Setup Note
73Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
74However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
75- For this detection rule no additional audit rules are required.
76"""
77risk_score = 21
78rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
79severity = "low"
80tags = [
81 "Domain: Endpoint",
82 "OS: Linux",
83 "Use Case: Threat Detection",
84 "Rule Type: ML",
85 "Rule Type: Machine Learning",
86 "Tactic: Discovery",
87 "Resources: Investigation Guide",
88]
89type = "machine_learning"
90note = """## Triage and analysis
91
92> **Disclaimer**:
93> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
94
95### Investigating Unusual Linux Network Configuration Discovery
96
97In Linux environments, network configuration tools are essential for managing and troubleshooting network settings. Adversaries may exploit these tools to gather network details, aiding in lateral movement or further reconnaissance. The detection rule leverages machine learning to identify atypical usage patterns of network commands by unexpected users, signaling potential account compromise or unauthorized network probing.
98
99### Possible investigation steps
100
101- Review the alert details to identify the specific network configuration commands executed and the user account involved. Focus on commands that are typically used for network discovery, such as `ifconfig`, `ip`, `netstat`, or `route`.
102- Check the user's login history and session details to determine if the account activity aligns with the user's normal behavior or if there are signs of unauthorized access, such as logins from unusual IP addresses or at odd times.
103- Investigate the user's role and responsibilities to assess whether they have a legitimate reason to perform network configuration discovery. This can help determine if the activity is expected or suspicious.
104- Examine recent changes in user permissions or group memberships that might have allowed the execution of network configuration commands by an unexpected user.
105- Correlate the alert with other security events or logs, such as authentication logs, to identify any related suspicious activities, such as failed login attempts or privilege escalation attempts.
106- If the account is suspected to be compromised, initiate a password reset and review the system for any signs of further compromise or malicious activity, such as unauthorized software installations or data exfiltration attempts.
107
108### False positive analysis
109
110- Routine administrative tasks by system administrators may trigger the rule. To manage this, create exceptions for known admin accounts performing regular network configuration checks.
111- Automated scripts or cron jobs that perform network diagnostics can be mistaken for unusual activity. Identify and whitelist these scripts to prevent false alerts.
112- Network monitoring tools running under specific service accounts might be flagged. Ensure these service accounts are documented and excluded from the rule.
113- Developers or IT staff conducting legitimate troubleshooting in non-production environments may cause alerts. Establish a process to temporarily exclude these users during known maintenance windows.
114- New employees or contractors performing onboarding tasks might trigger the rule. Implement a review process to quickly assess and exclude these cases if they are verified as non-threatening.
115
116### Response and remediation
117
118- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
119- Terminate any suspicious processes or sessions initiated by the unusual user to halt ongoing reconnaissance activities.
120- Conduct a thorough review of the affected user's account for signs of compromise, such as unauthorized access attempts or changes in user privileges.
121- Reset the credentials of the compromised account and enforce multi-factor authentication to prevent future unauthorized access.
122- Analyze network logs and system activity to identify any additional systems that may have been accessed or probed by the adversary.
123- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
124- Update detection mechanisms to include newly identified indicators of compromise (IOCs) and enhance monitoring for similar unusual network configuration discovery activities."""
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1016"
129name = "System Network Configuration Discovery"
130reference = "https://attack.mitre.org/techniques/T1016/"
131
132
133[rule.threat.tactic]
134id = "TA0007"
135name = "Discovery"
136reference = "https://attack.mitre.org/tactics/TA0007/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unusual Linux Network Configuration Discovery
In Linux environments, network configuration tools are essential for managing and troubleshooting network settings. Adversaries may exploit these tools to gather network details, aiding in lateral movement or further reconnaissance. The detection rule leverages machine learning to identify atypical usage patterns of network commands by unexpected users, signaling potential account compromise or unauthorized network probing.
Possible investigation steps
- Review the alert details to identify the specific network configuration commands executed and the user account involved. Focus on commands that are typically used for network discovery, such as
ifconfig
,ip
,netstat
, orroute
. - Check the user's login history and session details to determine if the account activity aligns with the user's normal behavior or if there are signs of unauthorized access, such as logins from unusual IP addresses or at odd times.
- Investigate the user's role and responsibilities to assess whether they have a legitimate reason to perform network configuration discovery. This can help determine if the activity is expected or suspicious.
- Examine recent changes in user permissions or group memberships that might have allowed the execution of network configuration commands by an unexpected user.
- Correlate the alert with other security events or logs, such as authentication logs, to identify any related suspicious activities, such as failed login attempts or privilege escalation attempts.
- If the account is suspected to be compromised, initiate a password reset and review the system for any signs of further compromise or malicious activity, such as unauthorized software installations or data exfiltration attempts.
False positive analysis
- Routine administrative tasks by system administrators may trigger the rule. To manage this, create exceptions for known admin accounts performing regular network configuration checks.
- Automated scripts or cron jobs that perform network diagnostics can be mistaken for unusual activity. Identify and whitelist these scripts to prevent false alerts.
- Network monitoring tools running under specific service accounts might be flagged. Ensure these service accounts are documented and excluded from the rule.
- Developers or IT staff conducting legitimate troubleshooting in non-production environments may cause alerts. Establish a process to temporarily exclude these users during known maintenance windows.
- New employees or contractors performing onboarding tasks might trigger the rule. Implement a review process to quickly assess and exclude these cases if they are verified as non-threatening.
Response and remediation
- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes or sessions initiated by the unusual user to halt ongoing reconnaissance activities.
- Conduct a thorough review of the affected user's account for signs of compromise, such as unauthorized access attempts or changes in user privileges.
- Reset the credentials of the compromised account and enforce multi-factor authentication to prevent future unauthorized access.
- Analyze network logs and system activity to identify any additional systems that may have been accessed or probed by the adversary.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional containment measures are necessary.
- Update detection mechanisms to include newly identified indicators of compromise (IOCs) and enhance monitoring for similar unusual network configuration discovery activities.
Related rules
- Unusual Linux Network Connection Discovery
- Unusual Linux Process Discovery Activity
- Unusual Linux System Information Discovery Activity
- Unusual Linux User Discovery Activity
- Anomalous Linux Compiler Activity