Linux Network Service Scanning - Auditd
Detects enumeration of local or remote network services.
Sigma rule
title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-21
modified: 2023-09-26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
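To see what the selection above actually fires on, and what it silently misses, here is the rule's logic applied to a handful of constructed auditd SYSCALL records. This is an added illustration, not code from the Sigma project or the rule author. It assumes, from the logsource definition, that the referenced audit.rules lines attach the key network_connect_4 to connect() calls with a 16-byte (IPv4) sockaddr and network_connect_6 to the 28-byte (IPv6) form; the pids, timestamps and paths in the sample records are hypothetical.

```python
import re

# The Sigma selection from the rule above: SYSCALL records whose exe ends with one
# of these suffixes and whose audit key is network_connect_4. Sigma string matching
# is case-insensitive by default, so values are compared lowercased.
EXE_SUFFIXES = ("/telnet", "/nmap", "/netcat", "/nc", "/ncat", "/nc.openbsd")
AUDIT_KEY = "network_connect_4"

# Constructed auditd records for illustration (not captured logs). syscall=42 is
# connect() on x86_64; auditd prints syscall args in hex, so a2=10 is a 16-byte
# sockaddr_in (IPv4) and a2=1c a 28-byte sockaddr_in6 (IPv6). The referenced audit
# rules are assumed to key those as network_connect_4 / network_connect_6.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1695718392.101:201): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a1b20 a2=10 a3=0 items=0 ppid=1401 pid=1455 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="nc" exe="/usr/bin/nc.openbsd" key="network_connect_4"
type=SYSCALL msg=audit(1695718392.102:202): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a1b20 a2=10 a3=0 items=0 ppid=1401 pid=1460 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="network_connect_4"
type=SYSCALL msg=audit(1695718392.103:203): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd1c2a1c40 a2=1c a3=0 items=0 ppid=1401 pid=1471 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="nmap" exe="/usr/bin/nmap" key="network_connect_6"
type=SYSCALL msg=audit(1695718392.104:204): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a1b20 a2=10 a3=0 items=0 ppid=1401 pid=1488 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="nc" exe="/bin/busybox" key="network_connect_4"
type=SYSCALL msg=audit(1695718392.105:205): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a1b20 a2=10 a3=0 items=0 ppid=1401 pid=1492 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="nc" exe="/bin/nc.traditional" key="network_connect_4"
type=SYSCALL msg=audit(1695718392.106:206): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2a1b20 a2=10 a3=0 items=0 ppid=1401 pid=1497 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="scan" exe="/tmp/scan" key="network_connect_4"
type=EXECVE msg=audit(1695718392.107:207): argc=4 a0="nc" a1="-zv" a2="10.0.0.5" a3="22"
type=PROCTITLE msg=audit(1695718392.107:207): proctitle=6E63002D7A760031302E302E302E35003232
"""

# name=value pairs; values are either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Turn one auditd record into a {field: value} dict, stripping surrounding quotes."""
    rec = {}
    for name, value in _FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        rec[name] = value
    return rec


def matches_rule(rec: dict) -> bool:
    """Apply the Sigma selection: type, exe suffix and audit key must all match."""
    if rec.get("type", "").lower() != "syscall":
        return False
    exe = rec.get("exe", "").lower()
    if not exe.endswith(EXE_SUFFIXES):
        return False
    return rec.get("key", "").lower() == AUDIT_KEY


def scan_audit_log(text: str) -> list:
    """Return (pid, exe, comm) for every record in the log that satisfies the rule."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        if matches_rule(rec):
            hits.append((rec.get("pid"), rec.get("exe"), rec.get("comm")))
    return hits


if __name__ == "__main__":
    for pid, exe, comm in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"ALERT T1046 network service scanning: pid={pid} exe={exe} comm={comm}")
```

Run against the sample, only the nc.openbsd connect (pid 1455) alerts. The misses are the ones to tune for: the rule keys on `exe`, the path of the binary the kernel actually executed, so BusyBox's `nc` applet (exe is /bin/busybox), a copied or renamed scanner (/tmp/scan), and Debian's nc.traditional alternative (the suffix is `.traditional`, not `/nc`) all pass through, as does a scan of IPv6 targets carried under the network_connect_6 key. Probes sent over raw sockets never reach connect() at all, so, if the key is attached to connect() as assumed, they produce no keyed record. Conversely `comm` is not consulted, which is why the last two lines above (EXECVE and PROCTITLE from the same event) are ignored even though they carry the `nc -zv 10.0.0.5 22` command line; a companion rule on EXECVE or PROCTITLE is the usual way to cover the renamed-binary case.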
Related rules
- Advanced IP Scanner - File Event
- MacOS Network Service Scanning
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- PUA - Nmap/Zenmap Execution