Linux Network Service Scanning - Auditd

Detects enumeration of local or remote network services.

Sigma rule

title: Linux Network Service Scanning - Auditd
id: 3761e026-f259-44e6-8826-719ed8079408
related:
    - id: 3e102cd9-a70d-4a7a-9508-403963092f31
      type: derived
status: test
description: Detects enumeration of local or remote network services.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
author: Alejandro Ortuno, oscd.community
date: 2020/10/21
modified: 2023/09/26
tags:
    - attack.discovery
    - attack.t1046
logsource:
    product: linux
    service: auditd
    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low

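To show what the selection above actually matches, here is an added example (not part of the rule or of the SigmaHQ project) that parses raw auditd records and evaluates the three conditions: record type SYSCALL, exe ending in one of the listed names, and the audit key network_connect_4. The log lines are constructed for the example; field values such as pids and timestamps are made up, and the exe list and key are taken from the rule. Sigma string matching is case-insensitive by default, which the check reproduces.

```python
import re
from typing import Dict, List

# Constructed auditd records (not from the page). Two should match the rule,
# the SOCKADDR record is a different type, curl is not in the exe list, and
# the last nc record was tagged by a different audit key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1603274511.101:901): arch=c000003e syscall=42 success=yes exit=0 a0=3 items=0 ppid=2011 pid=2044 auid=1000 uid=1000 comm="nmap" exe="/usr/bin/nmap" key="network_connect_4"
type=SOCKADDR msg=audit(1603274511.101:901): saddr=02000050C0A80001
type=SYSCALL msg=audit(1603274512.204:902): arch=c000003e syscall=42 success=yes exit=0 a0=4 items=0 ppid=2011 pid=2051 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc.openbsd" key="network_connect_4"
type=SYSCALL msg=audit(1603274513.310:903): arch=c000003e syscall=42 success=yes exit=0 a0=5 items=0 ppid=1 pid=2060 auid=4294967295 uid=0 comm="curl" exe="/usr/bin/curl" key="network_connect_4"
type=SYSCALL msg=audit(1603274514.420:904): arch=c000003e syscall=59 success=yes exit=0 a0=5 items=2 ppid=2011 pid=2071 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="exec_rule"
"""

# auditd writes space-separated key=value pairs; string values are double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# The exe|endswith list from the rule's selection.
EXE_SUFFIXES = ('/telnet', '/nmap', '/netcat', '/nc', '/ncat', '/nc.openbsd')
AUDIT_KEY = 'network_connect_4'


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one raw auditd record into a field dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def matches_rule(rec: Dict[str, str]) -> bool:
    """Evaluate the rule's selection: type AND exe|endswith AND key must all hold."""
    if rec.get('type') != 'SYSCALL':
        return False
    if rec.get('key') != AUDIT_KEY:
        return False
    # Sigma compares strings case-insensitively unless a modifier says otherwise.
    exe = rec.get('exe', '').lower()
    return exe.endswith(EXE_SUFFIXES)


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records from log_text that trigger the rule."""
    records = (parse_audit_record(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if matches_rule(r)]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"hit: pid={hit['pid']} auid={hit['auid']} exe={hit['exe']}")
```

The auid field surviving in each hit is what an analyst would use to triage the rule's stated false positive, legitimate administration activity, by checking which login session launched the tool.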