Linux Network Service Scanning Tools Execution

Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.

Sigma rule (View on GitHub)

 1title: Linux Network Service Scanning Tools Execution
 2id: 3e102cd9-a70d-4a7a-9508-403963092f31
 3status: test
 4description: Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 7    - https://github.com/projectdiscovery/naabu
 8    - https://github.com/Tib3rius/AutoRecon
 9author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
10date: 2020-10-21
11modified: 2024-09-19
12tags:
13    - attack.discovery
14    - attack.t1046
15logsource:
16    category: process_creation
17    product: linux
18detection:
19    selection_netcat:
20        Image|endswith:
21            - '/nc'
22            - '/ncat'
23            - '/netcat'
24            - '/socat'
25    selection_network_scanning_tools:
26        Image|endswith:
27            - '/autorecon'
28            - '/hping'
29            - '/hping2'
30            - '/hping3'
31            - '/naabu'
32            - '/nmap'
33            - '/nping'
34            - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
35            - '/zenmap'
36    filter_main_netcat_listen_flag:
37        CommandLine|contains:
38            - ' --listen '
39            - ' -l '
40    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
41falsepositives:
42    - Legitimate administration activities
43level: low

References

Related rules

to-top