MacOS Network Service Scanning
Detects enumeration of local or remote network services.
Sigma rule (View on GitHub)
1title: MacOS Network Service Scanning
2id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f
3status: test
4description: Detects enumeration of local or remote network services.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
7author: Alejandro Ortuno, oscd.community
8date: 2020-10-21
9modified: 2021-11-27
10tags:
11 - attack.discovery
12 - attack.t1046
13logsource:
14 category: process_creation
15 product: macos
16detection:
17 selection_1:
18 Image|endswith:
19 - '/nc'
20 - '/netcat'
21 selection_2:
22 Image|endswith:
23 - '/nmap'
24 - '/telnet'
25 filter:
26 CommandLine|contains: 'l'
27 condition: (selection_1 and not filter) or selection_2
28falsepositives:
29 - Legitimate administration activities
30level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Advanced IP Scanner - File Event
- Linux Network Service Scanning - Auditd
- PUA - Advanced IP Scanner Execution
- PUA - Advanced Port Scanner Execution
- PUA - Nmap/Zenmap Execution