PUA - Nmap/Zenmap Execution

 1title: PUA - Nmap/Zenmap Execution
 2id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
 3status: test
 4description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
 5references:
 6    - https://nmap.org/
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
 8author: frack113
 9date: 2021-12-10
10modified: 2023-12-11
11tags:
12    - attack.discovery
13    - attack.t1046
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        - Image|endswith:
20              - '\nmap.exe'
21              - '\zennmap.exe'
22        - OriginalFileName:
23              - 'nmap.exe'
24              - 'zennmap.exe'
25    condition: selection
26falsepositives:
27    - Legitimate administrator activity
28level: medium

References

• Nmap: the Network Mapper - Free Security Scanner

  Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool. Download open source software for Linux, Windows, UNIX, FreeBSD, etc.

  
  Read More

• atomic-red-team/atomics/T1046/T1046.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• Advanced IP Scanner - File Event
• Linux Network Service Scanning - Auditd
• MacOS Network Service Scanning
• PUA - Advanced IP Scanner Execution
• PUA - Advanced Port Scanner Execution