PUA - Nmap/Zenmap Execution
Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
Sigma rule (View on GitHub)
1title: PUA - Nmap/Zenmap Execution
2id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
3status: test
4description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
5references:
6 - https://nmap.org/
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
8author: frack113
9date: 2021/12/10
10modified: 2023/12/11
11tags:
12 - attack.discovery
13 - attack.t1046
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 - Image|endswith:
20 - '\nmap.exe'
21 - '\zennmap.exe'
22 - OriginalFileName:
23 - 'nmap.exe'
24 - 'zennmap.exe'
25 condition: selection
26falsepositives:
27 - Legitimate administrator activity
28level: medium
References
-
Nmap Free Security Scanner, Port Scanner, & Network Exploration Tool. Download open source software for Linux, Windows, UNIX, FreeBSD, etc.
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- HackTool - WinPwn Execution
- HackTool - WinPwn Execution - ScriptBlock
- Linux Network Service Scanning Tools Execution
- Linux Network Service Scanning - Auditd
- Network Scans Count By Destination IP