Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Sigma rule
```yaml
title: Suspicious Network Command
id: a29c1813-ab1f-4dde-b489-330b952e91ae
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2022-04-11
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ipconfig /all'
            - 'netsh interface show interface'
            - 'arp -a'
            - 'nbtstat -n'
            - 'net config'
            - 'route print'
    condition: selection
falsepositives:
    - Administrator, hotline ask to user
level: low
```
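As an added illustration (not part of the rule or of the SigmaHQ project), the following Python evaluator applies this rule's `CommandLine|contains` selection to constructed process-creation events, reproducing Sigma's case-insensitive substring semantics; the JSON field names (EventID, Computer, Image, CommandLine) are an assumed Sysmon-style export layout, and the events are constructed samples, not real telemetry.

```python
import json
from typing import Optional

# The six substrings from the rule's CommandLine|contains selection.
NETWORK_DISCOVERY_PATTERNS = [
    "ipconfig /all",
    "netsh interface show interface",
    "arp -a",
    "nbtstat -n",
    "net config",
    "route print",
]


def match_command_line(command_line: str) -> Optional[str]:
    """Return the first pattern that fires, or None.

    Sigma string matching is case-insensitive and `contains` is a plain
    substring test, so only these exact spellings match (e.g. 'ipconfig
    /release' does not); that is the rule's coverage, not this evaluator's.
    """
    haystack = command_line.lower()
    for pattern in NETWORK_DISCOVERY_PATTERNS:
        if pattern.lower() in haystack:
            return pattern
    return None


def scan_events(jsonl: str) -> list[dict]:
    """Evaluate the selection over newline-delimited JSON events."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:  # assumed Sysmon process_creation ID
            continue
        pattern = match_command_line(event.get("CommandLine", ""))
        if pattern:
            hits.append({"host": event["Computer"], "image": event["Image"], "pattern": pattern})
    return hits


# Constructed sample events (assumed Sysmon-style JSON export, not real data).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "IPCONFIG /ALL"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c arp -a & route print"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /release"},
    {"EventID": 3, "Computer": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "route print"},
])

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Because the rule is `level: low` and matches routine administrative commands, a practitioner would normally correlate several hits from one host in a short window rather than alert on a single match.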
Related rules
- Cisco Discovery
- Nltest.EXE Execution
- OpenCanary - SNMP OID Request
- Potential Recon Activity Via Nltest.EXE
- Suspicious Network Connection to IP Lookup Service APIs