Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Sigma rule:

```yaml
title: Suspicious Scan Loop Network
id: f8ad2e2c-40b6-4117-84d7-20b89896ab23
status: test
description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
  - https://ss64.com/nt/for.html
  - https://ss64.com/ps/foreach-object.html
author: frack113
date: 2022-03-12
tags:
  - attack.execution
  - attack.t1059
  - attack.discovery
  - attack.t1018
logsource:
  category: process_creation
  product: windows
detection:
  selection_loop:
    CommandLine|contains:
      - 'for '
      - 'foreach '
  selection_tools:
    CommandLine|contains:
      - 'nslookup'
      - 'ping'
  condition: all of selection_*
falsepositives:
  - Legitimate script
level: medium
```
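To see what the detection block above actually selects, here is the rule's logic evaluated in Python over a handful of constructed process_creation events. This is an added example, not code from the Sigma project; it assumes Sigma's default case-insensitive `|contains` matching and that events carry a `CommandLine` field.

```python
# Added example (not from the Sigma project): the rule's detection block
# evaluated in Python over constructed process_creation events.
SELECTION_LOOP = ["for ", "foreach "]        # selection_loop, CommandLine|contains
SELECTION_TOOLS = ["nslookup", "ping"]       # selection_tools, CommandLine|contains


def contains_any(value: str, needles: list[str]) -> bool:
    """Sigma's |contains is case-insensitive by default, so compare in lower case."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hit."""
    cmd = event.get("CommandLine", "")
    return contains_any(cmd, SELECTION_LOOP) and contains_any(cmd, SELECTION_TOOLS)


def triage(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; none is real telemetry.
SAMPLE_EVENTS = [
    # cmd.exe ping sweep: 'for ' and 'ping' both present -> fires
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c for /L %i in (1,1,254) do ping -n 1 10.0.0.%i"},
    # PowerShell foreach with nslookup -> fires (case-insensitive match)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"foreach ($i in 1..254) { nslookup 10.0.0.$i }\""},
    # Single ping, no loop keyword -> only selection_tools hits, does not fire
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 4 10.0.0.1"},
    # Loop without nslookup/ping -> only selection_loop hits, does not fire
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c for %f in (*.log) do type %f"},
    # ForEach-Object pipeline: the literal 'foreach ' (with trailing space) does
    # not occur in 'ForEach-Object', so this variant is not covered by the rule
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"1..254 | ForEach-Object { ping -n 1 10.0.0.$_ }\""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The last sample shows why the rule carries the "Legitimate script" false-positive note and why it should be tuned per environment: the loop keywords are broad, yet common aliases such as `ForEach-Object` fall outside the literals as written.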
Related rules
- Hacktool Ruler
- Turla Group Lateral Movement
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Abusable DLL Potential Sideloading From Suspicious Location