rules/linux/lnx_network_service_scanning.yml

action: global
title: Linux Network Service Scanning
status: experimental
description: Detects enumeration of local or remote network services.
author: Alejandro Ortuno, oscd.community
date: 2020/10/21
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
falsepositives:
  - Legitimate administration activities
level: low
tags:
  - attack.discovery
  - attack.t1046
---
id: 3e102cd9-a70d-4a7a-9508-403963092f31
logsource:
  category: process_creation
  product: linux
  definition: 'Detect netcat and filter our listening mode'
detection:
  netcat:
    Image|endswith:
      - '/nc'
      - '/netcat'
  network_scanning_tools:
    Image|endswith:
      - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
      - '/nmap'
  netcat_listen_flag:
    CommandLine|contains: 'l'
  condition: (netcat and not netcat_listen_flag) or network_scanning_tools
---
id: 3761e026-f259-44e6-8826-719ed8079408
logsource:
  product: linux
  service: auditd
  definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'
detection:
  selection:
    type: 'SYSCALL'
    exe|endswith:
      - '/telnet'
      - '/nmap'
      - '/netcat'
      - '/nc'
    key: 'network_connect_4'
  condition: selection
make it global rule 2020-11-06 09:56:49 +01:00			`action: global`
Sigma rules for network service scanning. 2020-10-21 09:41:40 +02:00			`title: Linux Network Service Scanning`
			`status: experimental`
			`description: Detects enumeration of local or remote network services.`
			`author: Alejandro Ortuno, oscd.community`
			`date: 2020/10/21`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md`
make it global rule 2020-11-06 09:56:49 +01:00			`falsepositives:`
			`- Legitimate administration activities`
Filter out listening mode on nc 2020-11-09 10:32:56 +01:00			`level: low`
make it global rule 2020-11-06 09:56:49 +01:00			`tags:`
			`- attack.discovery`
			`- attack.t1046`
			`---`
$frack113$ Update global ID 2021-09-02 20:07:03 +02:00			`id: 3e102cd9-a70d-4a7a-9508-403963092f31`
Sigma rules for network service scanning. 2020-10-21 09:41:40 +02:00			`logsource:`
			`category: process_creation`
Fix product 2020-10-21 10:13:28 +02:00			`product: linux`
Filter out listening mode on nc 2020-11-09 10:32:56 +01:00			`definition: 'Detect netcat and filter our listening mode'`
Sigma rules for network service scanning. 2020-10-21 09:41:40 +02:00			`detection:`
Update lnx_network_service_scanning.yml 2020-11-16 01:00:09 +01:00			`netcat:`
Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00			`Image\|endswith:`
Sigma rules for network service scanning. 2020-10-21 09:41:40 +02:00			`- '/nc'`
make it global rule 2020-11-06 09:56:49 +01:00			`- '/netcat'`
Update lnx_network_service_scanning.yml 2020-11-16 01:00:09 +01:00			`network_scanning_tools:`
Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00			`Image\|endswith:`
Update lnx_network_service_scanning.yml 2020-11-16 01:00:09 +01:00			`- '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning`
			`- '/nmap'`
			`netcat_listen_flag:`
Filter out listening mode on nc 2020-11-09 10:32:56 +01:00			`CommandLine\|contains: 'l'`
Update lnx_network_service_scanning.yml 2020-11-16 01:00:09 +01:00			`condition: (netcat and not netcat_listen_flag) or network_scanning_tools`
make it global rule 2020-11-06 09:56:49 +01:00			`---`
$frack113$ Update global ID 2021-09-02 20:07:03 +02:00			`id: 3761e026-f259-44e6-8826-719ed8079408`
make it global rule 2020-11-06 09:56:49 +01:00			`logsource:`
			`product: linux`
			`service: auditd`
			`definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'`
			`detection:`
			`selection:`
			`type: 'SYSCALL'`
			`exe\|endswith:`
			`- '/telnet'`
			`- '/nmap'`
Update lnx_network_service_scanning.yml 2020-11-16 01:00:09 +01:00			`- '/netcat'`
			`- '/nc'`
make it global rule 2020-11-06 09:56:49 +01:00			`key: 'network_connect_4'`
Fix rule indent 2020-11-02 22:57:01 +01:00			`condition: selection`