rules/linux/lnx_system_network_discovery.yml

title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: experimental
description: Detects enumeration of local network configuration
author: Ömer Günal and remotephone, oscd.community
date: 2020/10/06
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
logsource:
    category: process_creation
    product: linux
detection:
    selection1:
        Image|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
            - '/netstat'
            - '/ss'
            - '/ip'
            - '/ifconfig'
            - '/systemd-resolve'
            - '/route'
    selection2:
        CommandLine|contains: '/etc/resolv.conf'
    condition: selection1 or selection2
falsepositives:
    - Legitimate administration activities
level: informational
tags:
    - attack.discovery
    - attack.t1016
updating files to cover broader network discovery logic, renaming alert, adding recommended changes 2020-10-13 00:39:53 -05:00			`title: System Network Discovery - Linux`
updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-13 22:09:37 -05:00			`id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa`
change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00			`status: experimental`
updating to select commandline arguments correctly for macos rule, and cleaning up description across both rules 2020-10-13 22:09:37 -05:00			`description: Detects enumeration of local network configuration`
Updated author section 2020-10-16 22:02:58 -05:00			`author: Ömer Günal and remotephone, oscd.community`
change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00			`date: 2020/10/06`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md`
			`logsource:`
updating keywords to CommandLine\|contains and splitting rule into two 2020-10-11 22:43:28 -05:00			`category: process_creation`
Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00			`product: linux`
change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00			`detection:`
Merge changes from pull 1084 with this one 2020-10-16 22:01:44 -05:00			`selection1:`
Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00			`Image\|endswith:`
Update to handle different file locations 2020-10-16 21:54:41 -05:00			`- '/firewall-cmd'`
			`- '/ufw'`
			`- '/iptables'`
			`- '/netstat'`
			`- '/ss'`
			`- '/ip'`
			`- '/ifconfig'`
Merge changes from pull 1084 with this one 2020-10-16 22:01:44 -05:00			`- '/systemd-resolve'`
			`- '/route'`
			`selection2:`
			`CommandLine\|contains: '/etc/resolv.conf'`
			`condition: selection1 or selection2`
change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00			`falsepositives:`
			`- Legitimate administration activities`
Fixes and improvements 2021-04-03 00:00:43 +02:00			`level: informational`
change new lines to LF instead of CLRF 2020-10-07 23:02:03 -05:00			`tags:`
			`- attack.discovery`
adding new line at end of file 2020-10-13 22:44:02 -05:00			`- attack.t1016`