Merge pull request #1260 from alejandroortuno/remote-system-discovery

[OSCD] Remote System Discovery
2020-12-21 18:32:08 +01:00
parent 64197d0dec 000c038ede
commit 7954684fbf
2 changed files with 93 additions and 0 deletions
@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: linux
+detection:
+  selection_1:
+    ProcessName|endswith: '/arp'
+    CommandLine|contains: '-a'
+  selection_2:
+    ProcessName|endswith: '/ping'
+    CommandLine|contains:
+      - ' 10.' #10.0.0.0/8
+      - ' 192.168.' #192.168.0.0/16
+      - ' 172.16.' #172.16.0.0/12
+      - ' 172.17.'
+      - ' 172.18.'
+      - ' 172.19.'
+      - ' 172.20.'
+      - ' 172.21.'
+      - ' 172.22.'
+      - ' 172.23.'
+      - ' 172.24.'
+      - ' 172.25.'
+      - ' 172.26.'
+      - ' 172.27.'
+      - ' 172.28.'
+      - ' 172.29.'
+      - ' 172.30.'
+      - ' 172.31.'
+      - ' 127.' #127.0.0.0/8
+      - ' 169.254.' #169.254.0.0/16
+  condition: 1 of them
+falsepositives:
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1018
@@ -0,0 +1,48 @@
+title: Macos Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  selection_1:
+    ProcessName|endswith:
+      - '/arp'
+    CommandLine|contains:
+      - '-a'
+  selection_2:
+    ProcessName|endswith:
+      - '/ping'
+    CommandLine|contains:
+      - ' 10.' #10.0.0.0/8
+      - ' 192.168.' #192.168.0.0/16
+      - ' 172.16.' #172.16.0.0/12
+      - ' 172.17.'
+      - ' 172.18.'
+      - ' 172.19.'
+      - ' 172.20.'
+      - ' 172.21.'
+      - ' 172.22.'
+      - ' 172.23.'
+      - ' 172.24.'
+      - ' 172.25.'
+      - ' 172.26.'
+      - ' 172.27.'
+      - ' 172.28.'
+      - ' 172.29.'
+      - ' 172.30.'
+      - ' 172.31.'
+      - ' 127.' #127.0.0.0/8
+      - ' 169.254.' #169.254.0.0/16
+  condition: 1 of them
+falsepositives: 
+  - Legitimate administration activities
+level: low
+tags:
+  - attack.discovery
+  - attack.t1018