updating files to cover broader network discovery logic, renaming alert, adding recommended changes

2020-10-13 00:39:53 -05:00
parent 781c7ce6dc
commit a85c19db17
3 changed files with 40 additions and 34 deletions
@@ -1,4 +1,4 @@
-title: System Network Discovery - Firewall Enumeration
+title: System Network Discovery - Linux
 id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
 status: experimental
 description: Detects enumeration of firewall configuration
@@ -11,18 +11,18 @@ logsource:
    product: unix
 detection:
    selection:
-        CommandLine|contains:
-            # Linux Only
-            - 'arp -a'
-            - 'ip'
-            - 'ss'
-            # macOS and Linux
-            - 'netstat'
-            - 'ifconfig'
+        ProcessName:
+            - '/usr/bin/firewall-cmd'
+            - '/usr/sbin/ufw'
+            - '/usr/sbin/iptables'
+            - '/usr/bin/netstat'
+            - '/usr/bin/ss'
+            - '/usr/sbin/ip'
+            - '/usr/sbin/ifconfig'
    condition: selection
 falsepositives:
    - Legitimate administration activities
 level: low
 tags:
    - attack.discovery
-    - attack.t1016
+    - attack.t1016
@@ -1,24 +0,0 @@
-title: System Network Discovery - Firewall Enumeration
-id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
-status: experimental
-description: Detects enumeration of firewall configuration
-author: remotephone, oscd.community
-date: 2020/10/06
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
-logsource:
-    product: macos
-detection:
-    selection:
-        ParentCommandLine|contains:
-            - 'netstat'
-            - 'ifconfig'
-            - 'defaults read /Library/Preferences/com.apple.alf'
-            - 'socketfilterfw'
-    condition: selection
-falsepositives:
-    - Legitimate administration activities
-level: low
-tags:
-    - attack.discovery
-    - attack.t1016
@@ -0,0 +1,30 @@
+title: System Network Discovery - macOS
+id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
+status: experimental
+description: Detects enumeration of firewall configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+    product: macos
+    category: process_creation
+detection:
+    selection1:
+        ProcessName:
+            - '/usr/sbin/netstat'
+            - '/sbin/ifconfig'
+            - '/usr/sbin/ipconfig'
+            - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+            - '/usr/sbin/networksetup'
+            - '/usr/sbin/arp'
+    selection2:
+        ProcessName: '/usr/bin/defaults'
+        Commandline|contains: 'read /Library/Preferences/com.apple.alf'
+    condition: selection1 or selection2
+falsepositives:
+    - Legitimate administration activities
+level: low
+tags:
+    - attack.discovery
+    - attack.t1016