diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml
new file mode 100644
index 000000000..af22539c4
--- /dev/null
+++ b/rules/linux/lnx_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - Linux
+id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
+status: experimental
+description: Detects enumeration of local network configuration
+author: Ömer Günal and remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ category: process_creation
+ product: unix
+detection:
+ selection1:
+ ProcessName|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml
new file mode 100644
index 000000000..2bf068e4e
--- /dev/null
+++ b/rules/linux/macos_system_network_discovery.yml
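Review bot: `product: unix` in the logsource conflicts with the rule's own title ("Linux"), its `rules/linux/` path and the sibling macOS rule in this commit, which uses `product: macos`; Sigma process_creation field mappings are keyed on `product: linux`, so a backend using that taxonomy may not apply any field mapping to this rule. Change the line to `product: linux`. Separately, `selection2` fires on any command line containing `/etc/resolv.conf`, which presumably includes routine reads and rewrites by network-configuration tooling rather than only enumeration; the `falsepositives` list should say so, e.g. `- Network configuration tools and package scripts that read or rewrite /etc/resolv.conf`, so the low level is understood by whoever tunes it.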
@@ -0,0 +1,32 @@
+title: System Network Discovery - macOS
+id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
+status: experimental
+description: Detects enumeration of local network configuration
+author: remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ ProcessName:
+ - '/usr/sbin/netstat'
+ - '/sbin/ifconfig'
+ - '/usr/sbin/ipconfig'
+ - '/usr/libexec/ApplicationFirewall/socketfilterfw'
+ - '/usr/sbin/networksetup'
+ - '/usr/sbin/arp'
+ selection2:
+ ProcessName: '/usr/bin/defaults'
+ Commandline|contains|all:
+ - 'read'
+ - '/Library/Preferences/com.apple.alf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1016
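Review bot: `Commandline|contains|all` in selection2 spells the field differently from the `CommandLine` used by the Linux rule in this same commit and by the standard Sigma process_creation field set; unless a backend config maps both spellings, selection2 never matches and the `defaults read` case silently drops out of the detection without any error at conversion time. Change the line to `CommandLine|contains|all:`. The file is also added under `rules/linux/` although its logsource is `product: macos`; it likely belongs in the repository's macOS rule directory, if one exists, so that per-platform tooling and reviews pick it up.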