security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff2ba5f876a135e38db4e4300f060afc249d95c1
blue-team-tools/rules/linux/lnx_system_net_disc_firewall_enum.yml
T
remotephone@gmail.com ff2ba5f876 double checking new line characters
2020-10-07 22:43:38 -05:00

32 lines
929 B
YAML
Raw Blame History

title: System Network Discovery Firewall Enumeration
status: experimental
id: 71da9e5a-fb1e-46a8-abc1-28c80173af4c
description: Detects enumeration of firewall configuration
author: remotephone, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
- https://attack.mitre.org/techniques/T1016
logsource:
product: unix
detection:
keywords:
# Linux Only
- 'arp -a'
- 'ip'
- 'ss'
# macOS and Linux
- 'netstat'
- 'ifconfig'
# macOS only
- 'defaults read /Library/Preferences/com.apple.alf'
- 'socketfilterfw'
condition: keywords
falsepositives:
- Legitimate administration activities
- Redirecting output of echo command to a path that contains the word "cron"
level: low
tags:
- attack.discovery
- attack.t1016
Reference in New Issue View Git Blame Copy Permalink