Detectionlowtest

Linux Network Service Scanning - Auditd

Detects enumeration of local or remote network services.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alejandro Ortuno, oscd.communityCreated Wed Oct 21Updated Tue Sep 263761e026-f259-44e6-8826-719ed8079408linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Definition

Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183

Detection Logic

detection:
    selection:
        type: 'SYSCALL'
        exe|endswith:
            - '/telnet'
            - '/nmap'
            - '/netcat'
            - '/nc'
            - '/ncat'
            - '/nc.openbsd'
        key: 'network_connect_4'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1046 · Network Service Discovery

Related Rules

DerivedDetectionlow

Linux Network Service Scanning Tools Execution

Detects execution of network scanning and reconnaisance tools. These tools can be used for the enumeration of local or remote network services for example.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

3761e026-f259-44e6-8826-719ed8079408

Status

test

Level

low

Type

Detection

Created

Wed Oct 21

Modified

Tue Sep 26

Author

Alejandro Ortuno, oscd.community

Path

rules/linux/auditd/syscall/lnx_auditd_network_service_scanning.yml

Raw Tags

attack.discoveryattack.t1046

View on GitHub