Detectionhighexperimental

OpenCanary - NMAP FIN Scan

Detects instances where an OpenCanary node has been targeted by a NMAP FIN Scan

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Marco PedrinazziCreated Tue Jan 06eae8c0c8-e5da-450a-9d7d-66aa56cd26b6application

Log Source

opencanaryapplication

Productopencanary← raw: opencanary

Categoryapplication← raw: application

Detection Logic

detection:
    selection:
        logtype: 5005
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

eae8c0c8-e5da-450a-9d7d-66aa56cd26b6

Status

experimental

Level

high

Type

Detection

Created

Tue Jan 06

Author

Path

rules/application/opencanary/opencanary_portscan_nmap_fin_scan.yaml

Raw Tags

attack.discoveryattack.t1046