The hypothesis is that an adversary is using network scanning tools to enumerate active services on a target network, which is a common early-stage reconnaissance behavior in cyber attacks. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and disrupt adversarial reconnaissance efforts before they escalate.
Detection Rule
title: Linux Network Service Scanning Tools Execution
id: 3e102cd9-a70d-4a7a-9508-403963092f31
status: test
description: Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
    - https://github.com/projectdiscovery/naabu
    - https://github.com/Tib3rius/AutoRecon
author: Alejandro Ortuno, oscd.community, Georg Lauenstein (sure[secure])
date: 2020-10-21
modified: 2024-09-19
tags:
    - attack.discovery
    - attack.t1046
logsource:
    category: process_creation
    product: linux
detection:
    selection_netcat:
        Image|endswith:
            - '/nc'
            - '/ncat'
            - '/netcat'
            - '/socat'
    selection_network_scanning_tools:
        Image|endswith:
            - '/autorecon'
            - '/hping'
            - '/hping2'
            - '/hping3'
            - '/naabu'
            - '/nmap'
            - '/nping'
            - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
            - '/zenmap'
    filter_main_netcat_listen_flag:
        CommandLine|contains:
            - ' --listen '
            - ' -l '
    condition: (selection_netcat and not filter_main_netcat_listen_flag) or selection_network_scanning_tools
falsepositives:
    - Legitimate administration activities
level: low
Equivalent KQL query for Azure Sentinel (ASIM imProcessCreate parser):
imProcessCreate
| where (
        (TargetProcessName endswith "/nc" or TargetProcessName endswith "/ncat" or TargetProcessName endswith "/netcat" or TargetProcessName endswith "/socat")
        and not (TargetProcessCommandLine contains " --listen " or TargetProcessCommandLine contains " -l ")
    )
    or (TargetProcessName endswith "/autorecon" or TargetProcessName endswith "/hping" or TargetProcessName endswith "/hping2" or TargetProcessName endswith "/hping3" or TargetProcessName endswith "/naabu" or TargetProcessName endswith "/nmap" or TargetProcessName endswith "/nping" or TargetProcessName endswith "/telnet" or TargetProcessName endswith "/zenmap")
False Positive Scenarios and Tuning
Scenario: System administrator running a scheduled network scan using nmap to verify open ports on internal servers.
Filter/Exclusion: Check for the presence of a scheduled job or script in /etc/cron.d/ or /etc/cron.hourly/ that includes nmap with known internal IP ranges.
Scenario: Security team performing a vulnerability assessment using Masscan to identify exposed services on the public internet.
Filter/Exclusion: Filter events where the source IP is from a known internal security team IP range or where the destination IP is a public IP used for security testing.
Scenario: DevOps team using tcpdump to capture and analyze network traffic for debugging application communication.
Filter/Exclusion: Check for the presence of a tcpdump script in a known DevOps tooling directory (e.g., /opt/devops/scripts/) or filter by command-line arguments that indicate packet capture rather than active scanning.
Scenario: IT staff using telnet to test connectivity to a legacy application server during routine maintenance.
Filter/Exclusion: Filter events where the command includes a known internal server hostname or IP, and the user is part of the IT maintenance team (e.g., user in /etc/passwd with a specific group).
Scenario: Automated CI/CD pipeline using nc (netcat) to verify service availability during deployment.
Filter/Exclusion: Check for the presence of a CI/CD job in a known pipeline directory (e.g., /opt/jenkins/jobs/) or filter by command-line arguments that indicate a simple connectivity check (e.g., -zv for nc).
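As an added example (not part of the Sigma rule or the original page), the following Python reimplements the rule's condition over process_creation records and layers on exclusions for three of the scenarios above (cron-launched nmap against internal ranges, maintenance telnet to a legacy host, CI/CD nc -zv checks). Field names (Image, CommandLine, ParentImage, Group, CurrentDirectory), the allowlist values and the sample events are all constructed assumptions; hostnames are deliberately not resolved, so only scans whose targets are literal internal IPs are trusted.

```python
import ipaddress
# Sigma selections copied from the rule above (Image|endswith / CommandLine|contains).
NETCAT = ("/nc", "/ncat", "/netcat", "/socat")
SCANNERS = ("/autorecon", "/hping", "/hping2", "/hping3", "/naabu",
            "/nmap", "/nping", "/telnet", "/zenmap")
LISTEN_FLAGS = (" --listen ", " -l ")
# Tuning allowlists for the scenarios above; every value is a constructed sample.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
LEGACY_HOSTS = {"legacy-app01.corp.example"}
MAINT_GROUP = "it-maint"          # hypothetical maintenance group name
CICD_DIR = "/opt/jenkins/jobs/"   # hypothetical pipeline working directory

def matches_rule(ev):
    """The Sigma condition: (netcat and not listen flag) or scanning tool."""
    img, cmd = ev["Image"], ev["CommandLine"]
    if img.endswith(SCANNERS):
        return True
    return img.endswith(NETCAT) and not any(f in cmd for f in LISTEN_FLAGS)

def _as_net(tok):
    """Parse a token as IP/CIDR, else None (hostnames are deliberately not resolved)."""
    try:
        return ipaddress.ip_network(tok, strict=False)
    except ValueError:
        return None

def tuned_out(ev):
    """Exclusions for the benign scenarios: cron nmap, maintenance telnet, CI/CD nc."""
    img, cmd = ev["Image"], ev["CommandLine"]
    args = cmd.split()[1:]
    if img.endswith("/nmap") and ev.get("ParentImage", "").endswith("/cron"):
        nets = [n for n in map(_as_net, args) if n]  # trust only all-internal IP targets
        return bool(nets) and all(any(n.version == r.version and n.subnet_of(r)
                                      for r in INTERNAL_RANGES) for n in nets)
    if img.endswith("/telnet") and ev.get("Group") == MAINT_GROUP:
        return any(a in LEGACY_HOSTS for a in args)
    if img.endswith(NETCAT) and "-zv" in args:
        return ev.get("CurrentDirectory", "").startswith(CICD_DIR)
    return False

def alerts(events):
    """Command lines that match the rule and survive the tuning layer."""
    return [ev["CommandLine"] for ev in events if matches_rule(ev) and not tuned_out(ev)]
SAMPLE_EVENTS = [  # constructed process_creation records
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sS 10.0.1.0/24", "ParentImage": "/usr/sbin/cron"},
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sS 203.0.113.0/24", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/nc", "CommandLine": "nc -zv db01 5432", "CurrentDirectory": "/opt/jenkins/jobs/deploy"},
    {"Image": "/usr/bin/nc", "CommandLine": "nc -lvp 4444"},  # listener, but ' -l ' filter misses '-lvp'
    {"Image": "/usr/bin/telnet", "CommandLine": "telnet legacy-app01.corp.example 23", "Group": "it-maint"},
]
```

The fourth sample shows a tuning gap worth knowing when reviewing noise: the rule's listen filter requires ' -l ' with spaces on both sides, so combined flags such as -lvp still raise a (benign) alert.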