Adversaries may perform remote system discovery on Linux hosts (ATT&CK T1018) to identify and map networked systems, enabling further lateral movement and compromise. SOC teams should proactively hunt for this behavior to detect early-stage reconnaissance and prevent potential network-wide breaches.
Detection Rule
title: Linux Remote System Discovery
id: 11063ec2-de63-4153-935e-b1a8b9e616f1
status: test
description: Detects the enumeration of other remote systems.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/arp'
        CommandLine|contains: '-a'
    selection_2:
        Image|endswith: '/ping'
        CommandLine|contains:
            - ' 10.'       # 10.0.0.0/8
            - ' 192.168.'  # 192.168.0.0/16
            - ' 172.16.'   # 172.16.0.0/12
            - ' 172.17.'
            - ' 172.18.'
            - ' 172.19.'
            - ' 172.20.'
            - ' 172.21.'
            - ' 172.22.'
            - ' 172.23.'
            - ' 172.24.'
            - ' 172.25.'
            - ' 172.26.'
            - ' 172.27.'
            - ' 172.28.'
            - ' 172.29.'
            - ' 172.30.'
            - ' 172.31.'
            - ' 127.'      # 127.0.0.0/8
            - ' 169.254.'  # 169.254.0.0/16
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low
imProcessCreate
| where (TargetProcessName endswith "/arp" and TargetProcessCommandLine contains "-a")
    or (TargetProcessName endswith "/ping"
        and (TargetProcessCommandLine contains " 10."
            or TargetProcessCommandLine contains " 192.168."
            or TargetProcessCommandLine contains " 172.16."
            or TargetProcessCommandLine contains " 172.17."
            or TargetProcessCommandLine contains " 172.18."
            or TargetProcessCommandLine contains " 172.19."
            or TargetProcessCommandLine contains " 172.20."
            or TargetProcessCommandLine contains " 172.21."
            or TargetProcessCommandLine contains " 172.22."
            or TargetProcessCommandLine contains " 172.23."
            or TargetProcessCommandLine contains " 172.24."
            or TargetProcessCommandLine contains " 172.25."
            or TargetProcessCommandLine contains " 172.26."
            or TargetProcessCommandLine contains " 172.27."
            or TargetProcessCommandLine contains " 172.28."
            or TargetProcessCommandLine contains " 172.29."
            or TargetProcessCommandLine contains " 172.30."
            or TargetProcessCommandLine contains " 172.31."
            or TargetProcessCommandLine contains " 127."
            or TargetProcessCommandLine contains " 169.254."))
Scenario: System Administrator Performing Scheduled Job Discovery
Description: A system administrator is using nmap to periodically scan internal systems as part of routine network health checks.
Filter/Exclusion: Exclude IP addresses from the internal network range (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or filter by user root or admin performing the scan.
Scenario: Use of nmap for Network Inventory Purposes
Description: A network team is using nmap to inventory all devices on the network as part of asset management.
Filter/Exclusion: Exclude traffic originating from known inventory tools or IP ranges used for network discovery, or filter by specific nmap command-line arguments (e.g., -sL for list mode).
Scenario: Remote Administration via SSH with ssh and ssh-keyscan
Description: An admin is using ssh-keyscan to gather SSH host keys for a group of remote servers to facilitate secure connections.
Filter/Exclusion: Exclude connections to known admin hosts or filter by the presence of ssh-keyscan in the command line, or exclude traffic to hosts in the known_hosts file.
Scenario: Use of tcpdump for Network Monitoring
Description: A security analyst is using tcpdump to capture and analyze network traffic for troubleshooting or monitoring purposes.
Filter/Exclusion: Exclude traffic from the tcpdump process itself, or filter by specific capture filters (e.g., tcpdump -i eth0 port 22 for SSH traffic only).
Scenario: System Inventory via systemd or init Scripts