Adversaries may use system utilities to discover active network connections, indicating reconnaissance or lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromises and limit lateral movement in their environment.
Detection Rule
title: System Network Connections Discovery - Linux
id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
status: test
description: Detects usage of system utilities to discover system network connections
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2023-01-17
tags:
    - attack.discovery
    - attack.t1049
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/who'
            - '/w'
            - '/last'
            - '/lsof'
            - '/netstat'
    filter_landscape_sysinfo:
        ParentCommandLine|contains: '/usr/bin/landscape-sysinfo'
        Image|endswith: '/who'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate activities
level: low
Azure Sentinel Query (KQL)
imProcessCreate
| where (TargetProcessName endswith "/who"
        or TargetProcessName endswith "/w"
        or TargetProcessName endswith "/last"
        or TargetProcessName endswith "/lsof"
        or TargetProcessName endswith "/netstat")
    and not((ActingProcessCommandLine contains "/usr/bin/landscape-sysinfo"
        and TargetProcessName endswith "/who"))
False Positive Scenarios and Exclusions
Note that nmap, tcpdump and ss are not among the binaries matched by the rule's selection (who, w, last, lsof, netstat), so the exclusions for those three tools only become relevant if the Image list is extended to cover them.
Scenario: System administrators using nmap to perform network discovery during a security audit.
Filter/Exclusion: Exclude processes where the command line includes nmap and the user is a member of the sudo group or otherwise holds administrative privileges.
Scenario: A scheduled job using netstat to monitor active connections for system health checks.
Filter/Exclusion: Exclude processes where the command line includes netstat and the process is started by a known monitoring tool such as monit or a systemd service unit.
Scenario: Developers using tcpdump to capture network traffic while debugging application behaviour.
Filter/Exclusion: Exclude processes where the command line includes tcpdump and the process is associated with a development environment or a specific project directory.
Scenario: Use of ss (socket statistics) by the system's logging or monitoring daemon (e.g., rsyslog, auditd).
Filter/Exclusion: Exclude processes where the command line includes ss and the parent process is a known system service or logging daemon.
Scenario: Regular use of lsof by the IT team to check open files and network connections during routine maintenance.
Filter/Exclusion: Exclude processes where the command line includes lsof and the user belongs to a predefined admin group or is running a known maintenance task.
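As an added example that is not part of the original rule or page, the Python below evaluates the rule's selection, the landscape-sysinfo filter and one of the tuning exclusions above (netstat launched by a known monitoring parent) over constructed process-creation events. The ParentImage field and the list of monitoring parents are assumptions made for the example.

```python
# Added example, not the rule's or the page's own code. Field names follow the
# Sigma logsource (Image, ParentCommandLine); ParentImage and the list of
# monitoring parents are assumptions made for the example.
SELECTION_SUFFIXES = ("/who", "/w", "/last", "/lsof", "/netstat")

def filter_landscape_sysinfo(event):
    """filter_landscape_sysinfo from the rule: Ubuntu's landscape-sysinfo
    runs `who` when building the login MOTD; both clauses must hold."""
    return ("/usr/bin/landscape-sysinfo" in event.get("ParentCommandLine", "")
            and event.get("Image", "").endswith("/who"))

# Tuning from the false-positive list: netstat started by a known monitoring
# service. The parent paths below are an assumption, not from the page.
KNOWN_MONITOR_PARENTS = ("/usr/bin/monit", "/usr/lib/systemd/systemd")

def filter_monitoring_netstat(event):
    return (event.get("Image", "").endswith("/netstat")
            and event.get("ParentImage", "") in KNOWN_MONITOR_PARENTS)

FILTERS = (filter_landscape_sysinfo, filter_monitoring_netstat)

def matches(event):
    """condition: selection and not 1 of filter_*"""
    image = event.get("Image", "")
    selected = any(image.endswith(suffix) for suffix in SELECTION_SUFFIXES)
    return selected and not any(f(event) for f in FILTERS)

def hunt(events):
    """Return the events that fire the rule, in input order."""
    return [e for e in events if matches(e)]

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/who", "ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "/usr/bin/python3 /usr/bin/landscape-sysinfo"},
    {"Image": "/usr/bin/netstat", "ParentImage": "/usr/bin/monit",
     "ParentCommandLine": "/usr/bin/monit -c /etc/monitrc"},
    {"Image": "/usr/bin/netstat", "ParentImage": "/bin/bash",
     "ParentCommandLine": "bash -i"},
    {"Image": "/usr/bin/lsof", "ParentImage": "/bin/sh",
     "ParentCommandLine": "sh -c 'lsof -i'"},
    # whoami must not match: the suffix check is on "/who", not "who".
    {"Image": "/usr/bin/whoami", "ParentImage": "/bin/bash",
     "ParentCommandLine": "bash -i"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "spawned by", hit["ParentImage"])
```

Only the interactive-shell netstat and lsof events survive both filters; the landscape-sysinfo `who` and the monit-spawned netstat are excluded, and whoami never enters the selection.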