Adversaries may enumerate the local network configuration (interfaces, routes, firewall rules, DNS settings) to orient themselves on a host they already control and to identify targets for lateral movement. This is post-compromise discovery (MITRE ATT&CK T1016, System Network Configuration Discovery), not a step of the initial compromise. SOC teams can hunt for this behavior in Azure Sentinel to catch reconnaissance early and limit lateral movement opportunities. Because the rule below is rated informational and matches routine administration, treat it as a hunting and enrichment query rather than a stand-alone alert.
Detection Rule
title: System Network Discovery - Linux
id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
status: test
description: Detects enumeration of local network configuration
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: Ömer Günal and remotephone, oscd.community
date: 2020-10-06
modified: 2022-09-15
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/firewall-cmd'
            - '/ufw'
            - '/iptables'
            - '/netstat'
            - '/ss'
            - '/ip'
            - '/ifconfig'
            - '/systemd-resolve'
            - '/route'
    selection_cli:
        CommandLine|contains: '/etc/resolv.conf'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: informational
imProcessCreate
| where (TargetProcessName endswith "/firewall-cmd"
        or TargetProcessName endswith "/ufw"
        or TargetProcessName endswith "/iptables"
        or TargetProcessName endswith "/netstat"
        or TargetProcessName endswith "/ss"
        or TargetProcessName endswith "/ip"
        or TargetProcessName endswith "/ifconfig"
        or TargetProcessName endswith "/systemd-resolve"
        or TargetProcessName endswith "/route")
    or TargetProcessCommandLine contains "/etc/resolv.conf"
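To check what the rule above actually fires on before deploying it, the following Python re-implements its matching logic and runs it over constructed process-creation events. This is an added example, not the rule authors' code and not Sentinel's engine. Field names mirror the ASIM imProcessCreate columns used in the KQL (TargetProcessName, TargetProcessCommandLine); using the parent-process column (ActingProcessName in ASIM) for the tuning exclusion and the allowlisted script path /opt/monitoring/network-monitor.sh are assumptions made for the example. It also shows two things the rule text does not spell out: the leading slash in each Image value anchors the match to a full basename (so /usr/bin/traceroute does not match '/route'), and tuning exclusions belong on the parent of the matched process, not on the matched process itself.

```python
# Added example: Python re-implementation of the Sigma rule's matching logic,
# run over constructed process-creation events. Not the rule authors' code and
# not Sentinel's engine. Column names follow ASIM imProcessCreate; the parent
# column (ActingProcessName) and the allowlist path are assumptions.
from dataclasses import dataclass

# selection_img values, verbatim from the rule.
NETWORK_DISCOVERY_BINARIES = (
    "/firewall-cmd", "/ufw", "/iptables", "/netstat", "/ss",
    "/ip", "/ifconfig", "/systemd-resolve", "/route",
)
# selection_cli value, verbatim from the rule.
RESOLV_CONF = "/etc/resolv.conf"

# Hypothetical tuning allowlist: full path of an approved scheduled monitoring
# script (the "Scheduled Network Monitoring Job" false-positive scenario).
KNOWN_MONITORING_PARENTS = ("/opt/monitoring/network-monitor.sh",)


@dataclass
class ProcessEvent:
    TargetProcessName: str
    TargetProcessCommandLine: str
    ActingProcessName: str = ""  # parent process; assumed column for tuning


def matches_rule(event: ProcessEvent) -> bool:
    """condition: 1 of selection_*  (selection_img OR selection_cli).

    Sigma string modifiers are case-insensitive, as are Kusto's endswith and
    contains, so both sides are lower-cased to mirror the backend.
    """
    image = event.TargetProcessName.lower()
    cmdline = event.TargetProcessCommandLine.lower()
    # Image|endswith: the leading '/' in every value anchors the match to a
    # whole basename, so '/usr/bin/traceroute' does NOT match '/route'.
    selection_img = image.endswith(NETWORK_DISCOVERY_BINARIES)
    # CommandLine|contains '/etc/resolv.conf': catches cat/grep/less of the
    # resolver config regardless of which binary reads it.
    selection_cli = RESOLV_CONF in cmdline
    return selection_img or selection_cli


def is_tuned_out(event: ProcessEvent) -> bool:
    """Exclusion applied after the rule matches: the parent is a known
    monitoring script. Excluding on user == root is deliberately avoided,
    since it would also suppress most post-exploitation discovery.
    """
    return event.ActingProcessName in KNOWN_MONITORING_PARENTS


def run_detection(events):
    """Return the events that match the rule and survive tuning."""
    return [e for e in events if matches_rule(e) and not is_tuned_out(e)]


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/ip", "ip a", "/bin/bash"),
    ProcessEvent("/usr/bin/cat", "cat /etc/resolv.conf", "/bin/bash"),
    ProcessEvent("/usr/bin/traceroute", "traceroute 10.0.0.1", "/bin/bash"),
    ProcessEvent("/usr/sbin/ip", "ip route show",
                 "/opt/monitoring/network-monitor.sh"),
    ProcessEvent("/usr/bin/ls", "ls -la /etc", "/bin/bash"),
    ProcessEvent("/usr/bin/netstat", "netstat -antp", "/bin/sh"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"HIT  {hit.TargetProcessName:<20} {hit.TargetProcessCommandLine}")
```

Running it reports three hits (ip a, cat /etc/resolv.conf, netstat -antp); the traceroute and ls events never match, and the ip route event matches but is dropped by the parent-process exclusion. Note that a parent-path allowlist is only as trustworthy as write access to that path: an attacker who can place a script at the allowlisted location inherits the exclusion.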
Scenario: System Network Configuration Audit via ip a or ifconfig
Description: A system administrator runs ip a or ifconfig during a routine network configuration audit to check interface details. Both binaries are in the rule's Image list, so this always fires the rule.
Filter/Exclusion: Scope the exclusion to the context of the audit (the hosts and accounts that perform it) rather than to the command line, since ip a and ifconfig are exactly what the rule looks for. Excluding on user == "root" or user == "admin" is not a safe tuning: attackers frequently run discovery as root after privilege escalation, so that filter would suppress the activity the rule exists to catch.
Scenario: Scheduled Network Monitoring Job
Description: A scheduled job periodically monitors network interfaces with a script that runs nmcli or ip route. The ip route invocation matches the rule (Image ends with /ip); nmcli does not match unless its command line references /etc/resolv.conf.
Filter/Exclusion: Exclude on the parent process being the known monitoring script (e.g., parent process name network-monitor.sh), or on the script's full path appearing in the command line. A filter on the matched process's own name (process.name == "network-monitor.sh") would not work, because the event that fires is the ip child, not the script that spawned it.
Scenario: Network Enumeration via nmap for Security Assessment
Description: A security team scans the internal network with nmap to assess connectivity and identify devices. nmap is not in the rule's Image list, so this activity does not trigger this rule (it is network service discovery and needs its own coverage).
Filter/Exclusion: No exclusion is needed for this rule. Where a separate nmap rule is in place, exclude the security team's scanning accounts (e.g., user == "security-team") scoped to the approved assessment hosts.
Scenario: Systemd Service Configuration Check
Description: A system administrator checks network-related services with systemctl status or journalctl. Neither binary is in the rule's Image list, so these commands do not fire the rule unless their command line contains /etc/resolv.conf.
Filter/Exclusion: No exclusion is needed for systemctl or journalctl themselves; if they appear alongside real hits, correlate with known administrative tasks in the command history instead of filtering the rule.
Scenario: Network Interface Configuration via nmcli in GUI Tool
Description: A user configures network interfaces through a GUI tool that runs nmcli in the background to apply settings. nmcli is not in the rule's Image list, so this does not fire the rule unless the command line references /etc/resolv.conf.
Filter/Exclusion: Filter for nmcli in the