| ID | Technique | Tactic |
|---|---|---|
| T1016 | System Network Configuration Discovery | Discovery |
Detection: Linux System Network Discovery
Description
The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," and "route" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.
Search
1
2| tstats `security_content_summariesonly`
3 count min(_time) as firstTime
4 max(_time) as lastTime
5 values(Processes.action) as action
6 values(Processes.original_file_name) as original_file_name
7 values(Processes.parent_process_exec) as parent_process_exec
8 values(Processes.parent_process_guid) as parent_process_guid
9 values(Processes.parent_process_id) as parent_process_id
10 values(Processes.parent_process_name) as parent_process_name
11 values(Processes.parent_process_path) as parent_process_path
12 values(Processes.parent_process) as parent_process
13 values(Processes.process_exec) as process_exec
14 values(Processes.process_guid) as process_guid
15 values(Processes.process_hash) as process_hash
16 values(Processes.process_id) as process_id
17 values(Processes.process_integrity_level) as process_integrity_level
18 values(Processes.process_name) as process_name
19 values(Processes.process_path) as process_path
20 values(Processes.process) as process
21 values(Processes.user_id) as user_id
22 values(Processes.vendor_product) as vendor_product
23 dc(Processes.process_name) as process_name_count
24FROM datamodel=Endpoint.Processes WHERE
25
26Processes.process_name IN (
27 "arp",
28 "firewall-cmd",
29 "ifconfig",
30 "ip",
31 "iptables",
32 "netstat",
33 "route",
34 "ss",
35 "ufw"
36)
37
38BY _time span=30m Processes.dest Processes.user
39
40
41| where process_name_count>=4
42
43
44| `drop_dm_object_name(Processes)`
45
46| `security_content_ctime(firstTime)`
47
48| `security_content_ctime(lastTime)`
49
50| `linux_system_network_discovery_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | 'osquery:results' |
'osquery' |
| Sysmon for Linux EventID 1 |  Linux |
'sysmon:linux' |
'Syslog:Linux-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| linux_system_network_discovery_filter | search * |
linux_system_network_discovery_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 10
APT19
APT3
APT32
APT41
APT42
BlackByte
Chimera
Darkhotel
Dragonfly
Earth Lusca
FIN13
GALLIUM
HAFNIUM
HEXANE
Higaisa
Ke3chang
Kimsuky
Lazarus Group
Lotus Blossom
Magic Hound
Medusa Group
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Naikon
OilRig
Play
Scattered Spider
SideCopy
Sidewinder
Stealth Falcon
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
Volt Typhoon
Wizard Spider
ZIRCONIUM
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Administrator or network operator can execute this command. Please update the filter macros to remove false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Network discovery process $process$ executed on $dest$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 20 | process, process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational |
sysmon:linux |
| Integration | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational |
sysmon:linux |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 10