Description

Leverage searches that detect and investigate unusual activity related to network discovery, such as enumeration of network configuration and settings (IP addresses, MAC addresses, firewall rules and more).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2022-02-14
  • Author: Teoderick Contreras, Splunk
  • ID: af228995-f182-49d7-90b3-2a732944f00f

Narrative

Adversaries may use the information gathered through System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining what access they have within the target network and what actions to take next.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |
| Internal Vulnerability Scan | Vulnerability Scanning, Network Service Discovery | TTP |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Windows Network Share Interaction With Net | Network Share Discovery, Data from Network Shared Drive | TTP |
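The three detection patterns above (horizontal port scan, vertical port scan, and Linux network-configuration discovery) reduce to simple aggregations that are easy to reason about outside Splunk. The following is an added Python example, not Splunk's detection content: it runs the same logic over constructed flow records (standing in for Network_Traffic fields) and constructed process events (standing in for Endpoint.Processes fields). The thresholds, field names and the list of discovery binaries are assumptions for the example, not the story's actual tuning.

```python
"""Toy versions of the Network Discovery story's detection logic.

Added example: horizontal/vertical port scan detection over flow records and
network-configuration discovery over process events. Sample data below is
constructed, not captured traffic or real endpoint telemetry.
"""
from collections import defaultdict

# Constructed flow records as (src, dest, dest_port); stand-ins for the
# Network_Traffic datamodel fields of the same name.
FLOWS = (
    # Vertical scan: one source sweeping 30 ports on a single host.
    [("10.0.0.5", "10.0.0.20", port) for port in range(1, 31)]
    # Horizontal scan: one source probing port 445 on 25 hosts.
    + [("10.0.0.7", f"10.0.1.{host}", 445) for host in range(1, 26)]
    # Benign: repeated HTTPS connections to one server.
    + [("10.0.0.9", "10.0.0.20", 443)] * 5
)

# Constructed process events; stand-ins for Endpoint.Processes fields.
PROCESSES = [
    {"dest": "web01", "user": "root", "process_name": "ifconfig", "process": "ifconfig -a"},
    {"dest": "web01", "user": "root", "process_name": "iptables", "process": "iptables -L -n"},
    {"dest": "web02", "user": "app", "process_name": "bash", "process": "bash -c 'ip route show'"},
    {"dest": "web02", "user": "app", "process_name": "python3", "process": "python3 app.py"},
]

# Linux binaries commonly used to enumerate IP, MAC, routing and firewall
# settings. Assumed list for this example, not the story's exact coverage.
DISCOVERY_BINARIES = {
    "ifconfig", "ip", "arp", "netstat", "ss", "route",
    "iptables", "firewall-cmd", "nmcli",
}


def detect_vertical_scans(flows, min_ports=20):
    """One source touching many distinct ports on one destination host.

    Returns sorted (src, dest, distinct_port_count) tuples at or above the
    threshold. The threshold is an assumed tuning value for this example."""
    ports = defaultdict(set)
    for src, dest, dport in flows:
        ports[(src, dest)].add(dport)
    return sorted(
        (src, dest, len(p)) for (src, dest), p in ports.items() if len(p) >= min_ports
    )


def detect_horizontal_scans(flows, min_hosts=20):
    """One source touching the same port on many distinct destination hosts.

    Returns sorted (src, dest_port, distinct_host_count) tuples at or above
    the threshold."""
    hosts = defaultdict(set)
    for src, dest, dport in flows:
        hosts[(src, dport)].add(dest)
    return sorted(
        (src, dport, len(h)) for (src, dport), h in hosts.items() if len(h) >= min_hosts
    )


def detect_network_discovery_commands(events):
    """Flag process events whose command line invokes a discovery binary.

    Tokenises the full command line rather than relying on process_name, so a
    call wrapped in a shell (bash -c 'ip route show') is still caught. Path
    prefixes such as /usr/sbin/ are stripped before matching."""
    hits = []
    for ev in events:
        tokens = ev["process"].replace("'", " ").replace('"', " ").split()
        if any(tok.rsplit("/", 1)[-1] in DISCOVERY_BINARIES for tok in tokens):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for src, dest, n in detect_vertical_scans(FLOWS):
        print(f"vertical scan: {src} -> {dest} ({n} distinct ports)")
    for src, port, n in detect_horizontal_scans(FLOWS):
        print(f"horizontal scan: {src} -> port {port} on {n} hosts")
    for ev in detect_network_discovery_commands(PROCESSES):
        print(f"network discovery on {ev['dest']} by {ev['user']}: {ev['process']}")
```

The command-line tokeniser is deliberately loose: it will also match an argument that happens to equal a binary name (for example a file called `ip`), so in production the match should be narrowed to the first token and the argument of `-c`, and the Linux detection is classed as an Anomaly rather than a TTP precisely because administrators run these commands legitimately. For the scan detections, the interesting tuning knobs are the thresholds and the time window they are evaluated over; the example has no window because the sample is a single batch.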

Reference

source | version: 1