title: Nmap Execution on Linux
id: 4a6b2e5c-3f81-4d9a-bc07-e2f1a9d83c14
status: experimental
description: |
    Detects the execution of the nmap binary on Linux systems.
    Nmap is a network scanner commonly used during reconnaissance and lateral movement phases by attackers.
references:
    - https://nmap.org/
    - https://attack.mitre.org/techniques/T1046/
    - https://attack.mitre.org/techniques/T1595/
author: Detection Engineer
date: 2024-01-15
tags:
    - attack.discovery
    - attack.T1046
    - attack.reconnaissance
    - attack.T1595
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/nmap'
            - '/nmap7'
    selection_cmd:
        CommandLine|contains:
            - 'nmap '
            - '/usr/bin/nmap'
            - '/usr/local/bin/nmap'
            - '/snap/bin/nmap'
    filter_legit_users:
        User|contains:
            - 'songbird'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate network audits by system administrators
    - Authorized penetration testing activities
    - Security team scheduled scans
    - Monitoring or CMDB discovery tools
level: medium
fields:
    - Image
    - CommandLine
    - User
    - ParentImage
    - ParentCommandLine
    - ProcessId
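As an added example (not part of the rule above or of any Sigma tooling), a small Python evaluator that applies the rule's two selections, its user filter and its condition to constructed Linux process_creation events. It assumes events are dicts keyed by the rule's field names and applies Sigma's default case-insensitive string matching.

```python
# Added example: evaluates the "Nmap Execution on Linux" rule logic against
# constructed events. Sigma string matching is case-insensitive by default,
# so every comparison lowercases both sides.

IMAGE_SUFFIXES = ("/nmap", "/nmap7")                       # selection_img
CMD_SUBSTRINGS = ("nmap ", "/usr/bin/nmap",                # selection_cmd
                  "/usr/local/bin/nmap", "/snap/bin/nmap")
FILTER_USER_SUBSTRINGS = ("songbird",)                     # filter_legit_users


def selection_img(event):
    # Image|endswith: any listed suffix
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIXES)


def selection_cmd(event):
    # CommandLine|contains: any listed substring
    cmd = event.get("CommandLine", "").lower()
    return any(s in cmd for s in CMD_SUBSTRINGS)


def filter_legit_users(event):
    # User|contains: any listed substring
    user = event.get("User", "").lower()
    return any(s in user for s in FILTER_USER_SUBSTRINGS)


def matches(event):
    # condition: 1 of selection_* and not 1 of filter_*
    return (selection_img(event) or selection_cmd(event)) and not filter_legit_users(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sn 10.0.0.0/24", "User": "www-data", "ProcessId": 4112},
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sn 10.0.0.0/24", "User": "songbird", "ProcessId": 4113},
    {"Image": "/bin/bash", "CommandLine": "bash -c '/snap/bin/nmap -p 22 host'", "User": "deploy", "ProcessId": 4114},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 nmap_parser.py", "User": "analyst", "ProcessId": 4115},
    {"Image": "/opt/tools/nmap7", "CommandLine": "", "User": "root", "ProcessId": 4116},
]


def alerts(events):
    # Return the ProcessId of every event the rule would fire on, in order.
    return [e["ProcessId"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [4112, 4114, 4116]
```

Event 4113 is suppressed by the user filter, and 4115 shows why the pattern is `'nmap '` with a trailing space: a script merely named `nmap_parser.py` does not trigger the rule.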