title: Nmap Execution on Linux
id: 4a6b2e5c-3f81-4d9a-bc07-e2f1a9d83c14
status: experimental
description: |
    Detects the execution of the nmap binary on Linux systems.
    Nmap is a network scanner commonly used during reconnaissance
    and lateral movement phases by attackers.
references:
    - https://nmap.org/
    - https://attack.mitre.org/techniques/T1046/
    - https://attack.mitre.org/techniques/T1595/
author: Detection Engineer
date: 2024-01-15
tags:
    - attack.discovery
    - attack.t1046
    - attack.reconnaissance
    - attack.t1595
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/nmap'
            - '/nmap7'
    selection_cmd:
        CommandLine|contains:
            - 'nmap '
            - '/usr/bin/nmap'
            - '/usr/local/bin/nmap'
            - '/snap/bin/nmap'
    filter_legit_users:
        User|contains:
            - 'songbird'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate network audits by system administrators
    - Authorized penetration testing activities
    - Security team scheduled scans
    - Monitoring or CMDB discovery tools
level: medium
fields:
    - Image
    - CommandLine
    - User
    - ParentImage
    - ParentCommandLine
    - ProcessId
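As an added example (not part of the rule and not Sigma tooling), the following Python evaluates this rule's detection block over a few constructed process_creation events, showing how `1 of selection_* and not 1 of filter_*` behaves, how broad `CommandLine|contains` is (a wrapper script whose path contains `/usr/local/bin/nmap` also matches), and how the substring `User|contains` filter suppresses any account name containing `songbird`. The event dict layout and the sample events are assumptions.

```python
# Added example (not part of the rule): evaluates its detection block over
# constructed Linux process_creation events, assumed to be dicts carrying
# the rule's field names (Image, CommandLine, User).

# Selections and filter copied verbatim from the rule's detection block.
SELECTION_IMG = {"Image|endswith": ["/nmap", "/nmap7"]}
SELECTION_CMD = {"CommandLine|contains": [
    "nmap ", "/usr/bin/nmap", "/usr/local/bin/nmap", "/snap/bin/nmap"]}
FILTER_LEGIT_USERS = {"User|contains": ["songbird"]}


def field_matches(event, spec):
    """A selection matches when every field in it matches; a list of values
    is OR'ed. Sigma string matching is case-insensitive by default, so both
    sides are lower-cased. Only the two modifiers this rule uses are handled."""
    for key, values in spec.items():
        field, modifier = key.split("|")
        actual = str(event.get(field, "")).lower()
        if modifier == "endswith":
            hit = any(actual.endswith(v.lower()) for v in values)
        elif modifier == "contains":
            hit = any(v.lower() in actual for v in values)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not hit:
            return False
    return True


def rule_matches(event):
    """condition: 1 of selection_* and not 1 of filter_*"""
    selected = any(field_matches(event, s) for s in (SELECTION_IMG, SELECTION_CMD))
    filtered = any(field_matches(event, f) for f in (FILTER_LEGIT_USERS,))
    return selected and not filtered


# Constructed sample events: one true hit, one suppressed by the user filter,
# one wrapper script caught by the broad CommandLine|contains, one benign.
EVENTS = [
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sV 10.0.0.0/24", "User": "deploy"},
    {"Image": "/usr/bin/nmap", "CommandLine": "nmap -sn 10.0.0.0/24", "User": "songbird-svc"},
    {"Image": "/usr/bin/python3", "CommandLine": "python3 /usr/local/bin/nmap-wrapper.py", "User": "ops"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /tmp", "User": "ops"},
]


def alerts(events=EVENTS):
    """Return the events this rule would alert on."""
    return [e for e in events if rule_matches(e)]
```

Running `alerts()` on the constructed events yields the `deploy` scan and the wrapper-script invocation; the `songbird-svc` event is suppressed even though it is a genuine nmap run, which is the trade-off a substring user filter makes.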