Home/Detection rules

Deployable detection rules

6 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
All sources Splunk ESCU · 2,088 Elastic · 1,678 Microsoft Sentinel · 633
technique T1016 ×

Detections

6 shown of 6
Splunk ESCU SPL T1016 ↗
Linux Auditd System Network Configuration Discovery
The following analytic detects suspicious system network configuration discovery activities, which may indicate an adversary's attempt to gather information about the network environment. Such actions typically involve commands or tools used to identify network interfaces, routing tables, and active connections. Detecting these activities is crucial, as they often precede more targeted attacks like lateral movement or data exfiltration. By identifying unusual or unauthorized network discovery efforts, this analytic helps security teams to swiftly detect and respond to potential reconnaissance operations, mitigating the risk of further compromise.
Show query 
`linux_auditd` type=SYSCALL comm IN ("arp", "ifconfig", "ip", "netstat", "firewall-cmd", "ufw", "iptables", "ss", "route")
  | bucket _time span=15m
  | rename host as dest
  | stats dc(comm) as unique_commands, values(comm) as comm, values(exe) as exe, values(syscall) as syscall, values(uid) as uid, values(ppid) as ppid, values(pid) as pid, count, min(_time) as firstTime, max(_time) as lastTime
    BY success dest
  | where unique_commands >= 4
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_system_network_configuration_discovery_filter`
Splunk ESCU SPL T1016 ↗
Linux System Network Discovery
The following analytic identifies potential enumeration of local network configuration on Linux systems. It detects this activity by monitoring processes such as "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," and "route" within a 30-minute window. This behavior is significant as it often indicates reconnaissance efforts by adversaries to gather network information for subsequent attacks. If confirmed malicious, this activity could enable attackers to map the network, identify vulnerabilities, and plan further exploitation or lateral movement within the environment.
Show query 
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        values(Processes.action) as action
        values(Processes.original_file_name) as original_file_name
        values(Processes.parent_process_exec) as parent_process_exec
        values(Processes.parent_process_guid) as parent_process_guid
        values(Processes.parent_process_id) as parent_process_id
        values(Processes.parent_process_name) as parent_process_name
        values(Processes.parent_process_path) as parent_process_path
        values(Processes.parent_process) as parent_process
        values(Processes.process_exec) as process_exec
        values(Processes.process_guid) as process_guid
        values(Processes.process_hash) as process_hash
        values(Processes.process_id) as process_id
        values(Processes.process_integrity_level) as process_integrity_level
        values(Processes.process_name) as process_name
        values(Processes.process_path) as process_path
        values(Processes.process) as process
        values(Processes.user_id) as user_id
        values(Processes.vendor_product) as vendor_product
        dc(Processes.process_name) as process_name_count
FROM datamodel=Endpoint.Processes WHERE

Processes.process_name IN (
    "arp",
    "firewall-cmd",
    "ifconfig",
    "ip",
    "iptables",
    "netstat",
    "route",
    "ss",
    "ufw"
)

BY _time span=30m Processes.dest Processes.user

| where process_name_count>=4

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_system_network_discovery_filter`
Splunk ESCU SPL T1016 ↗
MacOS List Firewall Rules
This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. These commands provide insight into firewall status, allowed applications, and explicit authorization rules. While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints
Show query 
| tstats `security_content_summariesonly`
  count
  values(Processes.parent_process) AS parent_process
  values(Processes.parent_process_exec) AS parent_process_exec
  values(Processes.parent_process_id) AS parent_process_id
  values(Processes.parent_process_name) AS parent_process_name
  values(Processes.parent_process_path) AS parent_process_path
  min(_time) as firstTime
  max(_time) as lastTime

from datamodel=Endpoint.Processes where
(
Processes.process_name = "defaults"
Processes.process = "* read *",
Processes.process = "*/Library/Preferences/com.apple.alf*"
)
OR
(
  Processes.process_name = "socketfilterfw"
  Processes.process = "*--getglobalstate*"
)

by Processes.action Processes.dest Processes.process Processes.process_hash
   Processes.process_id Processes.process_name Processes.process_path
   Processes.user Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_list_firewall_rules_filter`
Splunk ESCU SPL T1016.001 ↗
Network Discovery Using Route Windows App
The following analytic detects the execution of the `route.exe` Windows application, commonly used for network discovery. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because adversaries often use `route.exe` to map network routes and identify potential targets within a network. If confirmed malicious, this behavior could allow attackers to gain insights into network topology, facilitating lateral movement and further exploitation. Note that false positives may occur due to legitimate administrative tasks or automated scripts.
Show query 
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
(Processes.process_name=route.exe OR Processes.original_file_name=route.exe)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `network_discovery_using_route_windows_app_filter`
Splunk ESCU SPL T1016 ↗
Potential System Network Configuration Discovery Activity
The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.
Show query 
| tstats `security_content_summariesonly`
  count values(Processes.process) as process
        values(Processes.parent_process) as parent_process
        min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where

NOT Processes.user IN ("","unknown")

by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product _time

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| search process_name IN (
          "arp.exe",
          "dsquery.exe",
          "hostname.exe",
          "ipconfig.exe",
          "nbstat.exe",
          "net.exe",
          "net1.exe",
          "nltest.exe",
          "netsh.exe",
          "nslookup.exe",
          "ping.exe",
          "quser.exe",
          "qwinsta.exe",
          "telnet.exe",
          "tracert.exe",
        )
| transaction dest connected=false maxpause=5m
| where eventcount>=5
| `potential_system_network_configuration_discovery_activity_filter`
Splunk ESCU SPL T1016 ↗
Windows System Network Config Discovery Display DNS
The following analytic identifies the execution of the "ipconfig /displaydns" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.
Show query 
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name="ipconfig.exe"
    OR
    Processes.original_file_name = "ipconfig.exe"
    AND
    Processes.process = "*/displaydns*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_network_config_discovery_display_dns_filter`
Showing 1-6 of 6
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh