LoFP LoFP / it is uncommon for normal users to execute a series of commands used for network discovery. system administrators often use scripts to execute these commands. these can generate false positives.

Techniques

Sample rules

Potential System Network Configuration Discovery Activity

Description

The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.

Detection logic


| tstats `security_content_summariesonly` 
  count values(Processes.process) as process
        values(Processes.parent_process) as parent_process
        min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where

NOT Processes.user IN ("","unknown")

by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product _time


| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `drop_dm_object_name(Processes)`

| search process_name IN (
          "arp.exe",
          "dsquery.exe",
          "hostname.exe",
          "ipconfig.exe",
          "nbstat.exe",
          "net.exe",
          "net1.exe",
          "nltest.exe",
          "netsh.exe",
          "nslookup.exe",
          "ping.exe",
          "quser.exe",
          "qwinsta.exe",
          "telnet.exe",
          "tracert.exe",
        )

| transaction dest connected=false maxpause=5m

| where eventcount>=5

| `potential_system_network_configuration_discovery_activity_filter`