Techniques
Sample rules
PUA - Nmap/Zenmap Execution
- source: sigma
- techniques:
  - t1046
Description
Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
Detection logic
selection:
  - Image|endswith:
      - '\nmap.exe'
      - '\zenmap.exe'
  - OriginalFileName:
      - 'nmap.exe'
      - 'zenmap.exe'
condition: selection
PUA - SoftPerfect Netscan Execution
- source: sigma
- techniques:
  - t1046
Description
Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks. It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
Detection logic
selection:
  - Image|endswith: '\netscan.exe'
  - Product: 'Network Scanner'
  - Description: 'Application for scanning networks'
condition: selection
OpenSSH Server Listening On Socket
- source: sigma
- techniques:
  - t1021
  - t1021.004
Description
Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on an SSH socket.
Detection logic
selection:
  EventID: 4
  process: 'sshd'
  payload|startswith: 'Server listening on '
condition: selection
PUA - RemCom Default Named Pipe
- source: sigma
- techniques:
  - t1021
  - t1021.002
  - t1569
  - t1569.002
Description
Detects default RemCom pipe creation
Detection logic
selection:
  PipeName|contains: '\RemCom'
condition: selection
PUA - CSExec Default Named Pipe
- source: sigma
- techniques:
  - t1021
  - t1021.002
  - t1569
  - t1569.002
Description
Detects default CSExec pipe creation
Detection logic
selection:
  PipeName|contains: '\csexecsvc'
condition: selection
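The five selections above use a small set of Sigma constructs: field modifiers (endswith, startswith, contains), OR over a list of maps, AND within a single map, and OR over a list of values for one field. The evaluator below is an added example, not code from Sigma or from this rule set; it transcribes the five selections as Python literals and applies them to constructed event records so the matching semantics can be checked by hand.

```python
# Added example, not Sigma's own code: evaluates the five selections listed above. Matching
# is case-insensitive; list of maps = OR, map = AND, list of values for one field = OR.
def _match_value(field_value, expected, modifier):
    fv, ev = str(field_value).lower(), str(expected).lower()
    if modifier == "endswith":
        return fv.endswith(ev)
    if modifier == "startswith":
        return fv.startswith(ev)
    if modifier == "contains":
        return ev in fv
    return fv == ev  # no modifier: exact (case-insensitive) comparison

def _match_map(event, fields):
    # Every key in a map must match (AND); a list of values for one key is an OR.
    for key, expected in fields.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field, ""), v, modifier) for v in values):
            return False
    return True

def matches(selection, event):
    # A selection written as a list of maps is an OR over those maps.
    maps = selection if isinstance(selection, list) else [selection]
    return any(_match_map(event, m) for m in maps)

RULES = {
    "PUA - Nmap/Zenmap Execution": [
        {"Image|endswith": ["\\nmap.exe", "\\zenmap.exe"]},
        {"OriginalFileName": ["nmap.exe", "zenmap.exe"]},
    ],
    "PUA - SoftPerfect Netscan Execution": [
        {"Image|endswith": "\\netscan.exe"}, {"Product": "Network Scanner"},
        {"Description": "Application for scanning networks"},
    ],
    "OpenSSH Server Listening On Socket": {
        "EventID": 4, "process": "sshd", "payload|startswith": "Server listening on "},
    "PUA - RemCom Default Named Pipe": {"PipeName|contains": "\\RemCom"},
    "PUA - CSExec Default Named Pipe": {"PipeName|contains": "\\csexecsvc"},
}

def triggered(event):
    # Titles of every rule whose selection matches one event record.
    return [title for title, sel in RULES.items() if matches(sel, event)]

# Constructed sample events, not real telemetry: a renamed nmap, and a benign name ending in nmap.exe.
SAMPLE_EVENTS = [
    {"Image": "C:\\Tools\\scan.exe", "OriginalFileName": "NMAP.EXE"},
    {"Image": "C:\\Tools\\winmap.exe", "OriginalFileName": "winmap.exe"},
]
```

The second sample shows why the leading backslash in `\nmap.exe` matters: `winmap.exe` ends in `nmap.exe` but not in `\nmap.exe`, so it does not fire, while the renamed binary is still caught through OriginalFileName.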