some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.

t1046
linux
elastic

Techniques

T1046

Sample rules

Nping Process Activity

source: elastic
technicques:
- T1046

Description

Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.

Detection logic

process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started")
 and process.name == "nping"