Skip to content
Threat Feed
medium advisory

Linux System Network Discovery via Multiple Utilities

Adversaries may attempt to enumerate local network configurations on Linux systems using common utilities like arp, ifconfig, ip, netstat, firewall-cmd, ufw, iptables, ss, and route to gather information for reconnaissance and subsequent attacks, leading to network mapping and vulnerability identification.

This detection focuses on identifying potential network reconnaissance activity on Linux systems. It monitors for the execution of multiple common network utilities within a short timeframe, specifically processes like "arp," "ifconfig," "ip," "netstat," "firewall-cmd," "ufw," "iptables," "ss," and "route." This behavior, when observed in rapid succession, is indicative of an attacker attempting to map the network, identify potential targets, and gather information for lateral movement or further exploitation. This type of activity is a common precursor to more significant attacks such as data exfiltration or ransomware deployment. The detection leverages process monitoring logs and aggregates process execution events within a 30-minute window.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using stolen credentials.
  2. Privilege Escalation (Optional): If necessary, the attacker escalates privileges to gain root or administrator access.
  3. Network Enumeration: The attacker executes a series of network enumeration commands using utilities like ip addr, ifconfig, and netstat to discover network interfaces, IP addresses, and routing information.
  4. Firewall Discovery: The attacker uses firewall-cmd, iptables, or ufw to identify firewall rules and configurations, potentially seeking weaknesses or misconfigurations.
  5. ARP Table Examination: The attacker uses the arp command to map IP addresses to MAC addresses on the local network segment.
  6. Port Scanning (Optional): The attacker may use ss or netstat to identify open ports and services running on the local machine or other systems on the network.
  7. Route Table Examination: The attacker uses the route command to understand network routing configurations and identify potential paths for lateral movement.
  8. Lateral Movement/Further Exploitation: Using the gathered network information, the attacker plans and executes further exploitation, lateral movement, or data exfiltration.

Impact

Successful network discovery allows attackers to map the network, identify vulnerable systems, and plan further attacks. This can lead to data breaches, system compromise, and disruption of services. While this detection itself does not indicate a breach, it is a strong indicator of reconnaissance activity preceding a more significant attack. Compromised systems could be leveraged for lateral movement, data exfiltration, or deployment of ransomware, impacting potentially hundreds or thousands of systems, depending on the size of the network.

Recommendation

  • Deploy the Sigma rule Detect Multiple Network Discovery Tools to your SIEM and tune it for your environment.
  • Enable Sysmon for Linux Event ID 1 or equivalent process execution logging to provide the data source for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule, focusing on the user accounts and processes involved in the network discovery activity.
  • Review firewall configurations and network segmentation policies to limit the potential impact of lateral movement.
  • Implement the provided RBA (Risk Based Alerting) configuration in your Splunk environment to prioritize and score incidents based on the involved assets and users.

Detection coverage 2

Detect Multiple Network Discovery Tools

medium

Detects the execution of multiple network discovery tools within a 30-minute timeframe on a Linux system, indicative of reconnaissance activity.

sigma tactics: discovery techniques: T1016 sources: process_creation, linux

Detect Network Configuration Changes via Firewall-cmd

low

Detects attempts to modify firewall configurations using firewall-cmd on Linux systems.

sigma tactics: defense_evasion techniques: T1562.004 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →